Various bugs in Microsoft Office 365 - Outlook

Microsoft Outlook (web) was my very first target in my security research, something about being able to send an email with an XSS made it that much important to find the vulnerabilities. This will be the list of all the valid findings in no particular order.

Stored XSS using SVG

The video should explain itself, but I mainly think the problem was in the logic of sending null variables in a request. It seems redundant to mention say var1=null so playing around with these variable as well as the content-type variable (changing it to IMAGE/svg+xml)
I manage to find a stored XSS vulnerability.

Outlook XSS using copy and paste

Another interesting discovery was an XSS in the outlook new mail body which required the user to copy (from our evil website) into the new mail body.

Other XSS vulnerabilities in Outlook

There was a bug that was exclusive to Google Chrome users where I inject a link tag and would result in javascript being executed as soon as the victim opened the malicious email (without any other interactions.)
The XSS vector:
<link rel='import' href='data:q,<script>alert(1)</script>'>
Though I actually base64 encoded the actually content of the data uri scheme to further obfiscate the payload. It worked! No video of this though as its pretty straight forward.

Base tag injection (deemed invalid at first but Microsoft changed their mind):

Reflected XSS:


Honor Roll: