I got bored one day and somehow thought of AOL for some reason, so I decided to see if I could find any vulnerabilities in mail.aol.com.
I looked at all the other parameters shown in an email to see if I could bypass filtering but came up empty.
Then another potential place for an XSS came to me: the reply-to parameter! I opened up Apple Mail on my MacBook, created a new email and eventually came up with this payload:
I added that as the reply-to email and sent it to the AOL account I had created. When I tried to reply to the email, my payload triggered!
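A defensive sketch of the handling a reply flow like this needs, added here as an example and not AOL's code or the author's: treat the Reply-To header as untrusted, validate the address against an allow-list, and HTML-encode the value before it is written into the reply form. The function names, the `<input name="to">` markup and the sample addresses are assumptions.

```javascript
// Added example (hypothetical names, not AOL's implementation).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can break out of an HTML attribute or text node.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Conservative allow-list for the address: no quotes, angle brackets or whitespace.
const ADDR_SPEC = /^[A-Za-z0-9.!#$%&*+\/=?^_`{|}~-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

// Parse 'Display Name <user@host>' or a bare 'user@host'.
// Returns { name, address }, or null when the header is not a plain mailbox.
function parseReplyTo(raw) {
  if (typeof raw !== 'string' || raw.length > 512 || /[\r\n\0]/.test(raw)) return null;
  const value = raw.trim();
  const m = /^(.*)<([^<>]*)>$/.exec(value);
  const address = (m ? m[2] : value).trim();
  const name = m ? m[1].trim().replace(/^"(.*)"$/, '$1') : '';
  if (!ADDR_SPEC.test(address)) return null;
  return { name, address };
}

// Build the recipient field of the reply form. Falls back to the From address
// when Reply-To is rejected, and always encodes what it writes into the markup.
function renderReplyToField(rawReplyTo, fallbackFrom) {
  const parsed = parseReplyTo(rawReplyTo) || parseReplyTo(fallbackFrom);
  if (!parsed) return '<input name="to" value="">';
  const label = parsed.name ? `${parsed.name} <${parsed.address}>` : parsed.address;
  return `<input name="to" value="${escapeHtml(label)}">`;
}

// Constructed sample headers: harmless markup probes, not the payload from the post.
const SAMPLE_NAME_PROBE = '"><u>probe</u>" <reply@example.com>';
const SAMPLE_ADDR_PROBE = '"><u>probe</u>"@example.com';

console.log(renderReplyToField(SAMPLE_NAME_PROBE, 'sender@example.com'));
console.log(renderReplyToField(SAMPLE_ADDR_PROBE, 'sender@example.com'));
```

Validation alone is not enough here: the display name is free text and still passes through, so the encoding step is what keeps it inert in the form.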
Here's the proof of concept video
I was thanked and added to their Hall of Fame for 2017 as "CDL": https://contact.security.aol.com/hof/.
Thanks for reading,