I looked at all the other parameters shown in an email to see if I could bypass filtering but came up empty. Then another potential place for an XSS came to me: the reply-to parameter! I opened up Apple Mail on my Mac Book, created a new email and eventually came up with this payload:
I added that as the reply-to email and sent it to the AOL I had created. When I tried to reply to the email, my payload triggered!
Here’s the proof of concept video: https://drive.google.com/file/d/0B8sZyyQEiBRpZmd2MGZiY0M5ZVE/view
I was thanked and added to their Hall of Fame for 2017: https://contact.security.aol.com/hof/
Thanks for reading,
Corben Leo (@sxcurity)