Post

Apple Cross-Site Scripting

Posted
By Patrick Henry 1 min read

Last year i was able to find cross-site scripting in one of apple’s subdomains moreover i was able to bypass the firewall

Scanning

after i made subdomain enumeration and parameter fuzzing i found there is a parameter is refleceted in one of the subdomains

Reflected-Parameter

Reflected-Parameter i tried to to use an event handler to execute a javascript as a proof of concept unfortunately the web application firewall blocked it Blocked

Fuzzing the web application firewall

the firewall was blocking the event handlers so i thought maybe some event handlers are not blocked i got wordlist of javascript event handlers from PortSwigger Wordlist i used the burp intruder to make brute force using a list of event handlers to check if there is a event handler that is not blocked and i found multiple event handlers that are not blocked BurpIntruder The final payload

1

" OnPointerEnter=top[/al/.source+/ert/.source](1)

Final-Payload i was able to bypass the web application firewall xss https://media.giphy.com/media/l4EpkVLqUj8BI7OV2/giphy.gif

Google Dorks is here to help

wait i haven’t finished yet i said what if this endpoint is duplicated in another domain i made a simple google dork using keywords i found in the page and i was able to find another domain having the same vulnerable endpoint second

Apple hall of fame

i reported the vulnerability to apple and they put my name in the hall of fame apple_response.png HallofFame

Bug Hutning
Bug Hutning
This post is licensed under CC BY 4.0 by the author.

Trending Tags

0days Bug Hutning windows