5000$ for Apple Stored Xss And Another Blind Xss Still under review

How I found two Xss At Apple that Lead for high/crirical impact

Hamzadzworm
5 min readOct 24, 2022

Hi all, hope you all doing great

i usually post as hamzadzworm but my real name is Abdelkader Mouaz

im going to share with you two vulnerabilities that i found at apple which are a stored and a blind xss they was at apple

after few days of subdomain enumeration i was able to find about 12000 subdomain for apple i put all of them in one list and i used httprobe to see live subdomains, i love to check every subdomain manual to dont miss any interesting thing, day after day i was into an interesting subdomain that have many functions and i notice that this subdomain is interesting because its available for all countries with different subdomains names like every country have an own subdomain for it after i notice that i was sure that its really interesting.

i start checking it as a normal user trying all functions
after checking website functions i notice that iam able to make my profile public and all user can see its.

so its clear that its time to play inside profile now, it try to inject an xss payload inside profile name and bio but i keep getting forbidden 403 they were uing waf against xss.

before give up i notice that there was Location field and i did not expect that i could inject an xss there and thats the point if i dint dexpect that its possible to inject it there so maybe they didnt protect it also xD

i tried just a simple htmli and they accept tags and “ becasue they didnt accept it in other fields but htmli didnt worked so i interecepted request using burpsuite and submit the html i notice that it was encoded while sending request in burp.

so i just replece the coded request using burp after intercepting it and request was sent and htmli work but htmli is very low impact i was hungry and looking for more its time to check if i can get a possible xss here

while trying to inject xss i get forbidden 403 again but becasue i was sure that htmli worked i keep trying all possible payloads one by one just to check whats wrong

that was my first payload it was the simple one:
<script>alert(3)<script>

i notice that word script is blocked
then i tried those:
“-alert(8)-”
‘-alert(8)-’
“;a=alert,a()//
‘;a=confirm,a()//

so inotice that im not able to use (script,confirm,alert)

but iam still able to use tags and “ i moved directly to check word prompt i put

"-prompt(8)-"

and i noticed that it didnt get blocked

so i try to insert an img to see if it will be injected
<img src=”random image link”>

and image was added to my profile

then i tried directly:
<image/src/onerror=prompt(8)>
and i was surprised that it get executed

so i sent a report directly
i also reported it for few different subdomains as i mentioned before every country has his own subdomain

now lets go for the impact which is the important step:

as i mentioned this xss was inside my profile which was public so i was able to takeover account of any user who visit my account becasue xss will executed and sent me cookies that i was able to use and login to him account. : )

i was happy and thinking that it will be accepted but i was surprised after few days that i got duplicate

and they said that its already reported but they mentioned that the same exact find is reported so make each of my two reports duplicated for the second one, after a lot of emails i could proof for them that iam the reporter of the both issues and they verify that.

team response:

first mail that issue was fixed:

after few days i was eligible for hall of fame:

i waited about one month and finally the wanted email was arrived

after few days my name added

you notice that my name was added two times second one is for the blind xss against admin which sent me admin cookies which i will put a write up for it in future after they give me finall response for it

i waited more few days and that was it :D

i hope you enjoyed this write-up i will share more soon thats my twitter account for dm:
https://twitter.com/hamzadzworm

--

--

Responses (2)