A short story of Content Spoofing to HTML Injection in Apple using Dangling Markup Injection
Content Spoofing is an injection in which user input is reflected as it is in the application response which can be used in phishing attacks.
During the recon phase, I found itunesconnect.apple.com, subdomain of apple and after digging into it, I had observed that the content of errorKey parameter was reflecting back to the page as shown below
With normal inline Cross Site Scripting(XSS) payloads, the application was giving blank pop up. After trying different scenarios, I have observed that dangling markup injection is possible on vulnerable parameter (errorKey)
Let’s understand the concept of Dangling Markup Injection
For our exploitation, I had used CSS
@import as a payload. The main purpose of @import method is to use multiple style sheets on a page.
Time for the final payload having a broken image linked to itunesconnect.apple.com itself which led to HTML injection.
Payload - https://itunesconnect.apple.com/login?errorKey=%3C%3Cstyle%3E@import%2F%2Fcontent-spoofing-to-possible%20xss%3F%3C---%20Injected%20%3Ca%20href%3Dhttps:%2F%2Fitunesconnect.apple.com%2Flogin%3FerrorKey%3DXSS-NOT-confirmed%3E%3Cimg%20src%3D%22https:%2F%2Fbitenapple.com%2Fmytest.jpeg%22%3E%3C%2Fa%3E%3C%2Fbr%3E%3C%2Fbr%3E%3C%2Fbr%3E%3Ch1%3EVulnerable%20to%20HTML%20Injection%3C%2Fh1%3E
28th July 2021- Reported the issue to Apple Product Security Team.
29th July 2021- Got reply from Apple with the Follow-up ID.
14th September 2021- The issue was patched. Asked Apple Team for an update.
20th September 2021- Apple team acknowledged and asked for the details to mention on their credit page in the next update cycle. The required details was shared the same day.
22nd September 2021- Mailed Apple Team for approval to publish a blog around this issue.
23rd September 2021- Apple Team wanted to review and provide with feedback on the blog . Replied with the draft blog to the Apple.
1st October 2021- Apple Team provided the go ahead to publish the blog.
Dangling markup injection | Web Security Academy
In this section, we'll explain dangling markup injection, how a typical exploit works, and how to prevent dangling…