Apple Bug bounty writeups XSS (2021)
2021-05-23 15:45:14 Author: infosecwriteups.com

Takashi Suzuki

https://hackerone.com/kamikaze?type=user

Get Apple's reachable hosts from censys.io

Search query: 17.0.0.0/8 AND 443.https.get.status_code: 200

Censys-CLI & Aquatone

Tool for scraping IPs: https://github.com/censys/censys-python

Tool for screenshots: https://github.com/michenriksen/aquatone

1. Scrape reachable hosts with the Censys CLI

censys search -q "17.0.0.0/8 AND 443.https.get.status_code:\"200\"" --query_type ipv4 --fields ip protocols --max-pages 15 -f json -o apple

2. Grep the IP addresses

grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' apple >> ip-apple

3. Prepend "https://" to each IP address so Aquatone can use it

sed 's/^/https:\/\//' ip-apple >> http-apple

4. Take screenshots

cat http-apple | ./aquatone -ports 443 -http-timeout 9000 -screenshot-timeout 90000 -out apple

I found a site which is vulnerable to XSS.

https://apple.channel.support

1. Create a ticket

2. Upload an SVG image with an XSS payload in a reply

3. When the victim views the attacker's SVG image from a mobile device, the XSS triggers

Reported: 02/16/2021

Fixed & asked how to be credited on the Hall of Fame page: 31/03/2021


Article source: https://infosecwriteups.com/apple-bug-bounty-xss-2021-78c2f4fc4106?source=rss----7b722bfd1b8d--bug_bounty