I understand this blog is too late, but I want to share how I got 3x Hall of Fame in Apple.
How to Find Target 🎯:
I randomly searched on the Apple Old Hall of Fame page, I got some subdomains.
Tip: Collect all the subdomains and save them into one text file 😉, Use httpx to find alive domains this will save your time.
Try all the vulnerabilities you know 🙌
Now I will explain my findings:
Vulnerability Name: Content Spoofing
Content spoofing, also known as content injection, is a type of security vulnerability that allows an attacker to manipulate the content displayed on a website or application.
Content spoofing can be a result of inadequate input validation or insufficient security controls.
Steps to reproduce:
- Find a targeted URL (http://abi.example.com/)
- Enter any text after the URL to check content spoofing
- I used this one please_go_to_www.evil.com
- This text was reflected on the page.
Note: abi.example.com is the example domain, put your targeted domain.
Now I tried to inject HTML and XSS payloads, But unfortunately, I didn’t get anything 🥲
It's okay… 😉
I reported the vulnerability to Apple in January 2022, and they listed my Name in March 2022.
Note: Patience is more important because Apple takes long months to fix and reply.
Okay… will see in the next blog 👋🙋♂️.
Reach out to me, If you have any queries 🤝
👔 LinkedIn: Abinesh M
📱 Instagram: Abi_Hecker