Greetings, everyone!
Thank you for joining me as I discuss a recent discovery I made regarding a bug in Apple’s systems. In this article, I’ll share the journey of how I found a host header injection on an Apple subdomain. My findings led to a valuable acknowledgment from Apple in their Hall of Fame. Additionally, write-ups for my second and third Hall of Fame recognitions will be coming soon.
Without further delay, let’s delve into the intricacies of this discovery.
Let’s have a small introduction about me:
My name is Mohaseen. I’m a cyber security enthusiast and a bug bounty hunter. I have been learning about bug bounty and web application hacking since 2019, and I love what I do.
Now let’s understand the bug.
Over the past few months, I have been actively participating in various bug bounty programs without much success. Remembering that my first valid bug came from Apple, I decided to focus my efforts there once again.
To begin, I conducted subdomain enumeration using various tools and my custom automated reconnaissance script. While the script ran, I manually searched for subdomains, checking them on the Wayback Machine and analyzing the URLs for interesting parameters.
After approximately seven hours of continuous hunting, I discovered a subdomain with a URL containing the parameter path=. My initial thought was to explore potential Server-Side Request Forgery (SSRF) or open redirect vulnerabilities. Despite trying several methods, I was unable to find anything significant.
During this process, I realized that my Burp Suite Professional version plugins were not enabled. Once I enabled them, I remembered that I had not used ParamSpider for some time. I decided to run ParamSpider, and upon completion, I noticed the presence of the X-Forwarded-Host header.
I initially tested this with apple.com, which resulted in a response redirecting to apple.com. The response header contained the value Location: https://apple.com/en. Not finding anything unusual, I carefully examined the response and decided to test further by changing the header value to evil.com.
To my surprise, instead of blocking the request, the server redirected me to evil.com. This indicated a significant host header injection vulnerability that could be exploited.
The host header injection vulnerability poses significant security risks, including enabling attackers to redirect users to malicious websites, making phishing attacks more convincing. It allows for the possibility of session hijacking by manipulating the host header to intercept sensitive data. Additionally, it can be exploited to poison web caches, serving malicious content to other users, and bypass security measures by manipulating server logic that relies on the host header. Addressing this vulnerability promptly is crucial to prevent these potential exploits and safeguard user data.
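A server-side check that would stop the redirect described above, shown next to the trusting behaviour it replaces. This is an added example, not code from the original write-up or from Apple; the host names, the allowlist and the function names are assumptions made for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumption: hosts this deployment may redirect to (constructed values).
ALLOWED_HOSTS = {"www.example.com", "shop.example.com"}
CANONICAL_HOST = "www.example.com"


def vulnerable_location(headers: dict, path: str) -> str:
    """Mirrors the behaviour in the write-up: the forwarded host is trusted as-is."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", CANONICAL_HOST)
    return f"https://{host}{path}"


def normalize_host(raw: str) -> Optional[str]:
    """Return a lowercase bare hostname, or None if the value is malformed."""
    # A comma-separated list (appended by proxies) is ambiguous, so reject it.
    if not raw or "," in raw or any(c.isspace() for c in raw):
        return None
    try:
        parts = urlsplit("//" + raw)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    # Reject userinfo ("good@evil"), paths, queries and fragments in the value.
    if parts.username or parts.password or parts.path or parts.query or parts.fragment:
        return None
    if port not in (None, 443) or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def safe_location(headers: dict, path: str) -> str:
    """Use the client-supplied host only when it is on the allowlist."""
    # Assumption: header names arrive in this exact case (normalize them upstream).
    raw = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    candidate = normalize_host(raw)
    host = candidate if candidate in ALLOWED_HOSTS else CANONICAL_HOST
    # Keep the path local: one leading slash, no backslashes.
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        path = "/"
    return f"https://{host}{path}"
```

Where a reverse proxy sits in front of the application, it should also drop or overwrite any client-supplied X-Forwarded-Host before the request reaches this code.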
After a 5-month wait, Apple confirmed my report was valid and that I’ll be added to their Hall of Fame. This is my fourth time being included.
Getting a 4th HOF from Apple is a very great feeling. Thank you, Infosec community, for sharing the knowledge.
I hope you learned something new reading this. Thank you so much for reading. Have a great day😊!