Member-only story
Stored XSS in icloud.com — $5000
Hello Guys hope you all are doing well, fine and healthy during this hard time.
Introduction :
Hello, I am Vishal Bharad, from India and working as Penetration Tester, Now today I am going to share how I found Stored Cross-Site Scripting (XSS) in icloud.com.
Initial Discovery & Exploitation :
First of all I am not the XSS guy :D
Finally I decided to hunt on Apple. As we all know that apple is having large scope so I blindly choose icloud.com and decided to find at least 1 bug on icloud.com.
I tried many vulnerabilities on icloud.com such as CSRF, IDOR, Business Logic Bugs etc. and got nothing. I keep tried to find bugs on icloud.com and after so many attempts I decided to find XSS on icloud.com. (As I am still not good at finding XSS :D)
So here I started the initial recon to find XSS. As we all know that we can try XSS where strings are reflected on webpage or in response.
So I have logged in with icloud.com and inserted payloads everywhere and looked for the webpages where my payloads or strings over getting reflected in response. After so many attempts I got one endpoint where my payload was fired and It was my “Pursuit of Happiness”
