Anti-Phishing Research, Tombstones

Sunday, March 25, 2012

apple.com, Resolved, XSS, Cross Site Scripting, Javascript Injection, Shortcut, Bookmark

Reflected XSS (RXSS) in the q request parameter on www.apple.com, reported to Apple Product Security on Friday, December 2, 2011, and noted as resolved via URL http://support.apple.com/kb/ht1318 on February 10, 2012.


Summary

Severity:  High
Confidence:  Certain
Host:  http://www.apple.com
Path:  /global/nav/scripts/shortcuts.php

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95888\"%3balert(1)//7de0b7380f0 was submitted in the q parameter. This input was echoed as 95888\\";alert(1)//7de0b7380f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
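As an added example (not Apple's code or the page's own), the following reproduces the escaping defect described above: a quote-only encoder beside one that escapes the backslash first, plus a small lexer-style scan that checks whether the embedded value stays inside the literal. The names `weakEscape`, `safeEscape`, `embed`, `literalEnd`, `staysInsideLiteral` and the probe value are constructed for illustration.

```javascript
// Added example (not Apple's code): reproduces the escaping defect described
// above and contrasts it with a correct encoder for values embedded in a
// double-quoted JavaScript string literal.

// Flawed server-side encoder: escapes double quotes only, as the report describes.
function weakEscape(value) {
  return value.replace(/"/g, '\\"');
}

// Corrected encoder: escape the backslash FIRST, then the quote, then the
// characters that could close the <script> block or break the literal's line.
function safeEscape(value) {
  return value
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/</g, '\\x3c')
    .replace(/>/g, '\\x3e')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n');
}

// Build the script fragment the page would emit: var q = "<encoded>";
function embed(encoded) {
  return 'var q = "' + encoded + '";';
}

// Scan the fragment the way a JS lexer would: return the index where the
// double-quoted literal actually ends, honouring backslash escapes.
function literalEnd(fragment) {
  const start = fragment.indexOf('"');
  for (let i = start + 1; i < fragment.length; i++) {
    if (fragment[i] === '\\') { i++; continue; } // skip the escaped character
    if (fragment[i] === '"') return i;
  }
  return -1;
}

// True when the literal closes exactly at the trailing quote embed() appended,
// i.e. nothing in the encoded value terminated the string early.
function staysInsideLiteral(encoder, value) {
  const fragment = embed(encoder(value));
  return literalEnd(fragment) === fragment.length - 2;
}

// Constructed probe shaped like the report's payload: a backslash before the quote.
const probe = '95888\\";alert(1)//7de0b7380f0';
console.log(embed(weakEscape(probe))); // literal ends after 95888\\ : injection lands
console.log(embed(safeEscape(probe))); // quote stays escaped: value remains a string
```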
