
Monday, October 21, 2013

A Story about XSS on Facebook

One day, while browsing Facebook, I discovered an interesting tool: Graph API Explorer. It's a tool designed for working with the Facebook Graph API. It allows reading or posting data on Facebook, testing permissions, etc. So what can it actually do?



It makes a JSONP request to graph.facebook.com with some callback and includes the returned JSON data in the page. Of course, at first I tried to include a callback parameter in the request, but without success. After many attempts to inject something, I found an interesting script that exists on almost every Facebook domain: login.php, which allows redirection to any *.facebook.com page. First, I tried redirecting to http://graph.facebook.com/me?callback=alert, and it worked! I got an alert with the text [object Object]. Great!

https://developers.facebook.com/tools/explorer?method=GET&path=login.php?next%3dhttps%253a//graph.facebook.com/me%253fcallback%253dalert 

But of course, I couldn't stop there until I was able to run arbitrary code. I just needed to find any place on *.facebook.com where I could store my payload. My first try was to send a file to another user via Facebook messages. All I did was send an evil.txt file containing the code and change its content-type to text/javascript. After that, the file was available via the following link:

https://www.facebook.com/ajax/messaging/attachment.php?attach_id=&mid=&hash= 

The file is available only to the recipient of the message, but we can make a specially crafted .gif file containing JavaScript code (thanks to @isciurus), send it to the victim, get the link to the malicious file and use that link to exploit the vulnerability. The victim will get the image and click on it; because of the "Content-Disposition" header it will be saved to the victim's computer and behave like a normal .gif image. So, nothing suspicious. Anyway, I bet there are lots of places on *.facebook.com where a payload can be stored.

OK, let's try to execute the code. An attempt... resulting in failure. There is a "Content-Security-Policy" header, which disallows running this code. It seems like I should find another place to store my code.... But wait! Internet Explorer ignores this header, because it only honours the "X-Content-Security-Policy" header. So I checked it in IE 10, and it worked out great.

https://developers.facebook.com/tools/explorer?method=GET&path=login.php?next%3dhttps://www.facebook.com/ajax/messaging/attachment.php%253fattach_id%253d%2526mid%253d%2526hash%253d
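As an added illustration (not code from this post or from Facebook), here is how a small Python service would close the three server-side gaps the chain above relies on: a JSONP endpoint that reflects any callback, an attachment handler that serves the uploader's declared content type, and a CSP sent only under the header name IE 10 did not honour. All function and constant names are my assumptions.

```python
import json
import re
from typing import Optional

# Assumed names for this added example; none of this is Facebook's code.
# A JSONP callback may only be a plain dotted identifier, so values such as
# "alert(1);//" cannot turn the reply into arbitrary script.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]{0,63}(\.[A-Za-z_$][\w$]{0,63}){0,4}$")

# Served attachments get their type from this allowlist keyed by extension;
# the uploader's declared type (text/javascript in the post) is never used.
ATTACHMENT_TYPES = {"gif": "image/gif", "png": "image/png", "txt": "text/plain"}


def csp_headers(policy: str) -> dict:
    """Send the policy under both names: in 2013 IE 10 only honoured the
    X- prefixed header, so Content-Security-Policy alone was not enforced there."""
    return {"Content-Security-Policy": policy, "X-Content-Security-Policy": policy}


def jsonp_response(data: dict, callback: Optional[str]) -> tuple:
    """Return (status, headers, body). No callback: plain JSON. A valid
    callback: script, labelled as script and marked nosniff. Anything else: 400."""
    if callback is None:
        return 200, {"Content-Type": "application/json"}, json.dumps(data)
    if not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "application/json"}, json.dumps({"error": "bad callback"})
    headers = {"Content-Type": "application/javascript", "X-Content-Type-Options": "nosniff"}
    # The leading comment keeps attacker-chosen bytes off the start of the body.
    return 200, headers, "/**/" + callback + "(" + json.dumps(data) + ");"


def attachment_headers(filename: str, declared_type: str) -> dict:
    """Headers for serving a user upload; declared_type is deliberately ignored."""
    del declared_type  # kept as a parameter only to make the point explicit
    safe_name = re.sub(r"[^\w.-]", "_", filename) or "download"
    ext = safe_name.rsplit(".", 1)[-1].lower() if "." in safe_name else ""
    return {
        "Content-Type": ATTACHMENT_TYPES.get(ext, "application/octet-stream"),
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
    }
```

Note that the callback pattern still accepts `alert`, since it is a valid identifier: it only prevents arbitrary script, so the page that consumes the reply must additionally never load a JSONP response from a caller-chosen URL as script.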



I achieved XSS, got a reward and lots of fun, and, in addition, made a cool screenshot ;)



Here is the video of the exploitation:



Author: Pavel Toporkov, Positive Research.

11 comments:

  1. Thanks for splitting your comprehension with us. It's really useful to me & I hope it helps the people who are in need of this vital information.
    Regards,
    Informatica training in chennai|Best Informatica Training In Chennai

  2. Thanks for sharing this useful post. Actually, the Salesforce CRM cloud application provides special cloud computing tools for your client management problems. It's a fresh technology in the IT industry for business management.
    Regards,
    Salesforce training in Chennai|Salesforce training institute in Chennai

  3. Thanks for sharing this niche, useful, informative post to our knowledge. Actually, SAP is ERP software that can be used in many companies for their day-to-day business activities; it has great scope in the future.
    Regards,
    sap training in Chennai|SAP Institutes in Chennai|SAP course in chennai

  4. Cloud is one of the tremendous technologies that any company in this world would rely on (Salesforce Certification). Using this technology many tough tasks can be accomplished easily in no time. Your content is also explaining the same (Salesforce crm training in chennai). Thanks for sharing this in here. You are running a great blog, keep up this good work (hadoop training).

  5. Thanks for sharing your innovative ideas with us. I have read your blog and I gathered some new information through your blog. Your blog is really very informative and unique. Keep posting like this. Awaiting your further updates.
    Thanks & Regards
    Big Data Training in Chennai | Big Data Training in Chennai



  6. A Self-XSS scam usually works by promising to help you hack somebody else's account. Instead of giving you access to someone else’s account, the scammer tricks you into running malicious code that gives them the ability to use your account for fraud, spam and tricking more people into the scam.
    hadoop training in chennai |
    informatica training in chennai

  7. Thank you for this type of post you have done here. And I am really impressed with the lot of information in this article.

    SAP Training in Chennai

  8. This blog is full of what is represented at the Positive Research center. It is very useful. We provide ABAP training in our institute. It offers a wide range of benefits such as certifications, rewards and excellent jobs in your field. It is used to improve your knowledge.

  9. Useful information. I am actually blessed to read this article. Thanks for giving us this advantageous information. I acknowledge this post, and I would like to bookmark this post. Thanks
    geometry dash pc|agar.io sniper games happy wheels five nights at freddy's 3 play happy wheels

  10. The LastPass "Password manager" blog is found vulnerable to DOM XSS due to prettyPhoto not being updated in the theme. Thanks a lot.

    aws training in chennai | hadoop training in chennai | informatica training in chennai

  11. I like this story. XSS on Facebook, a good story. gmail sign up
