October 21, 2013

A Story about XSS on Facebook

One day, while browsing Facebook, I discovered an interesting tool – Graph API Explorer. It is designed for working with the Facebook Graph API: it allows reading or posting data on Facebook, testing permissions, and so on. So what does it actually do?



It makes a JSONP request to graph.facebook.com with a callback and includes the returned JSON data in the page. Of course, at first I tried to supply the callback parameter in the request myself, but that was unsuccessful. After many attempts to inject something, I found an interesting script that exists on almost every Facebook domain: login.php, which redirects to any *.facebook.com page. First, I tried a redirect to http://graph.facebook.com/me?callback=alert, and it worked! I got an alert with the text [object Object]. Great!

https://developers.facebook.com/tools/explorer?method=GET&path=login.php?next%3dhttps%253a//graph.facebook.com/me%253fcallback%253dalert 

But of course, that could not be the end of it unless I was able to run arbitrary code. I just needed to find any place on *.facebook.com where I could store my malicious code. My first try was to send a file to another user via Facebook messages. All I did was send an evil.txt file with the malicious code and change its content-type to text/javascript. After that, the file was available via the following link:

https://www.facebook.com/ajax/messaging/attachment.php?attach_id=&mid=&hash= 

The file is available only to the recipient of the message, but we can make a specially crafted .gif file containing JavaScript code (thanks to @isciurus), send it to the victim, get the link to the malicious file and use that link to exploit the vulnerability. The victim receives the image, clicks on it, and because of the "Content-Disposition" header it is saved to the victim's computer and behaves like a normal .gif image. So, nothing suspicious. Anyway, I bet there are lots of places on *.facebook.com where we can store our payload.

Ok, let's try to execute our code. The first attempt failed: there is a "content-security-policy" header, which disallows running this code. It seemed I would have to find another place to store my code... But wait! Internet Explorer ignores this header because it only recognises the "x-content-security-policy" header. So I checked it in IE 10, and it worked out great.

https://developers.facebook.com/tools/explorer?method=GET&path=login.php?next%3dhttps://www.facebook.com/ajax/messaging/attachment.php%253fattach_id%253d%2526mid%253d%2526hash%253d



I got XSS, a reward, lots of fun and, in addition, a cool screenshot ;)



Here is the video of the exploitation:



Author: Pavel Toporkov, Positive Research.
