Facebook Bug Bounty 2014, Reflected XSS and Filter Evasion worth 7500$
6:04 AM
This is the second part of the series on how I found an XSS in Facebook. I wrote about the first
bug here. It was a Linkshim evasion and URL redirection bug: I used “../http://site.com” in the
continue parameter for redirection, bypassing the Linkshim, and I explained how there.
After Facebook triaged my bug, promised me a 1000$ bounty and fixed the issue, I
realized something. The bug could have been a cross-site scripting issue. How? Well, I don't
know how the hell I missed this in the first place, but when you give Linkshim “../http://site.com”
to sanitize, the parameter renders the following code (first bug):
You know what that means. If I gave it
“../data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K#” it will become
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K#">
For those of you who can’t do base64 decoding in your head, that is equivalent to
“<script>alert(“XSS”);</script>”, and I put the hash (#) behind it to make sure that any parameters
following it are ignored rather than being treated as part of the Base64.
Or simply by giving the parameter “../javascript:alert(0);//”, which produces the following code:
<a href="javascript:alert(0);//">Continue</a>
The above href attribute is properly sanitized and converted into entities. But since neither
htmlentities() nor htmlspecialchars() filters the above payload (entity encoding neutralizes quotes
and angle brackets, not the URL scheme), it was possible to execute a reflected XSS when a user
clicked the Continue button. The final payload would look something like:
https://m.facebook.com/feed_menu/?story_fbid=808015282566492&id=100000740832129&
confirm=h&continue=../javascript:alert(0);&perm&no_fw=1&_rdr
Makes me wonder what I could do with it, steal the cookies? Lmao.
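As an added example (not Facebook's code or the author's), the Python below shows the two halves of the problem described above: entity encoding leaves a javascript: or data: scheme untouched, so the fix has to be a scheme and host allowlist applied to the continue value before it is used as a link target. The host allowlist and the sample inputs are constructed for the example; the three rejected payloads are the ones from this post and the first bug.

```python
import html
import posixpath
from urllib.parse import urlsplit

# Added example, not Facebook's code; the host allowlist is an assumption.
ALLOWED_HOSTS = frozenset({"m.facebook.com", "www.facebook.com"})

def render_continue_link(href):
    """Entity-encode for the href context, as htmlentities() would. This stops
    quote/tag breakouts but leaves a javascript: or data: scheme untouched."""
    return '<a href="%s">Continue</a>' % html.escape(href, quote=True)

def normalize_continue(value, allowed_hosts=ALLOWED_HOSTS):
    """Return a site-relative path or an allowlisted https URL, else None.
    Anything with a scheme, a host, or a ':' inside a relative path is
    refused, so '../javascript:', '../data:' and '../http://site.com' are
    rejected even if a later step strips the '../' prefix."""
    if not value or any(c in value for c in "\x00\t\r\n"):
        return None  # control characters are a classic way to disguise a scheme
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative ('//host'): only https to known hosts.
        ok = parts.scheme.lower() == "https" and parts.netloc.lower() in allowed_hosts
        return value if ok else None
    if ":" in parts.path:
        return None  # no scheme parsed, but a segment still reads like one
    # Collapse '../' ourselves and pin the result to exactly one leading '/'
    # (lstrip stops '//feed' surviving normpath as a protocol-relative URL).
    collapsed = posixpath.normpath("/" + parts.path.lstrip("/"))
    if parts.path.endswith("/") and collapsed != "/":
        collapsed += "/"
    if parts.query:
        collapsed += "?" + parts.query
    if parts.fragment:
        collapsed += "#" + parts.fragment
    return collapsed

# Constructed inputs: the post's three payloads, a protocol-relative URL and
# two benign targets, each mapped to what the check should return.
SAMPLES = {
    "../javascript:alert(0);//": None,
    "../data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K#": None,
    "../http://site.com": None,
    "//evil.example/": None,
    "/feed_menu/?story_fbid=1": "/feed_menu/?story_fbid=1",
    "https://m.facebook.com/home.php": "https://m.facebook.com/home.php",
}

def check_samples():
    return all(normalize_continue(raw) == want for raw, want in SAMPLES.items())
```

render_continue_link("javascript:alert(0);//") returns the anchor unchanged, which is why the encoding step alone was not enough; normalize_continue refuses that value outright.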
So simple and yet effective. I reported this after the URL redirection had been fixed (making it
impossible to verify the XSS), but FB security was kind enough to understand the impact this
could have had, reconsider the first bounty as two types of injection in one parameter
(XSS, open redirection / Linkshim evasion) and raise the bounty to 7500$.
I would like to thank Facebook for the generous amount and for launching the white hat program.
Conclusion
Watch out for XSS on redirection.
22 comments
Great article!
    Thanks. :)
Awesome article. Cheers!
    Thank You :)
great blog, good post.
    Thanks. :D
Hey Paulos... See this line "I wrote about the first bug here" and check the anchor tag. BTW nice article dude. Keep posting stuff like this.
    Thanks. fixed it. :D
Yeah, I created the other tool to allow manual testers to be able to test a mainly form-based application for CSRF vulnerabilities. We were trying to retrofit an application with a custom framework to be protected from CSRF attacks.
Awesome, Good work!
    Thanks! :)
    Amazing content, God Bless
paulos yobelo good work..!! I also want to participate in these type of bug bounty programmes..!!
Nice thought :-)
I have found a big bug... what is error 8232? Why can't I tag any photo or status? Please fix now.