graph.facebook.com, while adding a callback that will draw the received data on the page. First of all, I tried to replace this callback with something of my own (more about this method), but without success, because the callback parameter I supplied was simply discarded. After several unsuccessful attempts to inject a callback, I remembered one interesting page, "login.php", which I had come across while researching Facebook. This page was present on all domains and allowed a redirect to any page of any facebook.com subdomain. To begin with, I tried redirecting to the same graph.facebook.com, but with my own callback parameter.
developers.facebook.com/tools/explorer?method=GET&path=login.php?next%3dhttps%253a//graph.facebook.com/me%253fcallback%253dalert
[Object object], which indicated that my callback had been executed. But, of course, I could not stop there. Now I started searching for a place on Facebook where I could store my JavaScript code and then execute it. The first thing that occurred to me was to send a file with a message to a user, changing the Content-Type to text/javascript. After that we get a link like
www.facebook.com/ajax/messaging/attachment.php?attach_id=&mid=&hash=
attachment.fbsbx.com/messaging_attachment.php
[Only fragments of the remaining paragraphs survived extraction: GIF, JavaScript; Facebook "content-security-policy"; Internet Explorer "x-content-security-policy"; IE10; Positive Research.]
Source: https://habr.com/ru/post/197740/