
Facebook XSS Story

One evening I decided to look into Facebook's security. After browsing the site for a short while, my eye was caught by the Graph API Explorer. This is a web application for the Facebook Graph API that lets you retrieve user data from Facebook and upload data to Facebook. Many operations, of course, are available only with an OAuth token. What does this application actually do?


When a user makes a request to read or write data, the application sends a JSONP request to graph.facebook.com, adding a callback that renders the received data on the page. First, I tried to replace this callback with one of my own (more about this method), but without success: the callback parameter I supplied was simply discarded. After several failed attempts to inject a callback, I remembered an interesting page, "login.php", which I had come across while researching Facebook. This page existed on every Facebook domain and allowed a redirect to any page on any subdomain of facebook.com. To begin with, I tried redirecting to that same graph.facebook.com, but with my own callback parameter.


developers.facebook.com/tools/explorer?method=GET&path=login.php?next%3dhttps%253a//graph.facebook.com/me%253fcallback%253dalert



I saw the coveted window with the text [object Object], which showed that my callback had executed. But of course I could not stop there. Next I started looking for a place on Facebook where I could store my JavaScript code and later execute it. The first thing that occurred to me was to send a file to a user as a message attachment, changing its Content-Type to text/javascript. After that we get a link like
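The two weak points in the chain above are the JSONP endpoint accepting any syntactically valid callback name (alert is a legitimate identifier) and the login.php redirect accepting any facebook.com subdomain. The following is an added example, not code from the original post or from Facebook, of how a defender would close both; the callback name, the allowlisted redirect target and the fallback URL are constructed for the example.

```javascript
// Added example (not from the original post). Two server-side checks that
// break the JSONP-via-open-redirect chain described above.

// 1. JSONP callback validation. A syntax-only check is not enough: "alert" is a
//    valid identifier, and a response of alert({...}) runs in whatever page
//    loads it as a script. Allow only the callback names the app itself emits.
const ALLOWED_CALLBACKS = new Set(["__fbGraphCallback"]); // constructed name

function validateJsonpCallback(name) {
  if (typeof name !== "string") return null;
  if (!/^[A-Za-z_$][\w$]*$/.test(name)) return null; // reject "alert('x')" etc.
  return ALLOWED_CALLBACKS.has(name) ? name : null;  // reject alert, eval, ...
}

function buildJsonpResponse(callbackParam, data) {
  const cb = validateJsonpCallback(callbackParam);
  if (cb === null) {
    // Unknown callback: answer with plain JSON so the body is never executable.
    return { status: 400,
             headers: { "Content-Type": "application/json",
                        "X-Content-Type-Options": "nosniff" },
             body: JSON.stringify({ error: "invalid callback" }) };
  }
  return { status: 200,
           headers: { "Content-Type": "application/javascript",
                      "X-Content-Type-Options": "nosniff" },
           body: `/**/ ${cb}(${JSON.stringify(data)});` };
}

// 2. Redirect target validation for a login.php-style "next" parameter.
//    "Any subdomain of facebook.com" lets the redirect reach graph.facebook.com
//    with attacker-chosen query parameters. Compare origin and path against an
//    explicit allowlist and drop the caller-supplied query string entirely.
const ALLOWED_NEXT = new Map([
  ["https://developers.facebook.com", new Set(["/tools/explorer"])], // constructed
]);

function resolveNext(nextParam, fallback = "https://www.facebook.com/") {
  let url;
  try { url = new URL(nextParam, "https://www.facebook.com"); }
  catch (e) { return fallback; }
  const paths = ALLOWED_NEXT.get(url.origin);
  if (!paths || !paths.has(url.pathname)) return fallback;
  return url.origin + url.pathname; // query string intentionally discarded
}
```

The decoded "next" value from the URL above, https://graph.facebook.com/me?callback=alert, is rejected by resolveNext and falls back to the home page, and validateJsonpCallback rejects "alert" even though it passes the identifier regex.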



www.facebook.com/ajax/messaging/attachment.php?attach_id=&mid=&hash=







attachment.fbsbx.com/messaging_attachment.php
, . , , , GIF-, JavaScript- ( ). GIF- , . .



, ... . , Facebook "content-security-policy" , JavaScript, . , , Internet Explorer . "x-content-security-policy" . IE10 :


! . Facebook, , , .


:







: , Positive Research.

Source: https://habr.com/ru/post/197740/
