The Unseen: Facebook Bug Bounty 2014, X-XSS and Filter Evasion worth 7500$

6:04 AM




This is the second part of the series on how I found an XSS in Facebook. I wrote about the first bug here. It was a Linkshim evasion and URL redirection issue: I used "../http://site.com" in the continue parameter for redirection, which bypassed the FB Linkshim, and I explained how there.

After Facebook approved my bug, promised me a 1000$ bounty and fixed the issue, I re-read my blog entry entitled "bypassing htmlentities()" and remembered something I always talk about: XSS. The bug could have been a cross-site scripting issue. How? Well, when given the Linkshim value "../http://site.com", the parameter renders the following code (first bug):

<a href="http://site.com">Continue</a>

You know what that means: if I gave it "../data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K#", it will output this:

<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K#">Continue</a>

For those of you who can't base64-decode in your head :P, that is equivalent to "<script>alert("XSS");</script>". I put the hash (#) at the end to make sure the parameters following it are ignored rather than treated as part of the Base64.

Or, more simply, giving the parameter "../javascript:alert(0);//" will produce this code:

<a href="javascript:alert(0);//">Continue</a>

The above href attribute is properly sanitized and passed through htmlentities(). But since neither htmlentities() nor htmlspecialchars() filters the above payload (it contains no HTML metacharacters at all), it was possible to execute a reflected XSS when a user clicked the Continue button. The final payload would look something like:
https://m.facebook.com/feed_menu/?story_fbid=808015282566492&id=100000740832129&confirm=h&continue=../javascript:alert(0);&perm&no_fw=1&_rdr

Makes me wonder what I can do with it, stil da kookies? Lmao.
So simple. But effective. I reported this issue after the URL redirection had been fixed (making it impossible to reproduce the XSS), but the Facebook security team was kind enough to understand the impact this could have had, reconsider the first bounty as three types of injection in one parameter (XSS, redirection, Linkshim evasion) and raise the bounty to 7500$, which by the way is a lot of money.
I would like to thank Facebook again and again for the generous amount and for launching the white hat program.
Conclusion: watch out for XSS on redirection parameters; wherever user input ends up in an href, it is quite likely to occur.
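To illustrate the point above, here is an added example (not code from the original post or from Facebook) that models the rendering the write-up describes: a leading "../" is dropped and the remainder becomes the href. The "vulnerable" renderer only HTML-escapes, which leaves javascript: and data: URLs intact; the hardened one validates the scheme against an allowlist and falls back to a fixed safe page. The "../" handling, the fallback URL and the host-less checks are assumptions made for the example.

```python
import html
from urllib.parse import urlsplit

# Schemes a redirect target may use. Anything else (javascript:, data:,
# vbscript:, ...) is refused even though it contains no HTML metacharacters.
ALLOWED_SCHEMES = {"http", "https"}


def strip_dotdot(param: str) -> str:
    """Assumed model of the behaviour the write-up describes: a leading
    '../' is dropped and the remainder is used as the redirect target."""
    return param[3:] if param.startswith("../") else param


def render_continue_vulnerable(param: str) -> str:
    """Escapes only HTML metacharacters (html.escape stands in for PHP's
    htmlentities()). A javascript: or data: URL survives untouched."""
    target = strip_dotdot(param)
    return '<a href="%s">Continue</a>' % html.escape(target, quote=True)


def is_safe_redirect(target: str) -> bool:
    """Accept only absolute http(s) URLs that carry a host.

    Browsers ignore tab/newline inside a URL and strip leading/trailing
    controls and spaces before reading the scheme, so normalise the same
    way first; otherwise the scheme check and the browser can disagree."""
    cleaned = "".join(ch for ch in target if ch not in "\t\r\n")
    cleaned = cleaned.strip("".join(chr(c) for c in range(0x21)))
    parts = urlsplit(cleaned)
    # urlsplit lower-cases the scheme; a missing netloc rejects
    # scheme-less and protocol-relative ("//host") values as well.
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def render_continue_hardened(param: str, fallback: str = "https://example.com/") -> str:
    """Validate the scheme first, then escape; unknown schemes are replaced
    by a fixed, trusted page (the fallback URL is an assumption here)."""
    target = strip_dotdot(param)
    if not is_safe_redirect(target):
        target = fallback
    return '<a href="%s">Continue</a>' % html.escape(target, quote=True)
```

Escaping and URL validation are separate controls: the first stops the value from breaking out of the attribute, the second decides whether the attribute's value is an acceptable navigation target at all.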


19 comments

  1. great blog, good post.

  2. Hey Paulos......See this line "I wrote about the first bug here" and check the anchor tag. BDW Nice article dude. Keep posting stuffs like this.

  3. Yeah, I created the other tool to allow manual testers to be able to test a mainly form-based application for CSRF vulnerabilities. We were trying to retrofit an application with a custom framework to be protected from CSRF attacks.

  4. paulos yobelo good work..!! I also want to participate in these type of bug bounty programmes..!!

  5. %2a2%a%2%3a%3:alert(####)
