Facebook Bug Bounty 2014, X-XSS and Filter Evasion worth 7500$
6:04 AM
After Facebook approved my bug, promised me a 1000$ bounty and fixed the issue, I realized something: the bug could have been a cross-site scripting issue. How? Well, I don't know how the hell I missed this in the first place, but when you give linkshim “../http://site.com” to sanitize, the parameter renders the following code (first bug):
You know what that means: if I gave it “../data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K#”, it would output this:
For those of you who can’t do a base64 decode in your head, that is equivalent to “<script>alert(“XSS”);</script>”. I put the hash (#) at the end so that any parameters following it are ignored rather than treated as part of the Base64.
The above href attribute is properly sanitized and passed through htmlentities. But since neither htmlentities() nor htmlspecialchars() filters the above payload (they escape HTML metacharacters, not the URL scheme), it was possible to execute a reflected XSS when a user clicked the Continue button. The final payload would look something like:
Makes me wonder what I can do with it, stil da kookies? Lmao.
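To show the point above in code, here is an added example (mine, not Facebook's or linkshim's code): a hypothetical sanitizer that only HTML-escapes the value and drops the leading “../” leaves the data: scheme intact, while a scheme allow-list check on the redirect target rejects it. The sanitizer model and the function names are assumptions for illustration.

```python
"""Added example: HTML escaping does not neutralise a data: URI in an href;
only validating the URL scheme does. Not Facebook's or the post's code."""
import html
from typing import Optional
from urllib.parse import urlsplit

# The payload quoted in the post: "../" prefix plus a base64 data: URI.
POST_PAYLOAD = "../data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K#"

# Only absolute http(s) URLs may be used as an external redirect target.
ALLOWED_SCHEMES = {"http", "https"}


def lenient_sanitize(target: str) -> str:
    """Hypothetical model of the weak sanitizer (an assumption, not Facebook's
    implementation): drop leading '../' segments, then HTML-escape like
    htmlentities()/htmlspecialchars() would. The URL scheme is untouched."""
    while target.startswith("../"):
        target = target[3:]
    return html.escape(target, quote=True)


def scheme_of(target: str) -> str:
    """Return the lower-cased URL scheme, or '' for relative/schemeless input."""
    return urlsplit(target.strip()).scheme.lower()


def is_safe_redirect(target: str) -> bool:
    """Allow-list check: accept only absolute http(s) URLs with a host.
    data:, javascript:, relative paths and empty strings are all rejected."""
    parts = urlsplit(target.strip())
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_continue_link(target: str) -> Optional[str]:
    """Build the 'Continue' anchor only for a vetted target. Escaping is still
    applied to the attribute value, but only after the scheme check, because
    escaping alone cannot fix a bad scheme."""
    if not is_safe_redirect(target):
        return None
    return '<a href="%s">Continue</a>' % html.escape(target, quote=True)


if __name__ == "__main__":
    escaped = lenient_sanitize(POST_PAYLOAD)
    print("after escaping, scheme is:", scheme_of(escaped))   # data
    print("allow-list accepts it:", is_safe_redirect(escaped))  # False
    print(render_continue_link("https://example.com/?a=1&b=2"))
```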
So simple and effective. I reported this issue after the URL redirection had been fixed (making it impossible to verify the XSS), but Facebook security was kind enough to understand the impact this could have had, reconsider the first bounty as three types of injection in one parameter (XSS, redirection, linkshim evasion) and raise the bounty to 7500$.
I would like to thank Facebook for the generous amount and for launching the white hat program.
Watch out for XSS on redirections; it is likely to occur there.