bugbounty

Facebook Bug Bounty 2014, Reflected XSS and Filter Evasion worth 7500$

6:04 AM


This is the second part of the series on how I found an XSS in Facebook. I wrote about the first
bug here. It was a Linkshim evasion and URL redirection bug. I used “../http://site.com” in the
continue parameter for redirection, bypassing the Linkshim, and I explained how there.

After Facebook triaged my bug, promised me a 1000$ bounty and fixed the issue, I
realized something. The bug could have been a cross-site scripting issue. How? Well, I don't
know how the hell I missed this in the first place, but when you give Linkshim “../http://site.com”
to sanitize, the parameter renders the following code (first bug):

<a href="http://site.com">Continue</a>

You know what that means, if I gave it:

“../data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K#” it will become:

<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K#">

For those of you who can’t do base64 decode in your head, that is equivalent to
<script>alert("XSS");</script>, and I put the hash (#) behind it to make sure the other parameters
following it are ignored and not treated as part of the Base64.

Or simply by giving the parameter “../javascript:alert(0);//”, which will create the code

<a href="javascript:alert(0);//">Continue</a>

The above href attribute is properly sanitized and converted into entities. But since both the functions
htmlentities() and htmlspecialchars() don’t filter the above payload, it was possible to execute a
reflected XSS when a user clicked the Continue button. And the final payload would look
something like

https://m.facebook.com/feed_menu/?story_fbid=808015282566492&id=100000740832129&confirm=h&continue=../javascript:alert(0);&perm&no_fw=1&_rdr

Makes me wonder what I can do with it, stil da qawkies? Lmao.

So simple and yet effective. I reported this after the URL redirection had been fixed (making it
impossible to verify the XSS), but FB security was kind enough to understand the issue this
could’ve caused, reconsider the first bounty as 2 types of injection in one parameter
(XSS, Open Redirection / Linkshim Evade) and raise the bounty up to 7500$.


I would like to thank Facebook for the generous amount and for launching the white hat program.

Conclusion

Watch out for XSS on redirection.
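
A defensive take on the lesson above, as an added example that is not part of the original post and not Facebook's code: a validator for a continue-style parameter that resolves the value against a fixed base, requires a same-origin https result, rejects scheme-like tokens left in the path, and only then entity-encodes the result for the href. BASE, FALLBACK and the function names are assumptions made for illustration.

```javascript
// Added example. BASE and FALLBACK are hypothetical values, not Facebook's.
const BASE = 'https://m.example.com/feed_menu/';
const FALLBACK = 'https://m.example.com/home.php';

// Entity-encode for an HTML attribute. This stops attribute breakout only;
// it does nothing about the URL scheme, which is the gap the post describes.
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Return an absolute same-origin https URL, or FALLBACK.
function safeContinue(raw, base = BASE) {
  if (typeof raw !== 'string' || raw === '') return FALLBACK;
  // Whitespace, control characters and backslashes are normalised
  // inconsistently by browsers, so refuse them outright.
  if (/[\u0000-\u0020\u007f\\]/.test(raw)) return FALLBACK;
  let url, path;
  try {
    url = new URL(raw, base);                 // resolves "../" as a browser would
    path = decodeURIComponent(url.pathname);  // catch %3A-style encodings too
  } catch {
    return FALLBACK;
  }
  if (url.protocol !== 'https:' || url.origin !== new URL(base).origin) return FALLBACK;
  // "../http://site.com" resolves to the same-origin path "/http://site.com".
  // Reject a scheme-like token inside the path so a later prefix-stripping
  // step cannot turn it back into an absolute, javascript: or data: URL.
  if (/[a-z][a-z0-9+.-]*:/i.test(path)) return FALLBACK;
  return url.href; // absolute form: a "//host" path cannot become scheme-relative
}

function renderContinueLink(raw) {
  return `<a href="${escapeAttr(safeContinue(raw))}">Continue</a>`;
}
```

The embedded-scheme check is deliberately strict and will also refuse legitimate paths that contain a colon; an exact allowlist of known continue targets is tighter still where the set is small.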





Facebook Bug Bounty 2014: Linkshim Evasion and URL Redirection

11:22 AM

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

An unaware user can be tricked by attackers into visiting a malware site or a phishing site and be hit by various types of attacks, potentially leading to complete system compromise. This is caused by improperly sanitized redirect scripts or similar cases. Such attacks can be classified in many ways, and some have been found on huge social media sites like Facebook.

Recently I was browsing through Facebook mobile (m.facebook.com) and I found a notification that a friend tagged me in a post… well, the post wasn’t that interesting so I decided to hide it. When clicking on hide I noticed the URL contained a parameter called ‘continue’ followed by stories.php:



https://m.facebook.com/feed_menu/?story_fbid=808015282566492&id=100000740832129&confirm=h&continue=stories.php&perm&no_fw=1&_rdr

So I figured that could lead to a URL redirection if I changed the continue parameter to something like http://evilzone.org, but the Linkshim was rechecking and returning it back to m.facebook.com/http://evilzone.org, so the redirection wasn’t successful. But then I noticed that the parameter can be tricked using path traversal tricks like ../

So when I gave the url parameter something like &continue=../http://evilzone.org I was able to bypass the Linkshim and get a successful redirection to Evilzone.org (which by the way is a blocked link by Facebook).
So the full parameter for redirection including the Linkshim evasion was:

https://m.facebook.com/feed_menu/?story_fbid=808015282566492&id=100000740832129&confirm=h&continue=../http://evilzone.org&perm&no_fw=1&_rdr

And none of the other parameters needs to be accurate; the story_fbid and id parameters can be any number, so we don’t need the victim’s special parameters to execute the redirection.


Now the issue has been fixed and Facebook has promised to reward me with 1000$USD for this bug. I would like to thank the Facebook Security Team so much for their cool support and generous amount.