Friday 15 May 2015


Today, I’m going to share a few of my favorite Stored XSS findings in Facebook (Facebook Chat, Facebook Check-In, Facebook Messenger). These findings are almost always interesting if you happen to find them in the right location.
For instance, what would happen if a malicious Stored XSS payload ran on the victim every time they checked in? You could also inject the payload into the Facebook Chat screen, which could be really interesting.
There are essentially two different ways to exploit Stored XSS issues:
1. Let the victim visit our stored XSS payload (Facebook Check-In, Facebook Messenger, Facebook Chat) on their own.
2. Exploit it with the URL plus the stored XSS data.
I wanted to locate an interesting spot within Facebook that would run the data on the victim each time they visited one of my places. I could also just run it through Facebook Chat.
This post will talk a lot about Stored XSS in Facebook Chat, Check-In and Facebook Messenger (Windows version).
The vulnerabilities mentioned here have been confirmed patched by the Facebook Security Team.
Bug 1: Stored XSS in Facebook Chat
When a user starts a new message within Facebook that has a link inside, a preview GUI shows up for that post. The GUI is used for presenting the link post. For this action, Facebook adds extra parameters to the “post message” request.
[Screenshot: link preview GUI]
I found an interesting parameter that looked like this:
attachment[params][title],attachment[params][urlInfo][final]
[Screenshot: attachment parameters in the Facebook Chat request]
I noticed that Facebook does not verify whether or not the attachment[params][urlInfo][final] parameter is a legitimate link (http, https). So, it’s relatively easy for an attacker to alter those parameters to turn them into a malicious request.
For instance:
attachment[params][title]=PoC Click Me&attachment[params][urlInfo][final]=javascript:alert(6)
Facebook later takes those parameters and inserts them into the href attribute of an anchor tag:
<a href="javascript:alert(6)">PoC Click Me</a>
Each time the victim clicks on this malicious message in Facebook Chat, the Stored XSS will begin to run on their client.
[Screenshot: Stored XSS firing in Facebook Chat]
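The root cause above is that the value of urlInfo[final] reaches an href attribute without any scheme check. The following is an added example (not code from the original post or from Facebook) showing the unsafe rendering beside a hardened version; the object keys title and urlInfoFinal, and the function names, are assumptions made for illustration.

```javascript
// Link-preview renderer for a chat attachment. Added example, not Facebook's
// code: the request parameters attachment[params][title] and
// attachment[params][urlInfo][final] are modelled as params.title and
// params.urlInfoFinal (assumed names).

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Behaviour described in the post: the "final" URL is dropped straight into
// href, so a javascript: URL survives into the stored chat message.
function renderPreviewUnsafe(params) {
  return `<a href="${params.urlInfoFinal}">${params.title}</a>`;
}

// Escape text for use in an HTML text node or a double-quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Return the normalised absolute URL if its scheme is allowlisted, else null.
// Using the WHATWG URL parser instead of a startsWith() check matters: the
// parser strips leading whitespace, removes embedded tabs/newlines and
// lowercases the scheme, so " JAVAscript:" and "java\tscript:" both still
// resolve to protocol "javascript:" and are rejected here.
function safeHref(raw) {
  let url;
  try {
    url = new URL(raw); // relative or malformed input throws -> rejected
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Hardened renderer: a link that fails the allowlist degrades to escaped
// plain text and never becomes an <a> element.
function renderPreview(params) {
  const href = safeHref(params.urlInfoFinal);
  const title = escapeHtml(params.title);
  if (href === null) return `<span>${title}</span>`;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${title}</a>`;
}
```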


Courtesy: breaksec
