Thursday, 10 October 2013

A story about XSS on Facebook

I found an interesting tool on Facebook: Graph API Explorer. It is a tool for working with the Facebook Graph API: you can read or post data to Facebook, test permissions, and so on. What it actually does:
It makes a JSONP request to with some callback to include the JSON data in the page. Of course, at first I tried to inject the callback parameter into the request, but unsuccessfully. After lots of attempts to inject something, I found an interesting script that exists on every (or almost every) Facebook domain: login.php, which allows us to redirect to any * page. At first I tried to redirect to and it worked! I got an alert with the text [object Object]. Great!
But of course that is not enough for me until I can run arbitrary code. Now I just need to find any place on * where I can store my evil code. My first try was to send a file to another user via Facebook messages. All I did was send an evil.txt file with malicious code and change its content-type to text/javascript. After that the file is available at <ID>&mid=<MID>&hash=<HASH>
This file is available only to the receiver of the message, but we can make a valid GIF which also contains JavaScript code (thanks to @isciurus), send it to the victim, get a link to the malicious file, and use it for the exploit. The victim will get our image and click on it, and because of the "Content-Disposition" header it will be saved on their computer and behave like a normal GIF image. So, nothing suspicious. Anyway, I bet there are lots of places where we can store our payload on *. OK, let's try to execute our code. Trying... and failed. There is a "Content-Security-Policy" header which disallows running this code. Seems like I should find another place to store my code... But wait! Internet Explorer ignores this header because it requires the "X-Content-Security-Policy" header. So I checked it in IE10 and it worked great.
<ID>%2526mid%253d<MID>%2526hash%253d<HASH>
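As an added example (my own code, not from this post or from Facebook), here are the two server-side checks this story turns on: restricting a JSONP callback name to a plain identifier, and auditing a response whose CSP is sent only under the standard header name, which IE10 of that era ignored in favour of X-Content-Security-Policy. All header values below are constructed samples.

```python
import re

# A callback may only be an identifier-style name (dots allowed for
# namespaces), so "alert(1)//" can never be reflected into a JSONP wrapper.
_CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*")


def safe_jsonp_callback(name, max_len=64):
    """Return True only for callback names that are safe to echo back."""
    return 0 < len(name) <= max_len and _CALLBACK_RE.fullmatch(name) is not None


def audit_csp_headers(headers):
    """Return a list of gaps that would let stored script run despite a CSP.

    Header names are matched case-insensitively; an empty list means no gap.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    legacy = h.get("x-content-security-policy")
    if csp is None:
        findings.append("no Content-Security-Policy header")
    elif legacy is None:
        # IE10 honoured only the X- prefixed header, so a policy sent under
        # the standard name alone was silently ignored there.
        findings.append("Content-Security-Policy set but X-Content-Security-Policy missing")
    elif legacy.strip() != csp.strip():
        findings.append("standard and X- prefixed CSP headers differ")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        # Without nosniff a browser may run a file served as text/plain or an
        # image type when a page references it via <script src>.
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


# Constructed sample responses, not captured from any real site.
SAMPLE_RESPONSES = {
    "standard-only": {"Content-Security-Policy": "default-src 'self'"},
    "hardened": {
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
    },
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, audit_csp_headers(hdrs) or "ok")
```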
I got XSS, a reward, lots of fun and of course made a cool screenshot ;) Video of exploitation:
