Syntax Highlighting

четверг, 10 октября 2013 г.

A story about XSS on Facebook

I found one interesting tool on facebook - Graph API Explorer. It's a tool to work with Facebook Graph API. You can read or post data to Facebook using this tool, test permissions and so on. What it actually does:
Make JSONP request to graph.facebook.com with some callback to include this JSON data to page. Of course, at first i tried to include callback parameter to request, but unsuccessefully. After lots of trying to inject something i found interesting script that exists on every (or almost every) facebook domain. It's the login.php which allows us to redirect on any *.facebook.com page. At first i tried to make redirect on http://graph.facebook.com/me?callback=alert and it worked! I got alert with [Object object] text. Great!
https://developers.facebook.com/tools/explorer?method=GET&path=login.php?next%3dhttps%253a//graph.facebook.com/me%253fcallback%253dalert
But of course it's not enough for me, until i can run every code. Now i just need to find any place on *.facebook.com where i can store my evil code. My first try was to send file to another user via facebook messages. All i did - just sent evil.txt file with malicious code and changed its content-type to text/javascript. After that this file will be available at
https://www.facebook.com/ajax/messaging/attachment.php?attach_id=<ID>&mid=<MID>&hash=<HASH>
This file available only for receiver of the message, but we can make correct GIF which contains Javascript code (thanks to @isciurus http://isciurus.blogspot.ru/2013/04/a-story-of-9500-bug-in-facebook-oauth-20.html), send it to victim, get a link to malicious file, and use it for exploit. Victim will get our image, click on it, and because of "Content-Disposition" header it will be saved on his computer, and will behave like a normal GIF image. So, nothing suspicious. Anymore i bet there is lots of places where we can store our payload on *.facebook.com. Ok, lets try to execute our code. Trying... And failed. There is "content-security-policy" header, which disallows us to run this code. Seems like i should find another place to store my code... But wait! Internet Explorer ignores this header because it requires "x-content-security-policy header". So, checked it in IE10 and it worked great.
https://developers.facebook.com/tools/explorer?method=GET&path=login.php?next%3dhttps://www.facebook.com/ajax/messaging/attachment.php%253fattach_id%253d<ID>%2526mid%253d<MID>%2526hash%253d<HASH>
I got XSS, reward, lots of fun and of course made cool screenshot ;) Video of exploitation:


2 комментария: