Another Stored XSS in Facebook.com, Another 3500$ Bounty
Hi,
I want to share my Stored XSS finding in facebook.com.
First of all, I must mention that discovering Stored XSS issues in facebook.com is quite rare these days.
For a start I would like to present the steps I took to make this Stored XSS work.
Currently, if you try to create a page (facebook.com/pages/create.php) with a malicious Page Name (a JavaScript payload), you get blocked by an automated system.
(I'm "sure" there might be a bypass; I didn't spend time testing it yet.)
1. I was able to use another feature to bypass that protection and change the page title anyway, by using the Facebook API for updating Page attributes (https://developers.facebook.com/docs/reference/api/page/#page_access_tokens). (The Pages API is just a hint :))
In this case, I changed my Page Title to the "malicious" JavaScript payload: <img src="xx.jpg"onerror=alert(6)>
2. In Facebook Pages, you can add an application to your Page using the "Adding to a Page" box.
When you add a tab to your page, Facebook displays the pages you own/manage, listed by the title of each page.
Because Facebook didn't filter the Page Title there, the stored payload executed in that list: a Stored XSS.
At this point it looks like only a self Stored XSS, but in Facebook Pages you can use the Admin Roles settings to add admins to your Page.
So I added the victim as an administrator of my "malicious page". The victim didn't need to accept this admin request; they are added to the Page automatically. Now I was able to exploit this XSS by sending a single link to the victim: https://www.facebook.com/add.
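The steps above, re-created as an added example that is not code from the original post or from Facebook: a toy model of the bug class, in which two entry points write the same page-name field but only one of them validates it, and the "add tab to page" picker then renders the stored name straight into HTML. The fix shown beside it is output encoding at render time, which holds no matter which route stored the value. The function names, the in-memory store and the sample pages are assumptions; the payload is the one from the write-up.

```javascript
// Added example, not from the original post or from Facebook. Toy model of the
// bug class described above: a filter on one write path, none on the other, and
// a render step that trusts the stored value. Function names, the store and the
// sample pages are assumptions.

// The exact payload from the write-up. There is deliberately no space between the
// quoted src value and onerror: the HTML tokenizer accepts a new attribute name
// directly after a closing quote, so it still parses as two attributes.
const STORED_PAYLOAD = '<img src="xx.jpg"onerror=alert(6)>';

// Entry point 1: the create form. Rejects names containing markup, standing in for
// the automated block the write-up describes on pages/create.php.
function createPage(store, id, name) {
  if (/[<>]/.test(name)) throw new Error('blocked: markup in page name');
  store.set(id, { id, name });
  return store.get(id);
}

// Entry point 2: the update API. Same field, no check. This is the bypass: the
// filter lives on one route instead of on the field itself.
function apiUpdatePageName(store, id, name) {
  const page = store.get(id);
  if (!page) throw new Error('no such page');
  page.name = name;
  return page;
}

// Vulnerable render: the stored title is concatenated straight into markup, the
// innerHTML-style pattern that makes the picker execute the title.
function renderPickerUnsafe(pages) {
  return pages.map((p) => `<li data-id="${p.id}">${p.name}</li>`).join('\n');
}

// Hardened render: every untrusted value is HTML-escaped for the context it lands
// in. Quotes are escaped too because data-id sits inside a double-quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderPickerSafe(pages) {
  return pages
    .map((p) => `<li data-id="${escapeHtml(p.id)}">${escapeHtml(p.name)}</li>`)
    .join('\n');
}

// Crude stand-in for "would a browser build an <img> element carrying an onerror
// handler from this markup": a real check would parse with a DOM, but a tag start
// followed by an onerror attribute is enough to tell the two renders apart here.
function containsEventHandlerTag(html) {
  return /<img\b[^>]*\bonerror\s*=/i.test(html);
}

// Walks the steps from the write-up: blocked on create, set through the API,
// then rendered by the picker both ways.
function runScenario() {
  const store = new Map();
  createPage(store, '1001', 'Nir Test Page');

  let createBlocked = false;
  try {
    createPage(store, '1002', STORED_PAYLOAD);
  } catch (e) {
    createBlocked = true;
  }

  // Create with a harmless name, then rename through the unchecked API.
  createPage(store, '1002', 'placeholder');
  apiUpdatePageName(store, '1002', STORED_PAYLOAD);

  const managed = [...store.values()];
  const unsafe = renderPickerUnsafe(managed);
  const safe = renderPickerSafe(managed);
  return {
    createBlocked,
    unsafeFires: containsEventHandlerTag(unsafe),
    safeFires: containsEventHandlerTag(safe),
    unsafe,
    safe,
  };
}

console.log(runScenario());
```

The point the scenario makes is the one the write-up turns on: the create-form block is a route-level input filter, so any second writer of the same field (here the update API) bypasses it, while escaping at the render step protects the picker regardless of how the title got into storage.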
1 comment:
And Another classic bug by Nir :)
Great Job!