[#] Title: Javascript injection on Facebook
[#] Status: Fixed
[#] Severity: Medium
[#] Author: Manjesh S
[#] Twitter: @Manjesh24
Description:
The bug was in Facebook badges. It was a self-stored injection, and the injected value was limited to only 10 characters.
I could not find any JavaScript XSS payload that fits within 10 characters, and this was the main problem I had.
When I sent a request with just the text: Manjesh
I got the output: <div class="badge_holder bh_Manjesh">
This is it!! I was able to inject something into a DIV tag, inside its class attribute..
So let's check out how I did it!!
Steps to Reproduce:
Go to https://www.facebook.com/badges/profile.php?creating, click Save and modify the POST request.
For example: "><b>M</b>
The parameter "layout" is not filtered at all, so put a small JavaScript payload or any HTML payload there. After submitting it, the injected payload is rendered by the browser ;)
Even though I was not able to get XSS, I reported this as an XSS/self-stored HTML injection, and this was the reply from Facebook:
So it was partially rejected: HTML injection is out of scope, and I had no proof that XSS was possible..
So what can be done with just a 10-character injection?? No XSS possible??
In the end I did not find any XSS within 10 chars, but I came up with a logical idea :D
If I could inject <noscript>, I could hide all the badges that were created, but <noscript> did not work; "><script> worked instead!!
So here is my logical report:
So let's assume USER-A's account is hacked by USER-B.
USER-B goes to https://www.facebook.com/
and checks the email, mobile no. etc..
and gets the link,
the link would be like:
https://www.facebook.com/
USER-B will be able to get the email, mobile no. etc.. with this link remotely.
So USER-A will recover the account with forgot password, and USER-A
will change all his email, mobile no. etc..
Now USER-B can get the changed email, mobile no. with the link
https://www.facebook.com/
Yes, this link will not work if the badge is deleted, but if we create a
badge by sending the POST request as described with this payload:
"><script>
it will be invisible to USER-A, because the browser treats everything after an unclosed <script> tag as script text rather than markup; he will never get to know that the
badge is leaking all his private data..
USER-A also won't be able to delete the badge, as he won't
know there is a hidden badge even when he goes to https://www.facebook.com/
This bug got accepted by Facebook and was fixed very quickly :D
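The following is an added example, not code from the original post or from Facebook. It is a small JavaScript model of the badge template from the reproduction steps above and of the browser parsing rule that the "><script> trick in the report relies on. The function names, the page layout, the badge text and the hardened renderer are assumptions; the only things taken from the post are the emitted tag <div class="badge_holder bh_..."> and the 10-character limit.

```javascript
// Added example (not from the original post): a model of the badge template
// and of the HTML parsing rule behind the "><script> trick. Function names,
// page layout and sample inputs are constructed for this demo.

// Reconstruction (assumed) of the vulnerable behaviour the post describes:
// the "layout" value is concatenated straight into the class attribute.
function renderBadgeVulnerable(layout) {
  return '<div class="badge_holder bh_' + layout + '">badge content</div>';
}

// Hardened variant: enforce the 10-character limit on the server side and
// HTML-escape the value before it lands inside a quoted attribute.
function escapeAttr(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function renderBadgeHardened(layout) {
  if (layout.length > 10) throw new Error('layout exceeds 10 characters');
  return '<div class="badge_holder bh_' + escapeAttr(layout) + '">badge content</div>';
}

// A page with several badges, the way a profile's badge list would render them.
function renderPage(renderBadge, layouts) {
  return '<body>\n' + layouts.map(renderBadge).join('\n') + '\n</body>';
}

// Model of the one tokenizer rule that matters here: after an opening <script>
// tag the parser is in "script data" state and treats everything up to the next
// </script> (or the end of the document) as raw text, never as markup.
// Returns the class attribute of every badge <div> that survives as an element.
function parseBadgeClasses(html) {
  const classes = [];
  let pos = 0;
  while (pos < html.length) {
    const divAt = html.indexOf('<div class="badge_holder', pos);
    const scriptAt = html.indexOf('<script', pos);
    if (divAt === -1 && scriptAt === -1) break;
    if (scriptAt !== -1 && (divAt === -1 || scriptAt < divAt)) {
      const close = html.indexOf('</script', scriptAt);
      if (close === -1) break; // unterminated <script>: the rest of the page is swallowed
      pos = close + '</script'.length;
    } else {
      const m = /^<div class="([^"]*)"/.exec(html.slice(divAt));
      classes.push(m[1]);
      pos = divAt + 1;
    }
  }
  return classes;
}

const PAYLOAD = '"><script>';                 // exactly 10 characters, as in the post
const LAYOUTS = [PAYLOAD, 'Manjesh', 'Test']; // constructed sample badge values

// Compare what the parser keeps from the vulnerable and the hardened page.
function demo() {
  return {
    payloadLength: PAYLOAD.length,
    vulnerable: parseBadgeClasses(renderPage(renderBadgeVulnerable, LAYOUTS)),
    hardened: parseBadgeClasses(renderPage(renderBadgeHardened, LAYOUTS)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node. In the vulnerable page only one truncated badge element survives and everything after the injected badge, including the later badges, becomes script text; in the hardened page all three badges survive and the payload sits harmlessly inside the class attribute as entities. Two caveats worth keeping in mind: an unterminated <script> only swallows markup up to the next </script> in the document, so what actually disappears depends on where the badge list sits relative to other scripts on the page; and <noscript> is already 10 characters on its own, leaving no room for the "> needed to break out of the attribute value.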