Thursday, January 3, 2013

Another Stored XSS in Facebook, Another $3500 Bounty


I want to share my Stored XSS finding in Facebook.

First of all, I must mention that discovering Stored XSS issues in Facebook is quite rare these days.
To begin, I would like to present the steps I took to make this Stored XSS work.
Currently, if you try to open a page with a malicious Page Name (a JavaScript payload), you get blocked by an automated system:

(I'm "sure" there might be a bypass; I didn't spend time testing it yet.)

1. I was able to use another feature to bypass that protection and change the Page Title by using the Facebook API for updating page attributes (the Pages API is just a hint :)). The automated check only guards the page-creation form; the API path did not apply it.
In this case, I changed my Page Title to a "malicious" JavaScript payload: <img src="xx.jpg"onerror=alert(6)>

2. In Facebook Pages, you can add an application to your Page by using the "Add to a Page" box:

When you add a tab to your Page, Facebook displays the pages you own or manage, listed by the title of each page.

As a result, I was able to execute a Stored XSS: Facebook did not filter or encode the Page Title when rendering that list, so the stored payload was interpreted as HTML.

At this point it seems to be only a self Stored XSS. However, in Facebook Pages you can use the Admin Roles settings to add admins to your Page.
In this situation, I added the victim as an administrator of my "malicious page". The victim did not need to accept the admin request; they were added to my Page automatically. So now I was able to exploit this XSS by sending a single link to the victim.
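As an added illustration (not code from the original post, and not Facebook's code), the following JavaScript models the two weaknesses the steps above describe: the automated check guards only the page-creation form while the API path is unchecked, and the "Add to a Page" box interpolates the stored title straight into HTML without encoding. The in-memory page store, the blocking regex, the dialog markup and the function names are assumptions made for the example; the payload is the one from step 1.

```javascript
// Added example, not the post's or Facebook's code. Models the two defects the
// write-up describes: a name filter applied at only one entry point, and a
// rendering step that interpolates stored titles into HTML unencoded.

// The payload quoted in the post; the attribute run-on works without spaces.
const PAYLOAD = '<img src="xx.jpg"onerror=alert(6)>';

// Assumed stand-in for the automated check on the page-creation form.
// It guards this one entry point only.
function formCreatePage(store, name) {
  if (/<\s*(script|img|svg|iframe)/i.test(name)) {
    return { ok: false, reason: 'blocked by automated system' };
  }
  store.push({ id: store.length + 1, name });
  return { ok: true };
}

// Assumed stand-in for the API path used in step 1: same data store,
// no equivalent check, so the payload lands in the stored title.
function apiUpdatePageName(store, id, name) {
  const page = store.find(p => p.id === id);
  if (!page) return { ok: false, reason: 'no such page' };
  page.name = name;
  return { ok: true };
}

// Vulnerable rendering of the "Add to a Page" list: the title goes into the
// markup via string concatenation, so a stored payload becomes live HTML.
function renderAddToPageBoxVulnerable(pages) {
  return '<select name="target_page">' +
    pages.map(p => `<option value="${p.id}">${p.name}</option>`).join('') +
    '</select>';
}

// Hardened rendering: contextual output encoding applied at render time,
// regardless of which entry point wrote the title. Escapes the characters
// that matter in HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderAddToPageBoxSafe(pages) {
  return '<select name="target_page">' +
    pages.map(p =>
      `<option value="${escapeHtml(p.id)}">${escapeHtml(p.name)}</option>`
    ).join('') +
    '</select>';
}

// Walks through the scenario from the post against the constructed store:
// the form blocks the payload, the API accepts it, and only the encoded
// renderer keeps it inert.
function runScenario() {
  const store = [];
  const viaForm = formCreatePage(store, PAYLOAD);       // blocked
  formCreatePage(store, 'My Harmless Page');           // becomes id 1
  const viaApi = apiUpdatePageName(store, 1, PAYLOAD); // accepted
  return {
    formBlocked: !viaForm.ok,
    apiAccepted: viaApi.ok,
    vulnerableHtml: renderAddToPageBoxVulnerable(store),
    safeHtml: renderAddToPageBoxSafe(store),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runScenario());
}
```

The point of the contrast is that the input-side block, however good, protects only the code path it is wired into; encoding the title where it is rendered closes the bug for every path that can write it, including ones added later.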

PoC Image:

PoC Video



Prakhar Prasad said...

And another classic bug by Nir :)

Great job!
