Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Facebook DOM Based XSS using PostMessage- 308

Samm0uda, posted 5 years ago
  • This exploit revolves around TWO bugs in Facebook. By using this, it is possible to get XSS on the Facebook domain.
  • The first vulnerability (and an odd one at that) was an arbitrary postMessage request on the Facebook domain. Why is this bad?
  • postMessage is a browser API that lets pages on different origins communicate. The recommended security precaution is for the receiving page to validate the origin of each incoming message, which ensures that a malicious website cannot alter the state of another site.
  • Because the receiving side is assumed to have this protection (only accepting messages from the correct origin), an arbitrary postMessage from Facebook does not bear fruit by itself, but it can be one link in a chain.
  • From this bug, the author found DOM based XSS on multiple pages, although only a single one is shown in the write-up. The interesting thing to note is that the event listener accepted a link from the message and added it to a form without validating the type of link being used, so a javascript: URI could be supplied.
  • The attack works in the following way:
    1. Visit the malicious website.
    2. Load https://www.facebook.com/platform/page_proxy.
    3. Load the page with the arbitrary postMessage in another tab, and use that bug to send the crafted message to the page_proxy tab opened in step 2.
    4. Now, we have XSS on Facebook! The author mentions that the POC they sent in would steal a first party access token.
  • Awesome bug. The researcher got paid 25K from Facebook! For future reference, this website has a BUNCH of great articles and research.
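The two weaknesses described above (no origin check on the message, no scheme check on the link it carries) side by side with the hardened form, as an added example that is not code from the original write-up or from Facebook. The trusted origin and the form field name are assumptions.

```javascript
// Added example, not from the original post. Models a message listener that
// takes a link out of a postMessage payload and writes it into a form.

// Assumption: the only origin allowed to send us links.
const TRUSTED_ORIGINS = new Set(['https://www.example-trusted.com']);

// Unsafe variant: trusts any sender and any URL scheme, so a javascript:
// URL from a hostile page lands in the form unchanged (the DOM XSS sink).
function unsafeLinkFromMessage(event) {
  return event.data && event.data.link ? String(event.data.link) : null;
}

// Hardened variant: returns the link only if (1) the message came from an
// expected origin and (2) the link parses as an absolute http(s) URL.
function safeLinkFromMessage(event, trustedOrigins = TRUSTED_ORIGINS) {
  if (!trustedOrigins.has(event.origin)) return null;      // fix 1: origin check
  const raw = event.data && event.data.link;
  if (typeof raw !== 'string') return null;
  let url;
  try {
    url = new URL(raw);                                      // rejects relative/garbage input
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null; // fix 2: scheme allowlist
  return url.href;
}

// Browser wiring; the helpers above are pure so they can be tested without a DOM.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const link = safeLinkFromMessage(event);
    if (link === null) return;
    const input = document.querySelector('input[name="link"]'); // assumed field
    if (input) input.value = link;
  });
}
```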