Greetings readers, I found a critical bug on investor[dot]fb[dot]com. The risk severity is medium and it is hard to exploit remotely, but it is still a security bug. Yes, I'm talking about a cross-site scripting vulnerability via the User-Agent header on one of the subdomains of fb.com. As an information security researcher with a whitehat mindset, I reported it to Facebook so that they could fix the issue, but the response I got was that this is not an issue for them. Finally I asked them about publishing a writeup on this bug, and it seems they don't care about it.
Whatever, let me explain this bug. As all of you know, the browser always sends a User-Agent header with each HTTP request, and the user can change it by intercepting the request or via some plugins; I'm a fan of "Tamper Data", a Firefox plugin that lets the user intercept requests easily. When I was trying to find some bugs on investor.fb.com, I found the link investor.fb.com/alerts.cfm, which contains a form with some checkboxes that is submitted with the POST method. First I ticked a checkbox and submitted the data by clicking the continue button; at the same time I intercepted the request and changed the value of the checkbox, i.e. to a double quote, and got this error message:
If you look at this error message, you will notice it contains the User-Agent. So suddenly an idea struck me, and I changed the User-Agent to an XSS payload. After that, the XSS payload, i.e. User-Agent: <img src=x onerror=prompt(document.domain);>, takes the place of the user-agent in the error message and pops up a JavaScript prompt.
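To make the mechanism concrete from the fixing side, here is an added example (not code from the original post, and not the real alerts.cfm page, which is a ColdFusion script I never saw the source of). It assumes, as a hypothetical, that the error page is built by interpolating the raw User-Agent header into an HTML template. The vulnerable renderer and its hardened twin sit side by side, and a minimal handler shows the hardened form wired to a request; the payload string is the one quoted above.

```python
import html
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values: the payload quoted in the post and an ordinary UA.
PAYLOAD_UA = "<img src=x onerror=prompt(document.domain);>"
NORMAL_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"

# Hypothetical error template; the real page's markup is not on the post.
ERROR_TEMPLATE = """<html><body>
<h1>Form processing error</h1>
<p>Invalid value supplied. Request details:</p>
<pre>User-Agent: {ua}</pre>
</body></html>"""


def render_error_vulnerable(user_agent: str) -> str:
    """Mirror of the bug described in the post: the header is interpolated raw,
    so any markup inside it becomes live markup in the page."""
    return ERROR_TEMPLATE.format(ua=user_agent)


def render_error_safe(user_agent: str) -> str:
    """Hardened form: HTML-escape the untrusted header before it reaches the page.
    quote=True also escapes quotes, so the value stays safe inside attributes."""
    return ERROR_TEMPLATE.format(ua=html.escape(user_agent, quote=True))


def contains_live_tag(rendered: str, tag: str = "<img") -> bool:
    """Does an unescaped tag survive in the rendered output?"""
    return tag in rendered


class DemoHandler(BaseHTTPRequestHandler):
    """Minimal hypothetical handler: every POST is answered with the hardened
    error page, so a crafted User-Agent is shown as text, not executed."""

    def do_POST(self):
        body = render_error_safe(self.headers.get("User-Agent", ""))
        data = body.encode("utf-8")
        self.send_response(HTTPStatus.BAD_REQUEST)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Local demo only; never started when the module is imported.
    HTTPServer(("127.0.0.1", 8080), DemoHandler).serve_forever()
```

The point of the pair is that the fix does not live in input validation of the form fields the user was editing; the header is just another untrusted input, and output encoding at the point where it is written into HTML is what neutralises it.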
Now let's discuss the risk severity of XSS in the User-Agent. This kind of bug is not easy to exploit remotely; some advanced methods allow exploiting this vulnerability, but otherwise it is a self-XSS. In normal cases only the client can trigger this kind of bug on their own system, and I think nobody, not even a newbie, is going to change their User-Agent for you. Then I found a very informative article on the internet that shows a fabulous way of triggering User-Agent XSS: http://websecurity.com.ua/5195/
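Because a User-Agent injection leaves an unusual value in the web server's access log, it is also easy to spot after the fact. The following is an added detection example, not part of the original post; it assumes the server writes the common "combined" log format (Apache or nginx style) with the User-Agent as the last quoted field, and the log lines are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Combined log format: the User-Agent is the final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers that have no business in a legitimate User-Agent value:
# an opening tag, an inline event handler, a javascript: URL, or a closing tag.
SUSPICIOUS_UA = re.compile(r"<\s*\w|\bon\w+\s*=|javascript:|</", re.IGNORECASE)


@dataclass
class Hit:
    ip: str
    ts: str
    req: str
    ua: str


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_ua_injection(lines: List[str]) -> List[Hit]:
    """Return every parsed entry whose User-Agent carries markup-like content."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if SUSPICIOUS_UA.search(rec["ua"]):
            hits.append(Hit(rec["ip"], rec["ts"], rec["req"], rec["ua"]))
    return hits


# Constructed sample log; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
# and the timestamps are invented. The second entry carries the payload from the post.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Oct/2013:13:55:36 +0000] "POST /alerts.cfm HTTP/1.1" 200 512 '
    '"https://investor.fb.com/alerts.cfm" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"',
    '203.0.113.7 - - [10/Oct/2013:13:57:01 +0000] "POST /alerts.cfm HTTP/1.1" 500 1043 '
    '"https://investor.fb.com/alerts.cfm" '
    '"<img src=x onerror=prompt(document.domain);>"',
    "not a log line at all",
]

if __name__ == "__main__":
    for hit in find_ua_injection(SAMPLE_LOG):
        print(f"{hit.ts} {hit.ip} {hit.req!r} suspicious UA: {hit.ua!r}")
```

The 500 status on the flagged line is the other useful signal: a request that both carries markup in its User-Agent and lands on an error page is exactly the path this post describes, and a rule combining the two keeps the noise from bots with odd but harmless User-Agents down.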
Disclaimer: This article is for education and knowledge purposes only.