Tuesday, 5 May 2015

Unpatched Facebook User-Agent Cross Site Scripting Vulnerability [Web]

Facebook Investor User Agent XSS

Greetings readers, I found one critical bug on investor[dot]fb[dot]com. The risk severity is medium and it is hard to exploit remotely, but it is still a security bug. Yes!! I'm talking about a User-Agent header cross-site scripting vulnerability on one of the subdomains of fb.com. As an information security researcher with a whitehat mindset, I reported it to Facebook so that they could fix the issue, but in response I was told this is not an issue for them. Finally I asked them if I could write up this bug, and it seems they don't care about it.
Whatever, let me explain this bug. As all of you know, the browser always sends a User-Agent header with every HTTP request, and a user can change it by intercepting the request or via some plugins. I'm a fan of "Tamper Data", a Firefox plugin that lets the user intercept and modify requests easily.
When I was trying to find some bugs on investor.fb.com, I found a page, investor.fb.com/alerts.cfm, that contains a form with some checkboxes and submits via POST. First I ticked a checkbox and submitted the form by clicking the continue button; at the same time I intercepted the request and changed the value of the checkbox parameter to a double quote, and got this error message:

[Screenshot: FB Investor User-Agent XSS, error message reflecting the User-Agent]
If you look at this error message, you will notice that it contains the User-Agent string. So a thought struck me, and I changed the User-Agent to an XSS payload. After that the payload, i.e. User-Agent: <img src=x onerror=prompt(document.domain);>, was reflected into the page in place of the User-Agent string, and the browser popped a JavaScript prompt. The root cause is the usual one: the header value (like the rejected checkbox value) is written into the error page without HTML encoding, so the fix is to encode every untrusted value before it lands in the HTML.

[Screenshot: FB Investor User-Agent XSS, prompt(document.domain) fired from the User-Agent payload]
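The behaviour described above, reproduced as an added example that is not code from the original post or from Facebook: a constructed stand-in server that echoes the User-Agent into an error page when the checkbox value contains a double quote (the vulnerable case), the same handler with HTML encoding applied (the fix), and a probe that replays the author's steps, a POST with a double quote in the field plus the payload in the User-Agent header, and reports whether the payload comes back unencoded. The path /alerts.cfm and the field name "alert" are assumptions; nothing here talks to investor.fb.com.

```python
"""Constructed simulation of a User-Agent reflection bug and a probe for it.
This is an added example, not the original page's or Facebook's code."""
import html
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# The payload the post describes, sent as the User-Agent header value.
PAYLOAD = '<img src=x onerror=prompt(document.domain);>'


def error_page_vulnerable(user_agent: str, bad_value: str) -> str:
    """Builds the error page the way the vulnerable endpoint is described to:
    the rejected value and the header value are dropped straight into HTML."""
    return ("<html><body><h1>Error</h1>"
            f"<p>Invalid value: {bad_value}</p>"
            f"<p>User-Agent: {user_agent}</p></body></html>")


def error_page_fixed(user_agent: str, bad_value: str) -> str:
    """Hardened version: html.escape() turns < > & \" ' into entities, so the
    browser renders the payload as text instead of parsing it as a tag."""
    return ("<html><body><h1>Error</h1>"
            f"<p>Invalid value: {html.escape(bad_value)}</p>"
            f"<p>User-Agent: {html.escape(user_agent)}</p></body></html>")


def make_handler(render):
    """Returns a request handler class whose error page is built by `render`."""

    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length", "0"))
            fields = parse_qs(self.rfile.read(length).decode())
            value = fields.get("alert", [""])[0]      # assumed field name
            user_agent = self.headers.get("User-Agent", "")
            if '"' in value:
                # A double quote in the checkbox value triggers the error page.
                body, status = render(user_agent, value), 500
            else:
                body, status = "<html><body>OK</body></html>", 200
            data = body.encode()
            self.send_response(status)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):
            pass  # keep the demo quiet

    return Handler


def probe(port: int, payload: str = PAYLOAD) -> bool:
    """Replays the author's steps against a local server and returns True
    when the payload is reflected unencoded, i.e. the page is vulnerable."""
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/alerts.cfm", body='alert="', headers={  # assumed path
        "User-Agent": payload,
        "Content-Type": "application/x-www-form-urlencoded",
    })
    response_body = conn.getresponse().read().decode()
    conn.close()
    return payload in response_body


def run_probe_against(render) -> bool:
    """Starts a throwaway server using `render`, probes it, and shuts it down."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(render))
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("vulnerable handler reflects payload:", run_probe_against(error_page_vulnerable))
    print("fixed handler reflects payload:", run_probe_against(error_page_fixed))
```

The probe is the check worth keeping: it looks for the exact payload string in the response, so an encoded reflection (`&lt;img ...&gt;`) counts as not vulnerable, which is what the fixed renderer produces.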

Now let's discuss the risk severity of XSS in the User-Agent header. This kind of bug is not easy to exploit remotely: unless some advanced method gets an attacker-chosen User-Agent into the victim's browser request, it is only self-XSS. In the normal case only the client can trigger it on their own system, and I think nobody, not even a newbie, is going to change their User-Agent for you. Then I found a very informative article on the internet that shows a fabulous way of triggering User-Agent XSS: http://websecurity.com.ua/5195/

Status: Reported [Unpatched]
Disclaimer: This article is only for education and knowledge purpose only.

