Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
only one backslash needed for facebook xss hole
Posted by: hc0de
Date: August 02, 2010 04:25PM

Has anybody realized it? When you search something on Facebook, Facebook sanitizes your search query/input only with addslashes (I think).

http://www.facebook.com/search/?q=<script>alert('XSS')</script>

If you go to this address, the source will contain your search input like this.
...
[null,null,null,null,null,null,null,null], null, \"<script>alert('XSS')<\\\/script>\"); ;"]
...


It seems it can't be exploited for now.

#{hc0d3}
~web : cbolat.blogspot.com
~twit : twitter.com/cnbrkbolat

Re: only one backslash needed for facebook xss hole
Posted by: theharmonyguy
Date: September 14, 2010 02:03PM

Keep in mind that the part of the source code you're looking at is already inside of a bunch of JavaScript - in fact, it's part of a string inside of a JSON assignment. The slashes before the quote marks prevent them from terminating the string and allowing injection of new scripts. Consequently, this wouldn't qualify as an XSS hole, even though the appearances of <> unencoded may make it look that way. All of the instances of your search that are rendered as part of the DOM are properly encoded.

(I know this is an older thread, but thought it was worth clarifying.)

Re: only one backslash needed for facebook xss hole
Posted by: thornmaker
Date: September 14, 2010 07:24PM

@theharmonyguy huh? why wouldn't it qualify as XSS? @hc0de is correct - if the forward slash wasn't escaped, this could be turned into a valid injection, regardless of how quotes are handled : </script><script>alert(0)</script>

Re: only one backslash needed for facebook xss hole
Posted by: theharmonyguy
Date: September 15, 2010 03:56PM

@thornmaker: Sorry, yes, I was focused more on the fact that the <script> tag isn't rendered as HTML... but you're right, if the three slashes weren't added, that would close off the script and you could insert HTML.

However, aren't those slashes enough? Since the forward slash is escaped, it still doesn't seem like an XSS issue...

Re: only one backslash needed for facebook xss hole
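Added example (not code from the thread or from Facebook): it shows why the escaped forward slash that thornmaker and theharmonyguy discuss matters when a JSON-encoded string is written into an inline script block, and how to check the rendered output. The function names and the sample search query are constructed for this illustration.

```javascript
// Constructed search input, modelled on the one quoted in the first post.
const query = "<script>alert('XSS')</script>";

// Naive embedding: JSON.stringify escapes quotes and backslashes, but not "/",
// so the literal "</script>" survives inside the JS string.
function naiveScriptBlock(q) {
  return "<script>var data = " + JSON.stringify({ q: q }) + ";</script>";
}

// Hardened embedding: also escape "/", "<" and ">" inside the JSON text.
// Escaping either "/" (as the thread's "<\/script>") or "<" alone is enough
// to keep "</script" out of the markup; both are shown for clarity.
function safeJsonForScript(obj) {
  return JSON.stringify(obj)
    .replace(/\//g, "\\/")
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e");
}

function safeScriptBlock(q) {
  return "<script>var data = " + safeJsonForScript({ q: q }) + ";</script>";
}

// Check: the HTML parser ends a script element at the first "</script"
// (case-insensitive) no matter what the surrounding JavaScript looks like.
// A correctly built block therefore contains exactly one such sequence.
function scriptTerminatorCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// The escaped JSON is still valid JSON and decodes to the original value.
function roundTripsUnchanged(q) {
  return JSON.parse(safeJsonForScript({ q: q })).q === q;
}

console.log(scriptTerminatorCount(naiveScriptBlock(query))); // 2: payload closes the script early
console.log(scriptTerminatorCount(safeScriptBlock(query)));  // 1: only the real closing tag
```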
Posted by: PaPPy
Date: September 16, 2010 07:46AM

The point of the original post is that it isn't an XSS issue.

But only one backslash is needed for a Facebook XSS hole.

http://www.xssed.com/archive/author=PaPPy/
