4:35 PMFound Operating System Based XSS on Facebook.com
Hello friends i am back again, but this time with something big, today we will talk about a web vulnerability known as Cross Site Scripting aka XSS.
Cross Site Scripting:
XSS, as we know, helps hacker to inject client-side malicious script into a website’s pages and can lead to many serious problems like reputation attack, like adult alerts, transferring to some inappropriate website. XSS vulnerability may be used by hackers to bypass access controls such as the similar source procedure. SO in short its F*CKI*G dangerous :P.
Cross-site scripting vulnerabilities can grant malicious guests control over sites we are surrounded with in this virtual cyber world, and web applications in behavior that we may eventually not be able to manage properly or control.
The problem is, via XSS, malicious attackers can insert their own malicious code into websites, web applications, available themes and plugins even in an effort to achieve and have power over of some feature – or all aspects – of the website vulnerable to Cross Site Scripting.
Coming to the point that is Facebook vulnerability
From last two years facebook is being pawned so many times by various secruity researchers. and yes facebook is giving handsome bug bounty to them as motivation.
Few days back i installed Windows 8 pro to check its features and starts using it for web security vulnerability scanning, the thing which bombed me was getting XSS on those domains which are already patched by the organisations. First i tried XSS payload <script>prompt(1)</script> on paypal default search box as Bingo it pops up.
I tried doing the same version of Mozilla i.e Version: 22.0 on Windows 7 but there was nothing. Then i opened Facebook and filled a alert encoded payload and again Reflected XSS was found. Here is the below Proof of Concept Screen shot.Here you can see the new kind of reflected Cross SIte Scripting that is operating system based. Before this we all know that is cross site scripting can be parameter based and can be browser based. But with this new attack we can say XSS can also vary from operating system to operating system.
Final Words: After finding this vulnerability its successfully reported to facebook now waiting for the acceptance of the POC. You can also test your respective website by changing the operating system and deploying the same xss payload.Soon will upload the POC video for better understanding of yours as Facebook now reviewing the vulnerability.
You can connect to me with following links:
Twitter www.twitter.com/rahultyagihacks Mail:officialrahultyagi[at]gmail.com
Get India's Most Awaited Book on Ethical Hacking. A Fast Track to Ethical Hacking Now with Two DVD Set of full distance course of Information Security and Ethical Hacking in Just RS 1499 for Indian citizens & $80(including shipping charges) for people outside India . Click Here to order your toolkit and learn information security fast track course - sitting at home.