
Using Facebook as a proxy


WHAT YOU CAN DO:

– View HTML page of any website (not internal facebook pages);
– GET requests;

WHAT YOU CAN’T DO:

– Manage cookies;
– POST requests;

RESTRICTIONS:

– You must be logged in;


HISTORY:

– 14/12/2011: First contact
– 15/12/2011: No evidence to be a security flaw
– 15/12/2011: Practical usage examples
– 23/12/2011: No response, published (GMT +1).
– 23/12/2011 (1h after publishing): “We do not consider this a security flaw. Thanks for taking the time to look into this and please send us any additional concerns you encounter in the future.”

Having a facebook account is not so bad if you can have a free and fast proxy!
The affected page is:

developers.facebook.com/tools/debug/og/echo?q=

The “q” parameter must be a valid, unescaped URL. The output page shows you the HTML code of that URL and, guess what, the request is made by a Facebook server without reporting your original IP. Also, no “x-forwarded-for” header is added (thanks to white_sheep for this check).

::ffff:69.171.229.245 - - [14/Dec/2011:00:46:01 +0100] "GET / HTTP/1.1" 200 10222 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)" "4.40" "-" "-"

A potential attacker can use this kind of attack for:

  • SQL injection attacks (GET requests only)
  • Directory and file crawling
  • etc.

This is a sample video:

I also made a little PoC in bash that crawls a site using a specified wordlist. Keep in mind that it is not possible to see the original response status of the web server (403, 500, etc.); you only learn whether the page/folder exists or not.
The only cookies you need to make requests on Facebook are: datr, c_user and xs.
Source code of crawler: http://iht.li/p/ZkWW
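From the site owner's side, the relay leaves a recognisable trace: every request arrives with the facebookexternalhit user agent, but a wordlist pushed through the echo endpoint produces many distinct paths and mostly 404s in a short window, unlike a genuine link-preview fetch. The following detection sketch is an added example, not the author's crawler: it parses access-log lines in the format quoted above and flags source IPs showing that pattern (the log lines, the TEST-NET IP addresses and the thresholds are constructed for the example).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Access-log line as quoted in the post: Apache combined format plus extra trailing fields (ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
FB_UA_PREFIX = "facebookexternalhit/"

def parse_line(line):
    """Parse one access-log line into a dict (None if it does not match)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def flag_fb_enumeration(lines, window=timedelta(minutes=5), min_paths=5, min_404_ratio=0.6):
    """Flag source IPs whose facebookexternalhit traffic looks like wordlist crawling:
    many distinct paths, mostly answered 404, within `window`. A real preview fetch is
    one shared URL, usually 200. Returns {ip: (distinct_paths, n404, requests_in_window)}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ua"].startswith(FB_UA_PREFIX):
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding time window over this IP's requests
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            paths = {r["path"] for r in win}
            n404 = sum(r["status"] == 404 for r in win)
            if len(paths) >= min_paths and n404 / len(win) >= min_404_ratio:
                flagged[ip] = (len(paths), n404, len(win))  # latest qualifying window wins
    return flagged

# Constructed sample log (TEST-NET IPs): one legitimate preview fetch from 203.0.113.10
# and a wordlist run relayed through Facebook from 203.0.113.20.
_UA = '"facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"'
def _line(ip, sec, path, status):
    return f'{ip} - - [14/Dec/2011:00:46:{sec:02d} +0100] "GET {path} HTTP/1.1" {status} 512 "-" {_UA} "4.40" "-" "-"'
SAMPLE_LOG = [_line("203.0.113.10", 1, "/", 200)] + [
    _line("203.0.113.20", sec, path, status) for sec, path, status in
    [(2, "/", 200), (3, "/admin/", 404), (3, "/backup/", 404), (4, "/old/", 404), (5, "/test/", 404), (6, "/tmp/", 404)]]
```

Because the relaying server only learns exists/not-exists, the 404 ratio is the signal; tune the thresholds to your own preview-fetch baseline before alerting on it.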

11 replies on “Using Facebook as a proxy”

Sure, you must set your Facebook cookies.
You should edit the source code of applications like sqlmap to use this kind of “proxy forward”.
