– View HTML page of any website (not internal facebook pages);
– GET requests;
WHAT YOU CAN’T DO:
– Manage cookies;
– POST requests;
– You must be logged in;
– 14/12/2011: First contact
– 15/12/2011: No evidence of it being a security flaw
– 15/12/2011: Practical usage examples
– 23/12/2011: No response, published (GMT +1).
– 23/12/2011 (1h after publishing): “We do not consider this a security flaw. Thanks for taking the time to look into this and please send us any additional concerns you encounter in the future.”
Having a facebook account is not so bad if you can have a free and fast proxy!
The affected page is:
The “q” parameter must be a valid unescaped URL. The output page shows the HTML code of that URL and, guess what? The request is made by a Facebook server, without reporting your original IP. Also, “x-forwarded-for” is not used (thanks to white_sheep for this check).
::ffff:184.108.40.206 – – [14/Dec/2011:00:46:01 +0100] “GET / HTTP/1.1” 200 10222 “-” “facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)” “4.40” “-” “-“
A potential attacker can use this kind of attack for:
– SQL injection attacks (GET requests only)
– Directory and file crawling
This is a sample video:
I also made a little PoC in bash that crawls a site using a specified wordlist. Keep in mind that it is not possible to intercept the original response status of the web server (403, 500, etc.), but only whether the page/folder exists or not.
The only cookies you need to make requests on Facebook are: datr, c_user and xs
Source code of crawler: http://iht.li/p/ZkWW
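Seen from the target site, the crawling and GET-based injection described above arrive from Facebook addresses under the facebookexternalhit user agent, so blocking or attributing by client IP does not help. The following is an added example (not part of the original post or its crawler) that flags this pattern in an access log of the format shown above; the sample lines, the marker regex and the threshold are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Access-log line as shown on the page: client, timestamp, request, status, size, referer, UA.
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
FETCHER_UA = "facebookexternalhit"
# Small illustrative marker set (assumption); tune it for the application being monitored.
SQLI_RE = re.compile(r"\bunion\b\s+(all\s+)?select\b|'\s*(or|and)\b|\bsleep\s*\(", re.I)
MISS_THRESHOLD = 3  # assumed cut-off: distinct not-found paths that count as enumeration


def analyze(lines):
    """Summarise suspicious fetcher-UA requests; grouped by UA, since the client IP is Facebook's."""
    sqli, missing = [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or FETCHER_UA not in m["ua"].lower():
            continue  # unparsable line or ordinary visitor
        url = urlsplit(m["target"])
        if SQLI_RE.search(unquote_plus(url.query)):
            sqli.append(m["target"])
        if m["status"] == "404":
            missing.add(url.path)
    return {"sqli": sqli, "missing_paths": sorted(missing),
            "enumeration": len(missing) >= MISS_THRESHOLD}


def _line(target, status, ua="facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"):
    # Constructed sample entry; 192.0.2.10 is a documentation address, not a real client.
    return (f'::ffff:192.0.2.10 - - [14/Dec/2011:00:46:01 +0100] '
            f'"GET {target} HTTP/1.1" {status} 512 "-" "{ua}"')


SAMPLE = [
    _line("/", 200),
    _line("/admin/", 404),
    _line("/backup/", 404),
    _line("/old/", 404),
    _line("/item.php?id=1%27%20OR%20%271%27=%271", 200),
    _line("/favicon.ico", 404, ua="Mozilla/5.0"),
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The person driving the fetcher only learns whether a page exists, but the target's own log still records the real status codes, which is what the 404 count relies on.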