Make a JSONP request to graph.facebook.com with some callback to include this JSON data in the page. Of course, at first I tried to include the callback parameter in the request, but the result was unsuccessful. After lots of tries to inject something, I found an interesting script that exists on almost every Facebook domain. It's login.php, which allows redirection to any *.facebook.com page. First, I tried to make a redirection to http://graph.facebook.com/me?callback=alert, and it worked! I got an alert with the [Object object] text. Great!
Ok, let's try to execute our code. I tried, and it failed. There is the "content-security-policy" header, which disallows running this code. It seems like I should find another place to store my code... But wait! Internet Explorer ignores this header because it requires the "x-content-security-policy" header. So, I checked it in IE 10 and it worked out great.
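As an added illustration (not Facebook's code and not part of the original post), here is the server-side hardening a JSONP endpoint like the one above would want: a strict callback whitelist, a script Content-Type with nosniff so the response cannot be rendered as a document, and the policy sent under both the standard and the legacy X- header name that the post notes older Internet Explorer honours. The function and header names are assumptions for the example.

```python
import json
import re
from typing import Optional, Tuple

# Allow only plain dotted identifiers as callback names, so the callback
# value itself can never smuggle script (quotes, parentheses, spaces).
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

def is_safe_callback(name: str) -> bool:
    return bool(name) and len(name) <= 64 and _CALLBACK_RE.fullmatch(name) is not None

def build_jsonp_response(data: dict, callback: Optional[str],
                         policy: str = "default-src 'self'") -> Tuple[int, dict, str]:
    """Return (status, headers, body) for a JSON/JSONP endpoint (constructed example)."""
    headers = {
        # A script media type plus nosniff keeps a top-level navigation to this
        # URL from being treated as HTML, which is what lets JSONP run as a page.
        "Content-Type": ("application/javascript" if callback else "application/json")
                        + "; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        # Send the policy under both names: the post observed that IE 10 ignores
        # Content-Security-Policy and only looks at the X- prefixed header.
        "Content-Security-Policy": policy,
        "X-Content-Security-Policy": policy,
    }
    if callback is None:
        return 200, headers, json.dumps(data)
    if not is_safe_callback(callback):
        headers["Content-Type"] = "application/json; charset=utf-8"
        return 400, headers, json.dumps({"error": "invalid callback"})
    # Leading comment block is a common anti-sniffing prefix; the payload is
    # serialised JSON, so the callback name is the only script token present.
    body = "/**/ " + callback + "(" + json.dumps(data) + ");"
    return 200, headers, body

def csp_headers_consistent(headers: dict) -> bool:
    """Response check: the policy must be present and identical under both names."""
    std = headers.get("Content-Security-Policy")
    legacy = headers.get("X-Content-Security-Policy")
    return std is not None and std == legacy
```

csp_headers_consistent can be run over captured responses to catch endpoints that set only the standard header name.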
I conducted the XSS, got a reward, had lots of fun and, in addition, made a cool screenshot 😉
Here is the video of the exploitation:
Author: Pavel Toporkov, Positive Research.