Today i am going to show you how i find redirect vulnerability in Facebook with Proof Of Concept (POC) which is not fix at yet. I have already submitted a bug to Facebook team few days back and did not get a proper reply in time, so I am going to define the vulnerability with a better explanation.
First i successfully redirect the valid link like Google.com.
Method:
This link gives security warning. Now i bypassed this warning by used below links
Bypass link:
Above link will easily redirect to Google.com without any warning.
How i found "h" parameters you can easily seen in below image as red mark..
How i found "h" parameters you can easily seen in below image as red mark..
You can easily find "h" parameter just do mouse over on any link. And "h" parameter is always change by refreshing on same page.
But i was thought Facebook might not be accepted my vulnerability then i decided to redirect the malicious link and i got succeeded for the same.
But i was thought Facebook might not be accepted my vulnerability then i decided to redirect the malicious link and i got succeeded for the same.
In below cases i used malicious link and getting successfully to redirect.
Case 1: Facebook used to give warning for the URL's while redirecting them to a malicious site i.e.
Phishing site. https://www.facebook.com/l.php?u=http://haxor.nazuka.net/fb/ (See in image)
Phishing site. https://www.facebook.com/l.php?u=http://haxor.nazuka.net/fb/ (See in image)
Case 2: Now to bypass this validation,
I just added some URL parameters that allow an attacker to redirect the users to any malicious link. Watch below links which is redirected without giving any warning.
I just added some URL parameters that allow an attacker to redirect the users to any malicious link. Watch below links which is redirected without giving any warning.
http://www.facebook.com/l.php?u=http://haxor.nazuka.net/fb/&h=nAQEUEruN&s=1
www.facebook.com/l.php?u=http://haxor.nazuka.net/fb/&h=lAQFynAJt&s=1
[Note] you can replace your redirect URL from "u=[YOUR URL]"
then it will redirect to your URL without giving any security warning.
If you will click the Second URL, Facebook validations will not be able to identify the risk and victims can be easily redirected to the sites with exploit kit or phishing pages.
Where the parameter 'h' having some specified values, which are already defined by FB to give direct redirection to reputed links or other links in 'About profile' content.
Where the parameter 'h' having some specified values, which are already defined by FB to give direct redirection to reputed links or other links in 'About profile' content.
I replied to FB if you can re-investigate the issue for me and will be happy to know that - How this is not a valid bug ? But i got agaim same answer from the Facebook.
I have previously discovered 100's of such vulnerabilities in different websites and know about the threat. As far I know that, Open redirect is also part of your Bug Bounty Program of Facebook and I have successfully found a way to redirect malicious URL from Facebook as without any warning..
I have previously discovered 100's of such vulnerabilities in different websites and know about the threat. As far I know that, Open redirect is also part of your Bug Bounty Program of Facebook and I have successfully found a way to redirect malicious URL from Facebook as without any warning..
But at the end Facebook has refused my vulnerability and said it was not BUG..
# Founded By Priyanshu Sahay
# Found Date: 20 Nov 2013
# Contact:
# Found Date: 20 Nov 2013
# Contact:
Facebook: https://www.facebook.com/PriyanshuSahay.Officialpage
Twitter: @priyanshu_itech
LinkedIn: http://www.linkedin.com/in/priyanshusahay
Twitter: @priyanshu_itech
LinkedIn: http://www.linkedin.com/in/priyanshusahay