Monday, May 23, 2011

Facebook Vulnerable to HTML Injection

Well lemme go straight to the point.

Facebook IS again vulnerable, this time to a HTML Injection vulnerability.

The exploit actually allows a malicious user to insert malicious HTML-based content within client web requests.

Let's take a look at the P.O.C. below



I actually have this in the url

http://www.facebook.com/connect/connect_to_node_error.php?title=I%20am%20Slyr0x%20and%20i%20have%20evil%20intent%20NOT.

Lets take a look at the body



https://www.facebook.com/connect/connect_to_node_error.php?body=My%20nam3%20is%20Slyr0x..and%20i%20have%20evil%20intent.%20NOT.

Now, lets see a combination of the Title & Body using the famous Peter Attah Nigerian Scam Letter



The malicious user's imagination is his/her only limit!

No comments:

Post a Comment