New Vulnerability Javascript Injection on Facebook - BestCyberNews: Online News Presenter in the present world

BestCyberNews: Online News Presenter in the present world

Start knowing

test banner

Breaking

New Vulnerability Javascript Injection on Facebook

Indian security researcher Mr. Manjesh found the new vulnerability on Facebook, the vulnerability at Facebook badges and was a SELF stored injection also it was limited to only 10 characters.

They didn't found any XSS java-script which is within 10 characters and this was the main problem I was having. 

When he send a request with just text : Manjesh, he was getting the output as : <div class="badge_holder bh_Manjesh">. This is it!! I was able to inject something on a DIV tag.

Below is the Proof of Screenshots:







Researcher reported this as an XSS/self stored HTML injection and they are rejected, there is no scope for HTML injection and as I didnt had any proof to show XSS is possible.


Finally he didnt found any xss stuffs within 10 chars but came up with a logical Idea. But able to execute <noscript> then I could hide all the badges created, but <noscript> didnt worked instead "><script> worked

This Vulnerability got accepted by Facebook and it was fixed very quickly.




Author Venkatesh Yalagandula Follow us Google + and Facebook and Twitter

No comments:

Post a Comment