29 March 2013

Category: Hacks


I wanted to share my finding in regard to Stored XSS in Facebook.com.

First, I need to state that finding any Stored XSS problems in facebook.com is considerably rare.

Thus, I wanted to share what I have learned in my research on the topic. To start, I’d like to present a few steps I employed to make this Stored XSS process work. At the current time, opening a page (facebook.com/pages/create.php) with a malicious Page name (JavaScript Payload) will result in an automated block. (I’m “positive” that there could be a bypass, but I have yet to spend the time testing it.)

1. I found another way to bypass the protection and, thus, alter the page title name via the Facebook API for Updating Page Attributes (https://developers.facebook.com/docs/reference/api/page/#page_access_tokens).

In this event, I changed the name of the Page Title to a “malicious” JavaScript Payload.

2. In Facebook Pages, it’s possible to add an application to your page by using the “Adding to a Page” box:


When a tab is added to your page, Facebook displays the pages you own or manage by their title. Because of that, I was able to execute a Stored XSS (Facebook did not filter the Page Title Name).

On its own, this appears to be only a Self-Stored XSS. However, Facebook Pages allow you to use the Admin Roles setting to add more admins to your Page. In this case, I added the victim as an admin of my “malicious page.” There was no need for the victim to accept the admin request; the victim was simply added to my page automatically, and I was able to exploit this XSS flaw by sending the victim a single link:



PoC Video

By @Nirgoldshlager
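
The root cause described above is that the Page name was blocked on one write path (the creation form) but accepted on another (the API), and was then rendered unfiltered in the “Adding to a Page” box. The following is an added example, not code from the original post or from Facebook, using hypothetical function names and a constructed harmless marker tag in place of a payload, to show why encoding at the render sink closes the gap no matter which write path stored the value:

```javascript
// Constructed model: a page store with two write paths and two render sinks.
// All names here are hypothetical; none of them are Facebook's.
const pages = new Map();

// Write path 1: the creation form, which rejects names that look like markup.
function createPage(id, name) {
  if (/[<>]/.test(name)) throw new Error("blocked: markup in page name");
  pages.set(id, { name });
}

// Write path 2: an attribute-update API that stores the name without that check.
function updatePageViaApi(id, attrs) {
  if (!pages.has(id)) throw new Error("no such page");
  Object.assign(pages.get(id), attrs);
}

// Vulnerable sink: the stored name is concatenated into HTML as-is.
function renderPickerUnsafe(ids) {
  return ids.map((id) => `<option value="${id}">${pages.get(id).name}</option>`).join("");
}

// Encode for HTML element content and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened sink: every stored value is encoded at render time, so it no
// longer matters which write path put it in the store.
function renderPickerSafe(ids) {
  return ids
    .map((id) => `<option value="${escapeHtml(id)}">${escapeHtml(pages.get(id).name)}</option>`)
    .join("");
}

// Constructed sample: a harmless marker tag stands in for a script payload.
const MARKER = '<b id="marker">x</b>';
function demo() {
  pages.clear();
  let blockedAtForm = false;
  try { createPage("p1", MARKER); } catch (e) { blockedAtForm = true; }
  createPage("p1", "Benign name");          // passes the form filter
  updatePageViaApi("p1", { name: MARKER }); // second path skips the filter
  return { blockedAtForm, unsafe: renderPickerUnsafe(["p1"]), safe: renderPickerSafe(["p1"]) };
}
```

The same encoding has to be applied at every place the title is displayed; filtering at the write paths alone leaves any path that is missed exposed.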


9 responses on “Another Stored XSS in Facebook.com”

  1. video games says:

    Hi, I think that I saw you visited my weblog, thus I came to “return the favor”.
    I am attempting to find things to enhance my site! I suppose it’s ok to use a few of your ideas!


  2. Pretty! This has been a really wonderful article. Thank you for supplying this information.

  3. Incredible points. Solid arguments. Keep up the good work.

  4. I really like what you guys are usually up to. This sort of clever work
    and exposure! Keep up the awesome work, guys. I’ve included you guys in my blogroll.

  5. Fabric Sofas says:

    What’s up to all, how is all, I think every one is getting more from this web page, and your views are nice designed for new people.

  6. This is a good tip particularly to those fresh to the blogosphere.
    Simple but very accurate info… Appreciate your sharing this one.
    A must read post!

  7. If someone wants to be updated with the newest technologies, then he must
    visit this web site and be up to date daily.

  8. WOW just what I was searching for. Came here by searching for %meta_keyword%|
