Monday, October 30, 2017

Can you trust Facebook links?

While we are on Facebook, we are often share links to external sources, like Youtube, Google Drive, Instagram, or any other websites.
Many people think that Facebook links are quite reliable, but are they?

Facebook users can send those links via post or privately over Messenger, as you can see on the following images:

So how exactly preview link feature works?
When a user is about to post a link, he pastes it on Facebook, which detects it as a URL, then Facebook bot called “Facebook External Hit”, fetches a GET request to the supplied link and extract the relevant data from the HTML content such as preview image, title, description, and origin domain.
The link’s preview data is the only information supplied to the user before clicking it. In case the preview data is fake, it is super useful for phishing campaigns/ads/click fraud (pay-per-click)/Malvertising, just few days ago, I read this article about gigantic ad fraud on MySpace.

So after exploring this feature, I managed to understand how exactly the preview data was fetched, and what Facebook bot is looking for in the HTML content.
Facebook’s bot is looking for specific HTML tags, some of the tags it is looking for, are the “meta” tags, specifically with values “og:url” , “og:image” and “og:title” in the “property” attribute.
Due to lack of validation between the “og:url” content attribute to the origin domain retuned the HTML, it is possible to abuse this feature via crafted meta tags, so in case someone supplies to Facebook bot a URL that returns HTML with those crafted tags which contain fake data of another website (let’s say Youtube), the preview data will look like a Youtube song (or any other targeted page over the internet), but the actual link will lead victims to the URL containing the malicious HTML.
An example of HTML that fakes Youtube song link:

In my opinion, all Facebook users think that preview data shown by facebook is reliable, and will click the links they are interested in, which makes them easily targeted by attackers that abuse this feature in order to perform several types of attacks as I mentioned above (phishing campaigns/ads/click fraud pay-per-click).

I reported Facebook about this issue but unfortunately they refuse to recognize it as security issue and replied:
Facebook contains user-generated content, so the ability to inject content into a page, even under, is a very low-risk vulnerability. We consider content spoofing bugs like this to be low-risk and low-impact”

In addition, Facebook replied that the links posted are validated via system called “Linkshim”, in order to avoid phishing and malicious websites, but faking the meta tags is not considered as malicious activity.
we filter redirects through a system known as Linkshim…….. Feel free to test Linkshim against a URL belonging to a known malicious website, such as

I explored how Linkshim works, which is probably part of the “Facebook External Hit” bot, I tried to publish a link that redirects user’s browser to “evilzone” but it was detected and removed (as shown the PoC video), then I thought, what if I supply Facebook bot just a normal fake HTML without any malicious code, but supply victims the malicious HTML?
PoC video:

The following code bypasses Linkshim system by detecting the bot request via User Agent (you can do so via detecting IP) and supply HTML with non malicious content while supplying the malicious HTML to victims:
In this article I did not show real-life attack scenario and didn't abused this feature for real malicious activity, but there is plenty ways to exploit this vulnerability in order to perform several types of attacks like stealing sensitive information like credentials/credit cards.
In summary,  I hope this post will make Facebook users aware of this issue and make Facebook addressed those vulnerabilities.

Monday, September 18, 2017

Gem in a box XSS vulnerability - CVE-2017-14506

In this short blogpost I will give a short explain of XSS vulnerability i found on geminabox v0.13.5. which is a gems manager like so you can upload and download gems
Geminabox parses the uploaded gems and gives the users list of the gems on the system as the following image:

As you can see, the system parses the gem's details and present it on the web UI.
After few times, I succeeded to create a GEM file to exploit XSS, the attack scenario goes as follows:

  • Malicious attacker create GEM file with crafted homepage value (gem.homepage in .gemspec file) includes XSS payload as the following image:
  • The attacker access geminabox system and uploads the gem file (or uses CSRF/SSRF attack to do so). 
  • From now on, any user access Geminabox web server, executes the malicious XSS payload, that will delete any gems on the server, and won't let users use the geminabox anymore. (make victim's browser crash or redirect them to other hosts).

PoC video:

Tuesday, August 18, 2015

PT Vulnerabilities Manager - burp extension

Penetration test vulnerabilities manager extension for Burp Suite written in Jython developed by Barak Tawily in order to ease application security people manage vulnerabilities

alt tag

Friday, February 20, 2015

Autorize - automatic authorization enforcement detection extension for Burp Suite


Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by Barak Tawily, an application security expert at AppSec Labs. Autorize was designed to help security testers by performing automatic authorization tests.
alt tag

Wednesday, December 10, 2014

AliExpress XSS vulnerability - take over any seller account

In this blog post I will discuss a XSS vulnerability I’ve found in AliExpress website.
I discovered this vulnerability while i bought items in the website, i wanted to contact with the seller so i sent him a message. As an application security expert i suspected that the messages system might be vulnerable to XSS so i started investigate it.
after a full investigation i found that it is possible to inject HTML <b> tag into the message, and it will be rendered as HTML code in the recipients' browser.
By injection the following malicious script payload in a message content parameter, the seller will browse to the message center in AliExpress website, thus, the malicious script will be executed on his browser:

Hello Seller :)<b style="position:fixed;top:0;left:0;display:block;width:100%;height:100%" onmouseover="alert('Barak Tawily, AppSec Labs')">PoC</b>

Note: the system doesn't allow send HTML tags in the content of the message, but it allows <b> tag only, thats why the payload to exploit the vulnerability is <b> tag and not any other.

Wednesday, January 15, 2014

SoapUI Code Execution Vulnerability - CVE-2014-1202

In this blog post I will discuss a vulnerability I’ve found in the SoapUI product before version 4.6.4 (CVE-2014-1202).
I discovered this vulnerability during a penetration test in which I saw that the SoapUI software allows the clients to execute a Java code on the local machine by putting a Java code inside the following tag: