Sunday, December 6, 2009

Multiple bugs on apps.facebook.com

apps.facebook.com is still vulnerable to SQL injection and HTML injection.

So let's see some screenshots :)







Iframe injection PoC: http://apps.facebook.com/lol_pets/?added_app=

Many other applications seem to be vulnerable, so be careful!
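The PoC above points at a reflected parameter: whatever is passed in added_app ends up in the canvas page as live markup, so an attacker can drop an iframe into a facebook.com page. The following is an added example, not code from the post or from any Facebook application; the handler is a hypothetical stand-in (the real app's code is not known), and the payload and the check function are constructed here to show the bug beside its fix.

```python
"""Added example: reflected HTML/iframe injection through a query parameter.

render_vulnerable() is a hypothetical canvas handler that echoes the
added_app parameter verbatim; render_fixed() escapes it first.
reflects_unescaped() is the check you would run over a captured response
when testing the "many other applications" mentioned in the post.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed payload, in the style of the PoC URL quoted in the post.
# attacker.example is a placeholder host, not a real address.
IFRAME_PAYLOAD = '<iframe src="http://attacker.example/"></iframe>'
POC_URL = "http://apps.facebook.com/lol_pets/?added_app=" + IFRAME_PAYLOAD


def added_app_param(url: str) -> str:
    """Extract the added_app query parameter from a URL ("" if absent)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("added_app", [""])[0]


def render_vulnerable(added_app: str) -> str:
    """Hypothetical vulnerable handler: interpolates untrusted input as-is."""
    return f"<div class='notice'>Added app: {added_app}</div>"


def render_fixed(added_app: str) -> str:
    """Hardened handler: HTML-escape before interpolating into markup.

    html.escape turns '<', '>', '&' and both quote characters into entities,
    so the browser renders the payload as text instead of creating an iframe.
    """
    return f"<div class='notice'>Added app: {html.escape(added_app, quote=True)}</div>"


def reflects_unescaped(body: str, marker: str) -> bool:
    """True if the marker appears in the response body as live markup.

    An escaped reflection ("&lt;iframe ...") does not match, so this
    distinguishes a real injection from a harmless echo of the text.
    """
    return marker in body


if __name__ == "__main__":
    payload = added_app_param(POC_URL)
    print("vulnerable:", reflects_unescaped(render_vulnerable(payload), payload))
    print("fixed:     ", reflects_unescaped(render_fixed(payload), payload))
```

Against a live target you would substitute the response body fetched from the PoC URL for the output of render_vulnerable(); the rest of the check is the same. Note that escaping is context-dependent: html.escape is the right tool for text and quoted attribute values, but input placed into a script block or a URL attribute needs the escaping rules of that context.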

See also my old post about SQL injection on http://apps.facebook.com.


Update

Another app vulnerable to SQL injection:
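The post does not show the injectable query, so the following is an added example of the bug class rather than the code of any Facebook application: a lookup built by string concatenation next to the parameterised version, run against an in-memory SQLite database. The table, column names and sample rows are constructed for the demonstration.

```python
"""Added example: SQL injection via string concatenation, and its fix.

Hypothetical schema: a table of app installs keyed by app_id. The
vulnerable function splices the attacker-controlled app_id straight into
the SQL text; the fixed one hands it to the driver as a bound parameter.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not real Facebook data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE installs (user_id TEXT, app_id TEXT)")
    conn.executemany(
        "INSERT INTO installs VALUES (?, ?)",
        [("1001", "lol_pets"), ("1002", "app-tap"), ("1003", "lol_pets")],
    )
    return conn


def users_for_app_vulnerable(conn: sqlite3.Connection, app_id: str) -> list:
    """Injectable: the value becomes part of the SQL grammar."""
    sql = "SELECT user_id FROM installs WHERE app_id = '" + app_id + "'"
    return [row[0] for row in conn.execute(sql)]


def users_for_app_fixed(conn: sqlite3.Connection, app_id: str) -> list:
    """Parameterised: the value is bound after parsing and can never
    terminate the string literal or add clauses."""
    sql = "SELECT user_id FROM installs WHERE app_id = ?"
    return [row[0] for row in conn.execute(sql, (app_id,))]


# Constructed payload: closes the quoted literal and appends a tautology, so
# the vulnerable query becomes ... WHERE app_id = 'x' OR '1'='1'
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("legit, vulnerable:", users_for_app_vulnerable(conn, "lol_pets"))
    print("payload, vulnerable:", users_for_app_vulnerable(conn, PAYLOAD))
    print("payload, fixed:", users_for_app_fixed(conn, PAYLOAD))
```

The tautology dumps every row from the vulnerable function, while the parameterised function simply looks for an app literally named x' OR '1'='1 and returns nothing. The fix is the same in PHP, Java or any other stack the apps were written in: bind parameters, never build SQL text from request data.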


And here we have another HTML injection PoC: http://apps.facebook.com/app-tap

1 comment:

buherator said...

m1key also showed a bug like this to me but it seemed like the guys at FB noticed the breach and redirected him to a honeypot and started the decloaking engine, so be careful! I wrote about this in my hungarian blog, the screens might be interesting for you too (especially the last BackTrack shell :P): http://buhera.blog.hu/2009/11/28/facebook_a_mezesbodon

Nice job anyway!