Tag Archive: XSS

XSS on Facebook’s acquisition Oculus CDN

This issue is very similar to my previous report. I thought I would check whether the same issue exists on any other acquisition by “Facebook”. Luckily, the same issue was present on “oculuscdn.com”, even without interchanging any subdomains. Proof of concept: There is an endpoint that allowed developers to upload application assets in their Oculus account. All assets […]


XSS on Facebook-Instagram CDN Server bypassing signature protection.

All Facebook and Instagram photos/videos are stored on their CDN servers “*.fbcdn.net” and “*.cdninstagram.com”, and they are served via various subdomains. All of the photos/videos on the CDN server contain a hash in the URL (various parameters ‘oh’ and ‘oe’, etc.), which causes an error to be thrown if we modify the file extension (e.g. “.jpg” to […]
