XSS on Facebook’s acquisition Oculus CDN
Luckily, the same issue was present on "oculuscdn.com", even without interchanging any subdomains.
Proof of concept
There is an endpoint that allowed developers to upload application assets to their Oculus account. All assets are stored on
POST /upload_image/ HTTP/1.1
The response contains an image "handle" and the image URL:
HTTP/1.1 200 OK
- It was much easier than before: just append a malicious payload to the image.
- Grab the image URL from the response.
- Remove the "/v/" parameter from the URL and modify the file extension. (
So, our final URL will be,
This could have allowed an attacker to run arbitrary JS on the Oculus CDN. It wouldn't have given access to the user's cookies/session, since the CDN is a sandboxed domain, but it could have been used for phishing or as a Linkshim bypass.
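The root cause described above is a CDN that served an uploaded "image" with a content type taken from the requested file extension, so trailing bytes appended to a valid image could be rendered as HTML. The following is an added defensive example, not code from the original report or from Oculus/Facebook: it validates that an upload is a real PNG with no trailing data after the IEND chunk, and derives the response Content-Type from the validated stored type rather than from the requested URL. The sample PNG, the trailing bytes and the function names are constructed for the example.

```python
import mimetypes
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
INLINE_TYPES = {"image/png", "image/jpeg", "image/gif"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def sniff_image_type(data: bytes):
    """Identify the image type from magic bytes; None if unrecognised."""
    if data.startswith(PNG_SIG):
        return "image/png"
    if data[:3] == b"\xff\xd8\xff":
        return "image/jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    return None


def png_trailing_bytes(data: bytes) -> int:
    """Walk the PNG chunk list and return how many bytes follow the IEND chunk.

    A clean file returns 0. Raises ValueError for a malformed chunk list.
    """
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return len(data) - end
        pos = end
    raise ValueError("no IEND chunk")


def validate_upload(data: bytes) -> str:
    """Accept the upload only if it is a recognised image with no trailing data.

    Returns the validated MIME type to store alongside the asset handle.
    (Only PNG is structurally checked here; JPEG/GIF would need their own walk.)
    """
    mime = sniff_image_type(data)
    if mime is None:
        raise ValueError("not a recognised image")
    if mime == "image/png" and png_trailing_bytes(data) != 0:
        raise ValueError("trailing data after IEND chunk")
    return mime


def weak_headers_from_extension(path: str) -> dict:
    """The fragile pattern: Content-Type guessed from the URL extension."""
    guessed, _ = mimetypes.guess_type(path)
    return {"Content-Type": guessed or "application/octet-stream"}


def asset_response_headers(stored_mime: str, requested_path: str) -> dict:
    """Hardened pattern: headers come from the validated stored type.

    requested_path is deliberately ignored for type selection; renaming the
    URL cannot change how the bytes are served.
    """
    return {
        "Content-Type": stored_mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "inline" if stored_mime in INLINE_TYPES else "attachment",
    }


if __name__ == "__main__":
    clean = make_minimal_png()
    print("clean upload:", validate_upload(clean))
    print("weak  :", weak_headers_from_extension("assets/handle.html"))
    print("strong:", asset_response_headers(validate_upload(clean), "assets/handle.html"))
```

The two header functions make the comparison concrete: with the weak pattern a renamed extension changes the served type, while the hardened pattern keeps the validated type, adds `nosniff` so browsers do not second-guess it, and forces a download for anything outside the image allowlist.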
- 19 Mar, 2018: Initial Report Sent.
- 22 Mar, 2018: Asked for more details.
- 22 Mar, 2018: More Payloads, Clarification Sent.
- 23 Mar, 2018: Acknowledgment of Report.
- 25 May, 2018: Issue Fixed.
- 1 Jun, 2018: $1500 Bounty Awarded by Facebook.
- XSS in Oculus Rifts CDN.
- An XSS on Facebook via PNGs & Wonky Content Types
- Ability to upload HTML via SRT caption files for Facebook Videos.
- XSS in Facebook CDN through AR Studio Effects.