
Hacking Facebook

Stefan FODOR (backb0ne fl00d3r)

17th of May

Vlad ZAHAN

Overview

Cookie jar

Man-in-the-middle attack

Hacking no 1 (ARP poisoning)

Hacking no 2 (Firesheep)

XSS

Facebook applications

Hacking no 3 (XSSing)

Questions?

Web-Cookies

Text stored on user's computer by a browser

Save user's preferences

Language

Location

Login information

Logged in or not

Last login

Autologin (remember me box)

Cookie jar

Man-in-the-middle attack

Hacking no 1

ARP Poisoning

Capture authentication cookies with Wireshark

Modify existing cookies

Refresh the page

Wanna see a demo?

Dmesg messages from kernel

Firesheep

XSS

Aka Cross-site scripting

Security vulnerability of web applications

Inject code into the webpage

Facebook application

Apps loaded into Facebook page

Created by third-parties

Some sort of social-coding?

Facebook apps are ...

Incredible

Useful

Fun

Entertaining

Challenging

...vulnerable to XSS!

XSSing Facebook

http://apps.facebook.com/flixville/search/?locale=US&searchText=%22%3E%3Cfont%20size=70%20color=red%3EStefan%20said:%20Greetings%20Morten!
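The URL above reflects the `searchText` parameter straight into the page. The following added example (not part of the original slides or of the flixville app; the `<input>` template is an assumption) decodes that parameter, renders it once unescaped and once HTML-encoded, and parses both results to show how the encoded version keeps the payload inside the attribute.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The URL from the slide; only searchText is reflected into the page.
SLIDE_URL = ("http://apps.facebook.com/flixville/search/?locale=US&searchText="
             "%22%3E%3Cfont%20size=70%20color=red%3EStefan%20said:%20Greetings%20Morten!")

# Assumed markup: the search box echoes the query inside a quoted attribute.
TEMPLATE = '<input type="text" name="searchText" value="{value}">'


def search_text_from_url(url: str) -> str:
    """Return the decoded searchText query parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("searchText", [""])[0]


def render_vulnerable(search_text: str) -> str:
    """Reflect the parameter unchanged: a leading '">' closes the attribute and
    the input tag, so whatever follows is parsed as new markup."""
    return TEMPLATE.format(value=search_text)


def render_fixed(search_text: str) -> str:
    """Encode &, <, >, " and ' before reflection; the browser decodes them
    back into text inside the attribute, never into new tags."""
    return TEMPLATE.format(value=escape(search_text, quote=True))


class _TagCollector(HTMLParser):
    """Collect start tags and their attributes as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.append(dict(attrs))


def tags_in(html: str) -> list:
    """Return the start tags in a rendered fragment (one extra tag = injection)."""
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    return parser.tags
```

With the slide's URL, `tags_in(render_vulnerable(...))` yields `['input', 'font']`, while the encoded rendering yields only `['input']`.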

In theory...

Make a cookie stealing app

Send it to a server

Store the cookies

Have fun!

In theory this should work...

Questions?

References

http://hackhaholic.blogspot.com/2011/04/what-is-arp-spoofing-and-how-to.html

http://codebutler.com/firesheep

https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

http://www.xssed.com/mirror/59032/