Facebook Push Notification Linkshim Bypassed
2021-04-01 23:20:25 Author: infosecwriteups.com

Neilmark Ochea

I’m glad you’re here. Please have fun reading (@nmochea).

While browsing and looking for Facebook vulnerabilities, I accidentally found this Facebook push notification link:

https://facebook.com/notifications/client/push/enabled/?ref=

When I visited the Facebook link, something strange happened: the whole Facebook page was blank, there was nothing there. Hmm, so I viewed the source code and read it to analyze it.

Snippet below

upsell:null, redirectUrl:"{}", enabledUrl:null

The redirectUrl is vulnerable to open redirect by adding a link in the endpoint parameter, so I quickly checked whether the URL has an endpoint parameter, and yes.

Vulnerable Parameter

?ref=

I added my website to the endpoint parameter but nothing happened. Hmm, so I tried to bypass it using URL encoding:

https%3a%2f%2fmydomain%2ecom%2flogin%2ephp

But still nothing happened, and then I added more %2f to the web URL:

https://facebook.com/notifications/client/push/enabled/?ref=https%3a%2f%2f%2fmydomain%2ecom%2flogin%2ephp

Then boom, the Facebook page redirected to my website:

https://mydomain.com/login.php

Although I tried to perform XSS, it is already filtered by hex encoding, and my knowledge is not enough to bypass the hex filters.

Every time a link is clicked on the site, Linkshim checks the URL against Facebook's own internal list of malicious links, along with the lists of numerous external partners including McAfee, Google, Web of Trust, and Websense. If Facebook detects that a URL is malicious, Facebook will display an interstitial page before the browser actually requests the suspicious page.

Read the full explanation in this link: www.facebook.com

Setup

  • User UserOne

Steps to Reproduce

  • From any web browser, log in as UserOne and go to

https://facebook.com/notifications/client/push/enabled/?ref=

  • Now insert a website into the endpoint parameter; the result looks like this:

https://facebook.com/notifications/client/push/enabled/?ref=https://mydomain.com/login.php

  • Add more slashes (/), then URL-encode the website URL and insert it into the endpoint parameter:

https://facebook.com/notifications/client/push/enabled/?ref=https%3a%2f%2f%2fmydomain%2ecom%2flogin%2ephp

  • Hit Enter; it will redirect to www.mydomain.com/login.php. Linkshim finally bypassed.
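
As an added example (not code from the original post or from Facebook): the post does not say how the filter was implemented, so the regex check below is a hypothetical illustration of how a validator can read `https:///mydomain.com/login.php` as having no host while the browser's URL parser resolves it to mydomain.com. `ALLOWED_HOSTS`, `FALLBACK`, `BASE` and all function names are assumptions; the hardened function parses the decoded `ref` value with the same WHATWG parser the browser uses and allowlists the resulting host.

```javascript
// Added example, not Facebook's code. Allowlist and fallback are assumptions.
const ALLOWED_HOSTS = new Set(["facebook.com", "www.facebook.com"]);
const FALLBACK = "https://facebook.com/";
const BASE = "https://facebook.com/";

// Hypothetical naive check: extract the host with a regex and treat an
// empty host as "not an external link".
function naiveLooksInternal(target) {
  const m = /^https?:\/\/([^\/?#]*)/i.exec(target);
  if (!m) return true;                 // no scheme://host, assumed relative
  const host = m[1].toLowerCase();
  return host === "" || ALLOWED_HOSTS.has(host);
}

// Host the browser will actually request. For http(s) URLs the WHATWG
// parser skips extra slashes after the scheme, so "https:///a.b/" means a.b.
function browserHost(target) {
  try {
    return new URL(target, BASE).hostname;
  } catch {
    return null;
  }
}

// Hardened handling of ?ref=: decode once, parse like the browser does,
// then allow only https URLs whose host is on the allowlist.
function safeRedirectTarget(pageUrl) {
  const ref = new URL(pageUrl).searchParams.get("ref");
  if (!ref) return FALLBACK;
  let parsed;
  try {
    parsed = new URL(ref, BASE);       // also resolves relative paths
  } catch {
    return FALLBACK;
  }
  if (parsed.protocol !== "https:") return FALLBACK;
  if (!ALLOWED_HOSTS.has(parsed.hostname)) return FALLBACK;
  return parsed.href;
}
```

The key point is that the value is validated after decoding and in its parsed form, so the check and the browser agree on which host the redirect leads to.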

Sep-22-2020: I reported this vulnerability issue on the Facebook whitehat page.

Sep-23-2020: The Facebook team reproduced and investigated this vulnerability issue.

Sep-28-2020: I provided more details regarding this vulnerability issue.

Oct-08-2020: The vulnerability issue has been patched.

Oct-21-2020: Bounty rewarded.

Thanks for reading this article, I hope you guys learn something new today. Please share this article to spread the knowledge.


Source: https://infosecwriteups.com/facebook-push-notification-linkshim-bypassed-385fe471516?source=rss----7b722bfd1b8d--bug_bounty