facebook games: XSS

m_c
Junior Member
Posts: 24
Joined: Mon Aug 24, 2009 11:53 am


Post by m_c »

Because the XSS problem is more or less solvable, I am creating this thread for problems with Facebook games.

Current case: The Settlers - My City

URL: http://apps.facebook.com/tsmycity

Using Firefox 3.6.8 and NoScript 2.0.2rc5.
When I want to send a gift to a person using the "free gifts" link in-game:

I am able to select a gift, but it is impossible to select a friend after "proceed to send".

Code:

[NoScript XSS] Ein verdächtiger Upload zu [http://www.facebook.com/plugins/serverfbml.php§DATA§%0D%0A%09%09%09%09%09%09%3Cfb%3Afbml%3E%0D%0A%09%09%09%09%09%09%09%3Cfb%3Arequest-form%0D%0A%09%09%09%09%09%09%09%09action%3D%22http%3A%2F%2Fthesettlers.mycity.bluebyte.de%2Ffacebook%2Fgifts.php%3Faccess_token%3D118205224862847%7C2.arUbteFKCdaQ8_WYso67cA__.3600.1281888000-100000184427634%7CI7t9IpLLTAWarhzqSk4Kil-kfgY.%26appid%3D118205224862847%26fbId%3D100000184427634%22%0D%0A%09%09%09%09%09%09%09%09method%3D%22POST%22%0D%0A%09%09%09%09%09%09%09%09type%3D%22Settlers+gift%22%0D%0A%09%09%09%09%09%09%09%09content%3D%22Martin+has+sent+you+a+1+Wood+in+The+Settlers%3A+My+City%21+Do+you+accept+this+gift%3F%3Cfb%3Areq-choice+url%3D%26quot%3Bhttp%3A%2F%2Fubi.li%2FQDEqV%26quot%3B+label%3D%26quot%3BPlay+Settlers%26quot%3B+%2F%3E%22%0D%0A%09%09%09%09%09%09%09%09%0D%0A%09%09%09%09%09%09%09%09%3Cdiv+id%3D%22gift_preview%22+style%3D%22float%3A+left%3B+margin%3A+50px+0+0+30px%3B+text-align%3A+center%3B+width%3A+250px%3B%22%3E%0D%0A%09%09%09%09%09%09%09%09%09%3Cdiv+id%3D%22gift_15%22+style%3D%22height%3A+110px%3B+width%3A+110px%3B+margin%3A+0+auto%3B+display%3A+block%3B%22%3E%0D%0A%09%09%09%09%09%09%09%09%09%09%3Cimg+src%3D%22http%3A%2F%2Fthesettlers.mycity.bluebyte.de%2Ffacebook%2Fimg%2Fgifts%2Ficons%2F15.png%22+%2F%3E%0D%0A%09%09%09%09%09%09%09%09%09%3C%2Fdiv%3E%0D%0A%09%09%09%09%09%09%09%09%09%3Cdiv+style%3D%22margin-top%3A+20px%3B+font-weight%3A+bold%22%3E%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09+%09%09%09%09%091+Wood%09%09%09%09%09%09+%09%09%09%09%09%09%09%09%09%09%09%09%09%3C%2Fdiv%3E%0D%0A%09%09%09%09%09%09%09%09%3C%2Fdiv%3E%0D%0A%09%09%09%09%09%09%09%09%3Cdiv+id%3D%22gift_receivers%22+style%3D%22float%3A+right%3B+width%3A+370px%3B%22%3E%0D%0A%09%09%09%09%09%09%09%09%09%3Ch2%3ESelect+your+friends+you+want+to+send+this+gift%3C%2Fh2%3E%0D%0A%09%09%09%09%09%09%09%09%09%3Cdiv+style%3D%22padding-bottom%3A+8px%3B%22%3E%0D%0A%09%09%09%09%09%09%09%09%09%09%3Cfb%3Amulti-friend-s
elector+%0D%0A%09%09%09%09%09%09%09%09%09%09condensed%3D%22true%22%0D%0A%09%09%09%09%09%09%09%09%09%09selected_rows%3D%225%22%0D%0A%09%09%09%09%09%09%09%09%09%09max%3D%2230%22%0D%0A%09%09%09%09%09%09%09%09%09%09style%3D%22width%3A+370px%3B%22%0D%0A%09%09%09%09%09%09%09%09%09%09exclude_ids%3D%22%22%0D%0A%09%09%09%09%09%09%09%09%09%09showborder%3D%22false%22+%2F%3E%0D%0A%09%09%09%09%09%09%09%09%09%3C%2Fdiv%3E%0D%0A%09%09%09%09%09%09%09%09%09%3Cdiv+style%3D%22width%3A+560px%3B%22%3E%0D%0A%09%09%09%09%09%09%09%09%09%09%3Cfb%3Arequest-form-submit+import_external_friends%3D%22false%22+%2F%3E%0D%0A%09%09%09%09%09%09%09%09%09%09%3Ca+style%3D%22margin-top%3A1px%3B+padding%3A+4px+15px+4px%3B+margin-left%3A4px%3B%22+onclick%3D%22%28parent.parent.bbLoader.loadPage%28%27play%27%29%29%3B+return+false%3B%22+class%3D%22inputbutton+inputaux%22+%3ESkip%3C%2Fa%3E%0D%0A%09%09%09%09%09%09%09%09%09%09%3Cinput+type%3D%22hidden%22+name%3D%22giftTypeId%22+value%3D%2214%22+%2F%3E%0D%0A%09%09%09%09%09%09%09%09%09%3C%2Fdiv%3E%0D%0A%09%09%09%09%09%09%09%09%3C%2Fdiv%3E%0D%0A%09%09%09%09%09%09%09%3C%2Ffb%3Arequest-form%3E%0D%0A%09%09%09%09%09%09%3C%2Ffb%3Afbml%3E%0D%0A%09%09%09%09%09] von [http://thesettlers.mycity.bluebyte.de/facebook/gifts.php?access_token=118205224862847|2.arUbteFKCdaQ8_WYso67cA__.3600.1281888000-100000184427634|I7t9IpLLTAWarhzqSk4Kil-kfgY.&appid=118205224862847&id=14] wurde bereinigt und in eine GET-Anfrage (nur Download) umgewandelt.
Awesome link. :lol:

I will delete the link posted above later to avoid a loss of privacy.

EDIT: oops, I noticed that there is already a thread.
Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 GTB7.1 ( .NET CLR 3.5.30729; .NET4.0E)
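As an added example (not part of m_c's post and not NoScript's own code): a small Python helper that parses a NoScript XSS log line of the shape quoted above, decodes the percent-encoded FBML body, checks whether the upload was cross-site, lists the credential-like query parameters the entry exposes (the access_token the poster wants to remove), and redacts them so the line can be shared safely. The sample log line is constructed and shortened; the game host `game.example` and the token value are placeholders.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed, shortened NoScript XSS log entry in the same shape as the one quoted in the
# post ("§DATA§" separates the target URL from the percent-encoded POST body). The FBML is
# trimmed, the game host is made up and the access token is a placeholder, not a real value.
SAMPLE_LOG = (
    "[NoScript XSS] Ein verdächtiger Upload zu "
    "[http://www.facebook.com/plugins/serverfbml.php§DATA§%3Cfb%3Afbml%3E%3Cfb%3Arequest-form"
    "+action%3D%22http%3A%2F%2Fgame.example%2Fgifts.php%3Faccess_token%3DTOKEN_PLACEHOLDER"
    "%26appid%3D123%22+method%3D%22POST%22%3E%3Cfb%3Amulti-friend-selector+max%3D%2230%22+%2F%3E"
    "%3C%2Ffb%3Arequest-form%3E%3C%2Ffb%3Afbml%3E] von "
    "[http://game.example/gifts.php?access_token=TOKEN_PLACEHOLDER&appid=123&id=14] "
    "wurde bereinigt und in eine GET-Anfrage (nur Download) umgewandelt."
)
LOG_RE = re.compile(r"\[NoScript XSS\] .*? zu \[(?P<dest>[^\]]*)\] von \[(?P<src>[^\]]*)\] (?P<action>.*)$")
SECRET_PARAMS = {"access_token", "token", "session", "sid"}

def parse_xss_log(line):
    """Split a NoScript XSS log line into origin page, target URL and decoded POST body."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dest, _, body = m.group("dest").partition("§DATA§")
    return {"src": m.group("src"), "dest": dest,
            "body": unquote_plus(body),  # the FBML NoScript saw in the upload
            "downgraded_to_get": "GET-Anfrage" in m.group("action")}

def is_cross_site(entry):
    """True when the page that originated the upload and its target are on different hosts."""
    return urlsplit(entry["src"]).hostname != urlsplit(entry["dest"]).hostname

def leaked_secrets(entry):
    """Credential-like query parameter names visible in the log (origin URL or form action)."""
    found = set()
    for url in [entry["src"]] + re.findall(r'action="([^"]+)"', entry["body"]):
        found.update(n for n in parse_qs(urlsplit(url).query) if n.lower() in SECRET_PARAMS)
    return sorted(found)

def redact(line):
    """Blank access_token values (plain or percent-encoded) before a log line is posted."""
    return re.sub(r"(access_token(?:=|%3D))[^&\]]*?(?=%26|&|%22|\"|\])", r"\1REDACTED", line)

if __name__ == "__main__":
    e = parse_xss_log(SAMPLE_LOG)
    print(e["body"], is_cross_site(e), leaked_secrets(e), sep="\n")
    print(redact(SAMPLE_LOG))
```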