Facebook XSS via iPhone, Android, Exporter for iPhoto and Toolbar for Firefox

Posted by: Joy  :  Category: Facebook Tips, Security, Vulnerability

Here we discuss Facebook XSS again. The last XSS method, which used the iPhone prompt_feed.php, has been filtered: they have patched the system, but not every hole, and they still left us a chance to put in another onClick XSS using the same app.

You can still insert the XSS via the iPhone app, via Android, via BlackBerry, via Facebook Exporter for iPhoto, via Facebook Toolbar for Firefox or via Windows Phone, and perhaps some other apps. The instructions are similar to the previous iPhone XSS method, but with a small change. Kindly follow these instructions to get your own Facebook layout: Read more…

Javascript Iframe Overlay Layout

Posted by: Joy  :  Category: JavaScript, Miscellaneous Trick

For those who want to add an HTML iframe layout to their page, overlaid and covering the whole page, you can use this simple script. You can have a defaced-like page using your own site as the content of the page. Whenever you are able to insert an XSS on a certain site, you can also use this to deface the page using your own HTML page. I’m using an HTML frameset to change the document content.

Below is a sample of this kind of JavaScript trick:
http://www.friendster.com/viewphotos.php?uid=108625641&a=351925224
Notice that on the XSSed page above I’m using the HTML frameset tag with the frame src set to the blog crazydavinci.net. You can view the source after the page has fully loaded.

Here is the JavaScript source code: Read more…

Facebook Visitor Log

Posted by: Joy  :  Category: Facebook Tips

Back in November 2009, when I was using the XSS on the Facebook profile box, I used this script to record who had visited my profile. The XSS loaded instantly at that time, not like now, when it is onclick. You can still use this code to keep a log of your Facebook visitors: not real visitors, but more exactly those who have seen your Facebook layout. When your friends see your wall and click the XSS loader, their name, ID, IP and browser are recorded in a text file. You can modify this code to use a database and then show it in your profile, so you can have a list of the latest visitors, just like the old times, the Friendster era.

Just like the other tricks on this blog about Facebook tweaking, you need an XSS loaded on your Facebook profile; you can find it in Facebook XSS onClick via iPhone.

We will need three files for this tweak: a JavaScript file, a PHP file, and a txt file to store the log activity. Kindly follow these steps carefully:
Read more…

Facebook Floating Visitor Picture

Posted by: Joy  :  Category: Facebook Tips

As I promised in Collection of Javascript and CSS Code for Facebook Tweaking, here I’ll share the trick to show the Facebook visitor picture floating on the right side. Always remember that to use this code you have to insert an XSS into your Facebook profile. Kindly read Facebook XSS onClick via iPhone to find out how to do that.

Now let’s go straight to the coding part. Follow these instructions carefully: Read more…