Hacking Facebook: JavaScript Sandboxes and How to Use/Escape/Write Them

1-115, January 21, 23 — 5:00-6:30pm

Facebook applications are fairly complex creatures. They interact with your account information and your profile page to do pretty much anything: modify the DOM, query information about the user's account, and so on.

Most interestingly, Facebook lets you do this by running your code on *.facebook.com itself, in the same origin as Facebook's own pages. In principle that gives your code every privilege Facebook's own code has -- if you can make it happen. App code is written in FBJS, a JavaScript-alike language created by Facebook, which is sanitized (rewritten and restricted before it runs) so that your app can't use that position to do anything "bad".

Is the sanitization sufficient to prevent exploits? If you're familiar with JavaScript, it's actually better than you might initially expect. It has had holes in the past, however, and it presumably still has some. This class will examine the FBJS security model, the holes it has had and how they could have been exploited, and current and in-development JavaScript sandboxing mechanisms.
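To make the security model concrete, here is a toy FBJS-style sandbox written for this page; it is an added example, not Facebook's FBJS implementation, and the helper names idx/ref, the a<appid>_ identifier prefix, the accepted JavaScript subset and the sample app code are all this example's own choices. It shows the three ideas a rewriting sandbox rests on (namespacing every free identifier, mediating every property access, and taming `this`), runs a benign app through it, and then runs two classic escape attempts both with and without the rewriting, so the difference between "code on *.facebook.com" and "sandboxed code on *.facebook.com" is visible.

```javascript
'use strict';
// Added example, not Facebook's FBJS source: a toy FBJS-style sandbox that
// rewrites untrusted app code before evaluating it in the host page's realm.
// The names idx/ref and the a<appid>_ prefix are this toy's own choices.
//  1. every free identifier gets the prefix, so app code cannot even name host
//     globals (window, document, Function, eval, ...) or the helpers below;
//  2. obj[e] becomes obj[idx(e)] and obj.name is checked while rewriting, so
//     names leading back to Function, the prototype chain or the call stack fail;
//  3. `this` becomes ref(this), so a sloppy-mode bare call cannot leak globalThis.
const FORBIDDEN = new Set(['constructor', 'prototype', '__proto__', 'caller',
  'callee', 'arguments', '__defineGetter__', '__defineSetter__',
  '__lookupGetter__', '__lookupSetter__']);
const KEYWORDS = new Set(['var', 'let', 'const', 'function', 'return', 'if', 'else',
  'for', 'while', 'do', 'break', 'continue', 'new', 'typeof', 'in', 'instanceof',
  'true', 'false', 'null', 'undefined', 'void', 'throw', 'try', 'catch', 'finally']);

// Property-name guard: applied at run time for obj[e], at rewrite time for obj.name.
function idx(name) {
  const s = String(name);
  if (FORBIDDEN.has(s) || s.startsWith('__')) {
    throw new Error('sandbox: forbidden property name ' + JSON.stringify(s));
  }
  return s;
}
// Tokenizer for the small JavaScript subset the toy accepts. Characters it does
// not know (backticks, backslashes outside strings, ...) are rejected outright.
const TOKEN = /\s+|\/\/[^\n]*|"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*'|[A-Za-z_$][\w$]*|\d+(?:\.\d+)?|[()\[\]{};,]|[=!<>]=?=?|&&|\|\||[+\-*\/%?:.]/g;
function tokenize(src) {
  const out = []; let pos = 0, m; TOKEN.lastIndex = 0;
  while ((m = TOKEN.exec(src)) !== null && m.index === pos) {
    out.push(m[0]);
    pos = TOKEN.lastIndex;
  }
  if (pos !== src.length) throw new Error('sandbox: unexpected input at offset ' + pos);
  return out;
}
function rewrite(appId, src) {
  const prefix = 'a' + appId + '_';
  const out = [];
  const brackets = [];   // per open '[': true for an index, false for an array literal
  let prev = null;       // previous significant token, as the app wrote it
  for (const t of tokenize(src)) {
    if (/^\s/.test(t) || t.startsWith('//')) { out.push(t); continue; }
    if (/^[A-Za-z_$]/.test(t)) {
      if (prev === '.') out.push(idx(t));            // static member: check now
      else if (t === 'this') out.push('ref(this)');
      else if (KEYWORDS.has(t)) out.push(t);
      else out.push(prefix + t);                      // free identifier: namespace it
    } else if (t === '[') {
      // '[' right after an operand indexes it; anywhere else it opens an array literal
      const isIndex = prev !== null && (prev === ')' || prev === ']' ||
        (/^[\w$"']/.test(prev) && !KEYWORDS.has(prev)));
      brackets.push(isIndex);
      out.push(isIndex ? '[idx(' : '[');
    } else if (t === ']') {
      if (brackets.length === 0) throw new Error('sandbox: unbalanced ]');
      out.push(brackets.pop() ? ')]' : ']');
    } else out.push(t);
    prev = t;
  }
  if (brackets.length !== 0) throw new Error('sandbox: unbalanced [');
  return out.join('');
}
// ref(this): a leaked real global object is replaced by the app's stand-in.
function makeRef(safeThis) {
  return (t) => (t === undefined || t === null || t === globalThis) ? safeThis : t;
}
// Evaluate rewritten app code with only idx, ref and the host API in scope.
function runApp(appId, src, api) {
  const fn = new Function('idx', 'ref', 'a' + appId + '_api', rewrite(appId, src));
  const safeThis = Object.create(null);
  return fn.call(safeThis, idx, makeRef(safeThis), api);
}
// The same code with no rewriting: code on *.facebook.com with no sandbox at all.
function runUnsandboxed(src, api) {
  return new Function('api', src).call(undefined, api);
}

// Constructed sample app code.
const API = { greet: (name) => 'hello, ' + name };
const BENIGN = 'var xs = [1, 2, 3], total = 0;\n' +
  'for (var i = 0; i < xs.length; i = i + 1) { total = total + xs[i]; }\n' +
  'return total + api.greet("bob").length;';
// Classic escape: any object's constructor chain reaches Function, which hands
// back the real global object when asked.
const ESCAPE_CTOR = 'var o = {}; var F = o["constr" + "uctor"]["constr" + "uctor"];\n' +
  'return F("return this")();';
// Sloppy-mode bare call leaks globalThis through `this`.
const ESCAPE_THIS = 'var f = function () { return this; }; return f();';
function demo() {
  let blocked = null;
  try { runApp(1, ESCAPE_CTOR, API); } catch (e) { blocked = e.message; }
  return {
    benign: runApp(1, BENIGN, API),
    ctorBlocked: blocked,
    thisLeakIsGlobal: runApp(1, ESCAPE_THIS, API) === globalThis,
    unsandboxedCtorIsGlobal: runUnsandboxed(ESCAPE_CTOR, API) === globalThis,
    unsandboxedThisIsGlobal: runUnsandboxed(ESCAPE_THIS, API) === globalThis,
  };
}
if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Running demo() shows the benign app computing 16, the constructor-chain escape rejected by idx with "forbidden property name \"constructor\"", the `this` leak returning the app's empty stand-in rather than the global object, and both escapes succeeding the moment the rewriting is skipped. The point for the rest of this class is that every hole in such a sandbox is a path the rewriter failed to mediate: a token its tokenizer does not recognise, a property name it forgot to forbid, or a way to obtain a reference it never saw in the source. A real system needs a full parser rather than this regex tokenizer, and an allow-list of property names rather than a deny-list.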

Contact Info

Jeff Walden — sipb-iap-facebook at mit dot edu

Slides

Resources