CVE-2019-18426 PoC — Facebook WhatsApp 跨站脚本漏洞

Source

https://github.com/PerimeterX/CVE-2019-18426

Associated Vulnerability

Title:Facebook WhatsApp 跨站脚本漏洞 (CVE-2019-18426)
Description:Facebook WhatsApp是美国Facebook公司的一套利用网络传送短信的移动应用程序。该应用程序通过智能手机中的联络人信息，查找使用该软件的联络人传送文字、图片等。 Facebook WhatsApp（桌面版）0.3.9309之前版本中存在跨站脚本漏洞。该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。

Readme

# WhatsApp Vulnerabilities Disclosure - Open Redirect + CSP Bypass + Persistent XSS + FS read permissions + potential for RCE

## [CVE-2019-18426](https://nvd.nist.gov/vuln/detail/CVE-2019-18426)

## [Technical Article](./article/)

## [Original Vulnerabilities Disclosures Documents](./docs)

## [DEMO Vids!](./vids)

File Snapshot


 [4.0K]  /data/pocs/fe6fd778bfe53c28ab113390bf1d7454847bf043
├── [4.0K]  article
│   ├── [ 14K]  1.jpg
│   ├── [ 23K]  2.jpg
│   ├── [ 21K]  3.jpg
│   ├── [ 38K]  4.jpg
│   ├── [193K]  5.jpg
│   ├── [285K]  6.jpg
│   ├── [179K]  7.jpg
│   ├── [205K]  8.jpg
│   ├── [181K]  9.jpg
│   └── [ 16K]  README.md
├── [4.0K]  docs
│   ├── [4.0K]  docx
│   │   ├── [9.1K]  WHATSAPP - CSP complete bypass using OBJECT tag [HIGH RISK].docx
│   │   ├── [9.3K]  WHATSAPP - One Click Open Redirect via URL filtering bypass using at sign (@) [MEDIUM RISK].docx
│   │   ├── [9.8K]  WHATSAPP - One Click Persistent XSS AND RCE via URL filtering bypass using javascript_ [HIGH RISK].docx
│   │   └── [9.9K]  WHATSAPP - One Click Persistent XSS via URL filtering bypass using javascript_ [HIGH RISK].docx
│   ├── [ 63K]  WHATSAPP - CSP complete bypass using OBJECT tag [HIGH RISK].pdf
│   ├── [ 76K]  WHATSAPP - One Click Open Redirect via URL filtering bypass using at sign (@) [MEDIUM RISK].pdf
│   ├── [ 73K]  WHATSAPP - One Click Persistent XSS AND RCE via URL filtering bypass using javascript_ [HIGH RISK].pdf
│   └── [ 80K]  WHATSAPP - One Click Persistent XSS via URL filtering bypass using javascript_ [HIGH RISK].pdf
├── [ 11K]  LICENSE
├── [ 318]  README.md
└── [4.0K]  vids
    ├── [9.2M]  NON_TECHNICAL_RISK_SIMULATION.mkv
    ├── [ 158]  README.md
    └── [ 26M]  TECHNICAL_EXPLOITATION_SIMULATION.mkv

4 directories, 23 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!