When I was browsing Instagram using my iPhone and clicked a link, I noticed that Instagram launched a feature named Link shim. This is used to protect Facebook and Instagram users from malicious URLs.

So my first step was to test Instagram for an Open Redirect. When you click any URL on Instagram, it will look similar to the following:


So I cleared my session cookies and web cache, and tested the effect of changing the u parameter to another URL.


This tells the user that he/she will be redirected to another URL.

Leaving Instagram You followed a link on instagram.com that redirects to http://ameeras.me

If the user clicks the Follow link, he/she will be redirected to http://ameeras.me

Hmmm, let’s try to change this Open Redirect to XSS!

I returned to https://www.instagram.com/linkshim/notify?u=http://ameeras.me

and changed the URL in the u parameter to javascript:alert(1)


Then I clicked the Follow link and the JavaScript executed in the Safari browser on my iPhone 😃

Quickly, I turned on my computer, opened the link, looked at the source code and found this vulnerable JavaScript snippet:

<script type="text/javascript">
function learnMoreClicked(link) {
    link.style.visibility = 'hidden';
    document.getElementById('explanation').style.visibility = 'visible';
}

function followLinkClicked() {
    // The value of the u parameter is written straight into the assignment,
    // so a javascript: URL is executed in the page's origin instead of navigating away.
    location.href = "javascript:alert(1)";
}
</script>

The last line, the assignment to location.href, was vulnerable to XSS.
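What a fix for this pattern looks like, as an added example (this is not Instagram's code): before a redirect page hands the u parameter to location.href, it parses the value with the WHATWG URL parser and accepts only absolute http/https targets, so javascript: and data: schemes, including case and whitespace variants, are rejected. The sample inputs and the function names isSafeRedirectTarget and safeFollowLink are constructed for the example.

```javascript
// Added example (not Instagram's code): a redirect page should only hand
// the "u" parameter to location.href after confirming the scheme is http(s).
// A bare assignment like location.href = "javascript:alert(1)" executes the
// script in the page's origin instead of navigating away.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns true only for absolute http/https URLs. The URL parser lowercases
// the scheme and strips leading/trailing whitespace, so variants such as
// "  JaVaScRiPt:alert(1)" are normalised before the check.
function isSafeRedirectTarget(raw) {
  if (typeof raw !== "string") return false;
  let parsed;
  try {
    parsed = new URL(raw); // no base URL: relative / scheme-less input throws
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Hardened counterpart of followLinkClicked(): returns the href that would be
// assigned, or null when the target is rejected. In a browser you would run
// `location.href = target` only when this returns a non-null value.
function safeFollowLink(raw) {
  if (!isSafeRedirectTarget(raw)) return null;
  return new URL(raw).href; // normalised absolute URL
}

// Constructed test inputs, not taken from the original report.
const samples = [
  "http://ameeras.me",
  "javascript:alert(1)",
  "  JaVaScRiPt:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "//attacker.example/path",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeFollowLink(s));
}
```

Rejecting relative and scheme-less input is deliberate: a redirect endpoint that accepts whatever the browser would resolve ends up trusting the parser's fallback behaviour instead of an explicit allow list of schemes.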

Here is a demonstration with Instagram session cookies

PoC Video


Facebook has since filtered for invalid links


  • June 20, 2016: Bug Reported
  • June 22, 2016: Facebook confirms the vulnerability
  • June 23, 2016: Facebook informs me they have fixed the issue
  • June 30, 2016: bounty awarded

Finally, I would like to thank @phwd for helping make this write-up.


Modern web applications rely on many technologies, so typical web application vulnerabilities are hard to find (e.g. clickjacking is an ABC security bug), but bug hunters are always the best!

Binary.com is one of the oldest and most respected names in online binary trading. Using Binary.com, customers can trade currencies, indices, stocks and commodities 24/7.

Binary.com is owned and operated by the Binary Ltd. group of companies. In the UK and Isle of Man, clients trade through Binary (IOM) Ltd. In the European Union (except UK), they trade through Binary (Europe) Ltd and Binary Investments (Europe) Ltd. In the rest of the world, they trade through Binary (C.R.) S.A.

The bug:

While doing pentesting/bug hunting I also love to test subdomains, not only the main site, so I started testing the ticktrade.binary.com subdomain and found that it was not protected against clickjacking, neither with the typical “X-Frame-Options” header nor with the JS frame-busting technique. That means a malicious attacker is capable of iframing the whole service and tricking end users into performing unwanted actions!

So I reported this vulnerability to Binary.com with this PoC:

<iframe src="https://ticktrade.binary.com" width=600 height=400>
<p>Your browser does not support iframes.</p>
</iframe>

Then I got this reply from the security team on the same day:

and after two days I received a reply that the issue had been fixed.

I always love to bypass a resolved issue; now comes the fun bit.

I started looking at how the security team fixed this vulnerability, i.e. whether the vulnerability was patched by adding X-Frame-Options or by using the JS frame-busting technique, and got it: the team used the JS frame-busting technique to patch this vulnerability. So let’s see how I bypassed this patch by exploiting the HTML5 security feature of sandboxed iframes.

What are sandboxed iframes?

The sandbox attribute enables an extra set of restrictions for the content in the iframe. When the sandbox attribute is present, it will:

  • Treat the content as being from a unique origin
  • Block form submission
  • Block script execution
  • Disable APIs
  • Prevent links from targeting other browsing contexts
  • Prevent content from using plugins (through <embed>, <object>, <applet>, or other means)
  • Prevent the content from navigating its top-level browsing context
  • Block automatically triggered features (such as automatically playing a video or automatically focusing a form control)

Attack Scenario:

Iframe the Settings page or any other sensitive page inside a sandboxed iframe, which prevents the framed page from redirecting the top window while still allowing its scripts to run, and fool users into performing unwanted actions.

The final bypass PoC:

<iframe sandbox="allow-modals allow-scripts allow-forms allow-popups allow-same-origin"
src="http://ticktrade.binary.com" width=600 height=400>
<p>Bypassed By @AmeerAssadi.</p>
</iframe>
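Why the header-based fix survives this trick while JS frame busting does not, as an added example that is not Binary.com's code: the block below models the browser's framing decision. A response carrying X-Frame-Options or a CSP frame-ancestors directive is refused before any script runs, whereas a frame-busting script only works if the sandbox lets it execute and also lets it navigate the top-level context (the allow-top-navigation token, which the PoC above omits). The origins, the sandbox token list and the function names (antiFramingHeaders, headersAllowFraming, frameBustingEffective, clickjackable) are constructed for this example.

```javascript
// Added example, not Binary.com's code: models how a browser decides whether
// a page may be framed, to show why header-based defences survive the
// sandboxed-iframe trick while JS frame busting does not.

// Headers a page that must never be framed should send.
function antiFramingHeaders() {
  return {
    "x-frame-options": "DENY",
    "content-security-policy": "frame-ancestors 'none'",
  };
}

// Parse the frame-ancestors source list out of a CSP header value.
// Returns null when the directive is absent.
function frameAncestorsSources(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === "frame-ancestors") return parts.slice(1);
  }
  return null;
}

// May `embedderOrigin` frame a response from `pageOrigin` with `headers`?
// Header names are lower-case. When both are present, CSP frame-ancestors
// takes precedence over X-Frame-Options.
function headersAllowFraming(headers, pageOrigin, embedderOrigin) {
  const sources = frameAncestorsSources(headers["content-security-policy"]);
  if (sources !== null) {
    return sources.some((src) => {
      const s = src.toLowerCase();
      if (s === "'none'") return false;
      if (s === "'self'") return embedderOrigin === pageOrigin;
      if (s === "*") return true;
      return s === embedderOrigin.toLowerCase();
    });
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === pageOrigin;
  return true; // no header: anything may frame the page
}

// JS frame busting (top.location = self.location) only helps if the framed
// page's script runs AND it may navigate the top-level browsing context.
// With sandbox="allow-scripts ..." and no allow-top-navigation token (the
// bypass in the write-up) the script runs but the navigation is blocked;
// without allow-scripts the frame buster never runs at all.
function frameBustingEffective(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) return true; // no sandbox
  const tokens = new Set(sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean));
  return tokens.has("allow-scripts") && tokens.has("allow-top-navigation");
}

// Overall verdict: true means a clickjacking frame would be displayed.
function clickjackable({ headers, pageOrigin, embedderOrigin, usesFrameBusting, sandboxAttr }) {
  if (!headersAllowFraming(headers, pageOrigin, embedderOrigin)) return false;
  if (usesFrameBusting && frameBustingEffective(sandboxAttr)) return false;
  return true;
}

// Constructed scenarios mirroring the write-up (embedder origin is a placeholder).
const page = "https://ticktrade.binary.com";
const attacker = "https://attacker.example";
const bypassSandbox = "allow-modals allow-scripts allow-forms allow-popups allow-same-origin";
console.log("frame busting only, sandboxed frame:",
  clickjackable({ headers: {}, pageOrigin: page, embedderOrigin: attacker,
                  usesFrameBusting: true, sandboxAttr: bypassSandbox }));
console.log("header defence, sandboxed frame:",
  clickjackable({ headers: antiFramingHeaders(), pageOrigin: page, embedderOrigin: attacker,
                  usesFrameBusting: false, sandboxAttr: bypassSandbox }));
```

The model deliberately treats the headers as the only defence the embedder cannot switch off: the sandbox attribute is chosen by the framing page, so any protection that depends on the framed page's own script running with top-navigation rights is under the attacker's control.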

PoC video:


The Binary security team rewarded me with a bounty and added my name to their Hall of Fame page. Thanks, Binary!


  • Monday, 23rd May 2016 - Issue Reported
  • Monday, 23rd May 2016 - Issue Confirmed & Triaged
  • Wednesday, 25th May 2016 - Issue Resolved and team asks me to verify the fix
  • Wednesday, 25th May 2016 - Patch bypass sent
  • Wednesday, 8th June 2016 - Issue Patched