[WEB SECURITY] XSS attacks via User-Agent header

MustLive mustlive at websecurity.com.ua
Sun Jun 12 12:37:11 EDT 2011


Hello participants of Mailing List.

In my article XSS attacks via User-Agent header
(http://websecurity.com.ua/5195/), which I published last week, I told about
different methods of such attacks.

HTTP header User-Agent often used by web applications and systems (for
different purposes), so possibility of spoofing this header allows to
conduct attacks. It can be as spoofing attacks (as against web applications,
as web applications can use this header with purposes of cloaking), as for
XSS attacks. Earlier I already told about possibility of attack via spoofing
User-Agent in article Bypass of systems for searching viruses at web sites
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-May/006512.html),
and now I'll tell about Cross-Site Scripting attacks via User-Agent header.

Taking into account that User-Agent header often used by web applications,
which show value of this header at web page, at that developers often forget
about its filtration, it allows XSS attacks at these web applications. There
are as reflected XSS, as persistent XSS vulnerabilities which concern with
User-Agent.

Conducting of XSS attacks via User-Agent.

There are next methods of conducting XSS attacks via User-Agent:

1. Via Flash.

2. Via spoofing of User-Agent at persistent XSS vulnerabilities.

3. Via JavaScript.

4. Via ActiveX.

5. Via spoofing User-Agent in browsers by viruses.

6. Via proxy which is spoofing User-Agent.

Attack via Flash.

One of the most easiest methods of conducting XSS attacks, particularly on
reflected XSS vulnerabilities, is using of Flash. When special swf-file is
creating, which sends request to target site at that setting XSS payload in
User-Agent header.

These attacks will work only on old versions of flash plugin - in Flash
Player 9.0.16 and previous versions. Starting from version 9.0.28 using of
User-Agent header is forbidden.

As I noted in article Sending server headers in Flash
(http://websecurity.com.ua/5188/), in flash plugin 10.0.22.87 and next
versions there are altogether forbidden 47 server headers. More in detail
about XSS attacks via headers in flash you can read in this article.

Sending of arbitrary headers via Flash.

Even Adobe forbidden sending of some headers via flash (at this time these
are 47 server headers, as I mentioned above), but all other headers are
allowed. I.e. it's possible to send via Flash arbitrary headers (except
forbidden ones), as from among known headers which are standardized, as any
others.

I.e. if any web application is using non-standard header, or headers from
new standards, then it'll be possible to conduct attack on this web
application. Similarly as in case of using standard headers from among
allowed in flash (e.g. Accept and Accept-Language headers are allowed). And
besides User-Agent the web applications work with many other headers, which
allows to conduct XSS attacks on them.

Attack via spoofing of User-Agent at persistent XSS vulnerabilities.

At existing of persistent XSS vulnerabilities (particularly in external web
applications), it's possible to spoof User-Agent and conduct XSS attack on
affected web application.

It's doing by creating exploit or using existent software, which can send
arbitrary headers. For sending of request with User-Agent with XSS payload.

Attack via JavaScript.

Among modern browsers there are such ones, which allow to change User-Agent
via JavaScript. In this case persistent change of User-Agent occurs, not at
one request as it has place in case of attack via flash.

Particularly there is such possibility in browsers from Mozilla (in browsers
on Gecko engine), as in old Mozilla, as in new Firefox, including Firefox
3.х and 4. With JS code for changing of User-Agent in browser you can
familiarize yourself at my site (http://mlbpg.narod.ru/useragent.html).

This code I've made already in 2003. It changes the value of parameter
general.useragent.override. This attack will work only locally, but not
online. So it's needed to force user to save html-page on his computer and
open it locally (or put it for him by different ways for local opening). I
wrote already about such attacks on browsers, so it's quite real.

>From other side, it's possible to use Cross Context Scripting (Cross-zone
scripting) vulnerabilities (http://websecurity.com.ua/4308/) in browsers on
Gecko engine to remotely execute code in local context and conduct changing
of User-Agent in browser. I'll add, that at this change in old Mozilla 1.7.х
and previous versions there were no messages, so it was possible to conduct
the attack hiddenly, but in Firefox 3.х the messages shows already (but if
to set appropriate checkbox, then it'll not show anymore). But it's not a
problem, because user can be fraudulently forced to press Allow, and many
users will automatically at all press Allow in this message.

Attack via ActiveX.

In Internet Explorer and browsers on IE engine it's possible via ActiveX
component (similarly as in Flash ActiveX component) to spoof User-Agent
header. Similarly can be added any other server headers. So malicious
components in IE can conduct such attacks.

Attack via spoofing User-Agent in browsers by viruses.

Viruses which got to user's computer can change User-Agent in one or in all
browsers, which he is using. In this case persistent change of User-Agent
occurs, not at one request as it has place in case of attack via flash.
Similarly can be added any other server headers.

There are possible different variants of changing User-Agent by malicious
software. In browsers Mozilla and Firefox the virus can add required value
of User-Agent in the file prefs.js in the folder with user's profile. It
also can be made by intruder at temporary access to user's computer.

In file prefs.js the next line is adding (or changing existent one):

user_pref("general.useragent.override", "XSS payload");

For attack on all browsers it's possible to infect exe-files (or dll-files)
of browsers, to add the function in them which set fixed value of User-Agent
(which is more complex), or to add plugin/add-on for the browser which is
doing this operation (which is easier). This attack also can be made via
plugins/add-ons, which are downloading by user from Internet - it can be
fake plugins which don't do anything (at that changing User-Agent), or even
have some public functionality (at that hiddenly changing User-Agent), or it
can be legal plugins in which there is such hidden functionality (which can
be made by plugin's author, or by bad guy who included such code in the
plugin).

Attack via proxy which is spoofing User-Agent.

In case of attack via proxy in all requests from browser the proxy can
replace User-Agent, to set header with XSS payload. The attack will last
until user will be using this proxy (only in case of attack on Ad Muncher
the persistent change of User-Agent will occur). Similarly can be added any
other server headers.

This attack can going on in the next way:

a) At computer of the user the software is installed which is working as
proxy. E.g. such as Ad Muncher (about different universal XSS in which I
wrote last year), which can spoof value of User-Agent. Virus at user's
computer or intruder at temporary access to his computer can change setting
of Ad Muncher, to set required value of User-Agent.

b) User set the proxy for his browser - it can be public anonymous proxy,
which is controlled by bad guy, or user is fraudulently forced to set
required proxy, or virus did it by changing browser's settings. And this
proxy is replacing value of User-Agent.

Besides, at attack via JavaScript (or viruses) it's also possible to change
proxy settings in the browser. Particularly in browsers on Gecko engine it's
needed to set parameters network.proxy.http, network.proxy.http_port and set
network.proxy.type = 1. Thus it's possible to combine attacks 3 and 6 or 5
and 6.

c) Some Internet providers in real time are making changes in
requests/responses, which come from/to the user. And malicious provider (or
hacked provider) can replace value of User-Agent.

d) At MITM attack, e.g. at using of WiFi, also can be replaced value of
User-Agent.

Conclusion.

It's seen from above-mentioned, that there are many methods of spoofing
User-Agent, particularly for conducting XSS attacks. So web developers need
always to attend to security of own applications. To not allow Cross-Site
Scripting vulnerabilities, including at work with User-Agent header.





More information about the websecurity mailing list