[WEB SECURITY] Exploiting User-Agent XSS

MustLive mustlive at websecurity.com.ua
Tue Jun 7 16:50:00 EDT 2011


Hi Michal and guys!

Last week I wrote two articles: the 1st one - Sending server headers in
Flash (which I reference in the 2nd article) and the 2nd one - XSS attacks
via User-Agent header (http://websecurity.com.ua/5195/). The topic is large,
so I needed to split it into two articles. In the second article (which
I'll translate for you) I talk both about XSS attacks via the User-Agent
header and (briefly) about attacks via other headers.

So soon I'll translate this article for you (it's quite large, but I'm
planning to finish the translation in the next few days). In the article I
described the following attack vectors using the UA header: via Flash, via
spoofing of User-Agent at persistent XSS vulnerabilities, via JavaScript,
via ActiveX, via spoofing of User-Agent in browsers by viruses, and via a
proxy which spoofs User-Agent.

> There are many RCE and UXSS vulnerabilities in outdated Flash plugins;
> there is no way you can protect such users.

It's true concerning other attacks (browser-based attacks) on such users.
But things are different when we talk about XSS attacks via Flash on these
users. It is possible to protect them from such attacks (without asking
them to update their browser/plugin/brain/etc.) by fixing these XSS holes
at the vulnerable sites. If the lame admins of these sites don't want to
fix these (as any other) holes, then other actions can be taken. To make a
long story short: an XSS hole via the User-Agent header is a problem of the
site, not of the Flash plugin.

> If you know a way to inject U-A headers into
> cross-domain requests, it would certainly be considered a browser bug

Partly it is. But on the other side, if some request is made by some
browser of some user with a U-A changed from the default, then it's not a
big deal for the browser (or for the Flash plugin), even if this header
contains an XSS payload :-). As I wrote above, an XSS hole via the
User-Agent header is a problem of the site, not of the browser / Flash
plugin.

But Adobe and browser developers are trying to fix such holes, and besides
doing good, they are also doing bad. Such examples concern not only this
case with U-A, but many other cases. I'll not write further on this,
because it's a different topic than "Exploiting User-Agent XSS" started by
the topic-starter. Just note, guys, that any moaning like "Adobe fixed this
attack vector, so it's not possible any more, so don't care about XSS via
U-A at all" is incorrect and will lead to a further decrease in the
security of web sites. So the main leitmotif of my article is that there
are many methods of conducting XSS via User-Agent, and developers always
need to work to prevent such vulnerabilities (and I wrote about that in the
article's conclusion).

> - and would likely be addressed swiftly.

Michal, such things don't always happen :-). Like when in March I informed
Mozilla, Microsoft, Google and Opera about a vulnerability which concerns
many browsers (these ones, as well as almost all others): Google and Opera
just ignored it. Microsoft asked for additional details and after that
(when I gave them to them) ignored it. Only Mozilla didn't ignore it and
promised to fix it (but it can stretch over a long time, even years, like
it was with the CSS history hack).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "Michal Zalewski" <lcamtuf at coredump.cx>
To: "MustLive" <mustlive at websecurity.com.ua>
Cc: <atul at secfence.com>; <websecurity at lists.webappsec.org>
Sent: Tuesday, May 31, 2011 2:53 AM
Subject: Re: [WEB SECURITY] Exploiting User-Agent XSS


> It's not working in new versions of the Flash plugin, but it's working in
> older versions. So no need to fully forget about it.

There are many RCE and UXSS vulnerabilities in outdated Flash plugins;
there is no way you can protect such users.

> 3. Other advanced methods. Among them there is also such a one as using
> JS. Even if other guys told you that there is no possibility via JS, it's
> not true - there is such a way (which works in some browsers). I have known
> about this method since 2004 and at that time I wrote about it on one of my
> sites (not for security purposes) and I tested this method in modern
> versions of those browsers.

Please do share. If you know a way to inject U-A headers into
cross-domain requests, it would certainly be considered a browser bug
- and would likely be addressed swiftly.

/mz
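The site-side bug both messages keep coming back to, shown as an added example (not code from either message or from the articles MustLive refers to): a page that echoes the User-Agent header into HTML raw beside the same page with the header entity-encoded, the persistent variant where the payload sits in an access log and fires in an admin's "recent visitors" viewer, and the reflection check a tester runs after sending a canary in the header. The function names, the log lines and the User-Agent strings are constructed for illustration and are assumptions, not anything from the thread.

```python
"""XSS via the User-Agent header: reflected and stored sinks, vulnerable
and hardened, plus the reflection check a tester would run.

Added example, not code from the thread. Function names, the log lines
and the User-Agent strings below are constructed for illustration.
"""
import html
import re
from typing import Optional

# Constructed User-Agent values. The second is what an attacker sends with
# curl, an intercepting proxy, or a browser whose UA string was changed.
BENIGN_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
PAYLOAD_UA = "Mozilla/5.0 <script>alert(document.cookie)</script>"


def render_vulnerable(user_agent: str) -> str:
    """'Your browser is ...' page that echoes the header into HTML unchanged.

    This is the site-side bug the thread is about: the server treats a
    client-controlled header as if it were trusted text.
    """
    return f"<p>Your browser is: {user_agent}</p>"


def render_safe(user_agent: str) -> str:
    """Same page with the header entity-encoded before it reaches markup."""
    return f"<p>Your browser is: {html.escape(user_agent, quote=True)}</p>"


# Apache/nginx 'combined' log format; the last quoted field is User-Agent.
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line: str) -> Optional[dict]:
    """Split one combined-format access-log line into its fields."""
    m = _COMBINED.match(line)
    return m.groupdict() if m else None


def render_log_viewer(lines, escape: bool = True) -> str:
    """Admin 'recent visitors' table built from the access log.

    With escape=False this is the persistent variant: the payload was
    written to the log by one request and fires for every admin who
    opens the page afterwards.
    """
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    rows = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # malformed line: skip rather than render a partial row
        rows.append(f"<tr><td>{enc(rec['ip'])}</td><td>{enc(rec['ua'])}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def reflected_unescaped(page: str, canary: str) -> bool:
    """Tester's check: does a canary sent in User-Agent come back verbatim?

    Send something like '"<ua-canary>' in the header and look for it
    unchanged in the response; an entity-encoded copy (&lt;ua-canary&gt;)
    means the sink is escaped.
    """
    return canary in page


# Constructed log lines (not from a real server); the second carries the payload.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jun/2011:16:50:00 -0400] "GET / HTTP/1.1" 200 1234 "-" "%s)"' % BENIGN_UA[:-1],
    '198.51.100.9 - - [07/Jun/2011:16:51:12 -0400] "GET /stats HTTP/1.1" 200 512 "-" "%s"' % PAYLOAD_UA,
]

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD_UA))
    print(render_safe(PAYLOAD_UA))
    print(render_log_viewer(SAMPLE_LOG, escape=False))
    print(render_log_viewer(SAMPLE_LOG))
```

The fix is the same for both sinks: encode the header at the point where it is written into HTML, regardless of which client (Flash, a proxy, a modified browser) put the value there. The reflection check is what to run against a "browser info", error or stats page during a test: a canary with a quote and an angle bracket that returns byte-for-byte is a confirmed sink.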
