[WEB SECURITY] Exploiting User-Agent XSS
Achim Hoffmann
websec10 at sic-sec.org
Thu May 26 13:56:52 EDT 2011
Hi Atul,
assuming that you mean a method which can automatically spoof the UA, you
need to find a vulnerability in the browser, as all modern browsers no
longer allow setting the UA programmatically (i.e. using JavaScript).
Though, I'm not sure about plug-ins like flash ...
But if you manage to proxy the request in question, that proxy can spoof
the UA and hence exploit the XSS vuln in the application.
- Achim
On 26.05.2011 15:04, Atul Agarwal wrote:
> Hello List,
>
> Is anyone aware of any reliable method to force the user (victim) to
> change/spoof the User-Agent of the browser so as to exploit an XSS Vuln.
>
> The flash technique does not work any more.
>
> Thanks,
> Atul Agarwal
> Secfence Technologies
> http://www.secfence.com