[WEB SECURITY] Exploiting User-Agent XSS

Achim Hoffmann websec10 at sic-sec.org
Thu May 26 13:56:52 EDT 2011

Hi Atul,

assuming that you mean a method which can automatically spoof the UA, you
need to find a vulnerability in the browser as all modern browsers no
longer allow setting the UA programmatically (i.e. using JavaScript).
Though, I'm not sure about plug-ins like flash ...

But if you manage to proxy the request in question, that proxy can spoof
the UA and hence exploit the XSS vuln in the application.

- Achim

On 26.05.2011 15:04, Atul Agarwal wrote:
> Hello List,
> Is anyone aware of any reliable method to force the user (victim) to
> change/spoof the User-Agent of the browser so as to exploit an XSS Vuln.
> The flash technique does not work any more.
> Thanks,
> Atul Agarwal
> Secfence Technologies
> http://www.secfence.com
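
Added example, not part of the original thread: because anything in the request path (the reply mentions a proxy) can set the header, the application has to treat User-Agent as untrusted input and encode it wherever it is reflected. The handler names, page template and sample header values below are constructed for illustration.

```python
import html

# Constructed sample values for the User-Agent header (not from the thread).
BENIGN_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"
MARKUP_UA = '"><script>alert(1)</script>'

# Hypothetical page fragment that echoes the header in two HTML contexts.
TEMPLATE = '<p>Browser: <span title="%s">%s</span></p>'


def render_vulnerable(environ):
    """'Before' case: the header is reflected verbatim into the page."""
    ua = environ.get("HTTP_USER_AGENT", "")
    return TEMPLATE % (ua, ua)


def render_hardened(environ):
    """The header is encoded for both HTML text and quoted-attribute context."""
    ua = html.escape(environ.get("HTTP_USER_AGENT", ""), quote=True)
    return TEMPLATE % (ua, ua)


def reflects_raw_markup(render):
    """Regression check: does header markup survive unencoded in the output?"""
    page = render({"HTTP_USER_AGENT": MARKUP_UA})
    return MARKUP_UA in page


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable),
                     ("hardened", render_hardened)):
        print(name, "reflects raw markup:", reflects_raw_markup(fn))
```

The `environ` argument follows the WSGI convention, where the User-Agent request header arrives as `HTTP_USER_AGENT`.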

