[WEB SECURITY] Exploiting User-Agent XSS

Rohit Pitke rohirp92 at yahoo.com
Sat May 28 06:46:58 EDT 2011


Leveraging reflected XSS by exploiting the user in real time, especially if 
the user-agent is XSS prone, is far more difficult now. Almost impossible, as 
JS (browsers) and Flash are not allowing it.

Are group members aware of some technique wherein an attacker would force the victim's 
browser to temporarily set some proxy which is controlled by the attacker only? i.e. a 
scenario like

Attacker-> victim's browser->attacker controlled proxy->change request->server

Changing the proxy and profile in Firefox is possible using a specifically written 
extension, but I am not aware if any other easy way is out there that would also work 
in an XSS exploit scenario. This might be a hypothetical scenario, but I will always use 
this scenario to get the issue fixed :-)

Regards,
Rohit Pitle




________________________________
From: Mike Duncan <Mike.Duncan at noaa.gov>
To: Atul Agarwal <atul at secfence.com>
Cc: websecurity at lists.webappsec.org
Sent: Fri, May 27, 2011 7:43:48 PM
Subject: Re: [WEB SECURITY] Exploiting User-Agent XSS

By Flash technique, I guess you mean the use of AS' getUrl(). Perhaps a
Java/Silverlight/ActiveX app which makes the request with the malicious
UA and then dumps the response to a DIV or something on the page.

Of course, an applet/object trying to make a connection to another host
will need to be signed, possibly meaning some social engineering is
required as well.

Mike Duncan
Application Security Specialist
US Government Contractor, STG Inc.
NOAA National Climatic Data Center
Information Technology Security (ITS)



On 05/26/11 09:04, Atul Agarwal wrote:
> Hello List,
> 
> Is anyone aware of any reliable method to force the user (victim) to
> change/spoof the User-Agent of the browser so as to exploit an XSS vuln.
> 
> The flash technique does not work any more.
> 
> Thanks,
> Atul Agarwal
> Secfence Technologies
> http://www.secfence.com
> 
> 
> 
> _______________________________________________
> The Web Security Mailing List
> 
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> 
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> 
> WASC on Twitter
> http://twitter.com/wascupdates
> 
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
