[WEB SECURITY] Exploiting User-Agent XSS

Michal Zalewski lcamtuf at coredump.cx
Sun May 29 00:18:07 EDT 2011


> Are group members aware of some technique wherein an attacker would force
> the victim's browser to temporarily set some proxy which is controlled by
> the attacker only?

If you control a proxy for HTTP traffic, why would you bother changing
U-A on the request, instead of just grabbing the cookies or injecting
your XSS payload into the response?

/mz



