[WEB SECURITY] Exploiting User-Agent XSS
rohirp92 at yahoo.com
Sun May 29 08:35:08 EDT 2011
That is correct. I am saying, is this possibility worked out anywhere? I am
looking for some research papers/work done on it. I see it as a bleak exploitation
scenario; still wondering.
From: Michal Zalewski <lcamtuf at coredump.cx>
To: Rohit Pitke <rohirp92 at yahoo.com>
Cc: Mike Duncan <Mike.Duncan at noaa.gov>; Atul Agarwal <atul at secfence.com>;
websecurity at lists.webappsec.org
Sent: Sun, May 29, 2011 9:48:07 AM
Subject: Re: [WEB SECURITY] Exploiting User-Agent XSS
> Are group members aware of some technique wherein attacker would force
> victim's browser to set some proxy temporarily which is controlled by
> attacker only?
If you control a proxy for HTTP traffic, why would you bother changing
U-A on the request, instead of just grabbing the cookies or injecting
your XSS payload into the response?