[WEB SECURITY] Exploiting User-Agent XSS

MustLive mustlive at websecurity.com.ua
Mon May 30 14:45:44 EDT 2011

Hello Atul!

There are such methods. And there are a lot of methods of conducting XSS attacks via User-Agent, as for reflected XSS, as for persistent XSS. In your letter, as I see, you meant only reflected XSS vector, but persistent XSS holes via User-Agent also exist, so they also need to be taken into account ;-).

>From 2006, when I started researches of Cross-Site Scripting via different headers, including User-Agent (and especially I begun researching UA header at beginning of 2007), I have found many methods of conducting of such attacks. And from that time I'm planning to write an article with detailed description of different attack methods via UA, but still haven't found time for it. About spoofing UA attacks I wrote, as in article New vulnerability in bots of search engines (for security bypass) (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-May/006512.html), but not about XSS attacks. Feel free to request such an article from me (so I'll prioritize this topic).

> The flash technique does not work any more.

It's not working in new versions of flash plugin, but it's working in older versions. So no need to fully forget about it.

In short the list of XSS attacks via User-Agent looks like:

1. Via flash.

2. Via spoofing of User-Agent field and conducting of persistent XSS attacks (by making exploit or using existent software to make UA with XSS payload).

3. Other advanced methods. Among them there is also such one as using of JS. Even if other guys told you, that there is no possibility via JS, it's not true - there is such way (which works in some browsers). I know about such method from 2004 and at that time I wrote about it at one my site (concerning not security purposes) and I tested this method in modern versions of those browsers.

For longer (comprehensive) list it's needed already to write an article ;-). So, as you see, there are a lot of such methods.

Best wishes & regards,
Administrator of Websecurity web site

[WEB SECURITY] Exploiting User-Agent XSS
Atul Agarwal atul at secfence.com
Thu May 26 09:04:56 EDT 2011

> Hello List,
> Is anyone aware of any reliable method to force the user (victim) to
> change/spoof the User-Agent of the browser so as to exploit a XSS Vuln.
> The flash technique does not work any more.
> Thanks,
> Atul Agarwal
> Secfence Technologies
> http://www.secfence.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20110530/455657af/attachment-0003.html>

More information about the websecurity mailing list