[WEB SECURITY] Exploiting User-Agent XSS

Mike Duncan Mike.Duncan at noaa.gov
Tue May 31 10:11:16 EDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For inline proxying, you could look to any number of places (Google for
starters). Most of them start with arp poisoning, making your machine
the gateway/proxy for the subnet. Afterward, start up SQUID and away
you go. Not much to it really -- but requires access to the
network/subnet first.

http://www.google.com/search?q=arp+poison+proxy&ie=utf-8
http://www.securitytube.net/search?q=arp+poison+proxy&ie=utf-8&siteurl=www.securitytube.net

For wireless networks, needless to say, you need access to the network
either by SE, cracking the key, or just using a known key.

Unfortunately, if you have no access to the network/subnet or if the
router/switches are blocking ARP poison attempts, you are left with SE
or some other vector. This is what I mentioned in my last message.

Mike Duncan
Application Security Specialist
US Government Contractor, STG Inc.
NOAA National Climatic Data Center
Information Technology Security (ITS)



On 05/29/11 08:35, Rohit Pitke wrote:
> That is correct. I am saying, is this possibility worked out anywhere? I
> am looking for some research papers/work done on it. I see it as a bleak
> exploitation scenario, but I am still wondering.
> 
> Rohit
> 
> ------------------------------------------------------------------------
> *From:* Michal Zalewski <lcamtuf at coredump.cx>
> *To:* Rohit Pitke <rohirp92 at yahoo.com>
> *Cc:* Mike Duncan <Mike.Duncan at noaa.gov>; Atul Agarwal
> <atul at secfence.com>; websecurity at lists.webappsec.org
> *Sent:* Sun, May 29, 2011 9:48:07 AM
> *Subject:* Re: [WEB SECURITY] Exploiting User-Agent XSS
> 
>> Are group members aware of some technique wherein attacker would force
>> victim's browser to set some proxy temporarily which is controlled by
>> attacker only?
> 
> If you control a proxy for HTTP traffic, why would you bother changing
> U-A on the request, instead of just grabbing the cookies or injecting
> your XSS payload into the response?
> 
> /mz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3k9wAACgkQnvIkv6fg9hbCZwCdFw8tMFqOjfy0AItRi8pCo7Nn
aZ8AoIw7QFUYImnK1qDu+QknZCrGS8ti
=eHY2
-----END PGP SIGNATURE-----
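The message above describes the usual starting point for an inline proxy on a LAN: ARP poisoning that rewrites which MAC the other hosts associate with the gateway. From the defender's side, that step is visible in the ARP traffic itself, because the gateway IP suddenly starts answering with a different MAC. The following is an added example (not code from the thread or from any of the posters) of a small monitor that parses `tcpdump -n arp` style reply lines, remembers the first MAC seen per IP (or a known-good gateway MAC you seed it with), and raises an alert when a later reply claims a different MAC, with gateway conflicts marked high severity. The capture lines, IPs and MACs are constructed sample data, and the line format assumed is tcpdump's `ARP, Reply <ip> is-at <mac>` output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# tcpdump -n arp prints replies as "<time> ARP, Reply <ip> is-at <mac>, length N".
# Requests ("who-has ... tell ...") do not carry a binding and are ignored.
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+ARP, Reply "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


@dataclass(frozen=True)
class ArpReply:
    ts: str
    ip: str
    mac: str


@dataclass(frozen=True)
class Alert:
    ts: str
    ip: str
    expected_mac: str
    seen_mac: str
    severity: str  # "high" for the gateway, "medium" for any other host


def parse_arp_replies(capture_text: str) -> List[ArpReply]:
    """Extract (ip, mac) bindings announced by ARP replies in a capture dump."""
    replies = []
    for line in capture_text.splitlines():
        m = ARP_REPLY_RE.match(line.strip())
        if m:
            replies.append(ArpReply(m["ts"], m["ip"], m["mac"].lower()))
    return replies


class ArpMonitor:
    """Track IP -> MAC bindings and flag replies that contradict a known binding.

    The first MAC seen for an IP is trusted unless a known-good MAC is seeded;
    seeding the gateway's real MAC is preferable, since the monitor could
    otherwise learn an already-poisoned binding as the baseline.
    """

    def __init__(self, gateway_ip: str, gateway_mac: Optional[str] = None):
        self.gateway_ip = gateway_ip
        self.table: Dict[str, str] = {}
        if gateway_mac:
            self.table[gateway_ip] = gateway_mac.lower()
        self._reported: Set[Tuple[str, str]] = set()  # dedupe repeated spoof frames
        self.alerts: List[Alert] = []

    def observe(self, reply: ArpReply) -> Optional[Alert]:
        expected = self.table.get(reply.ip)
        if expected is None:
            self.table[reply.ip] = reply.mac  # learn the baseline binding
            return None
        if expected == reply.mac or (reply.ip, reply.mac) in self._reported:
            return None
        # Conflicting binding: the baseline is kept, the conflict is reported once.
        self._reported.add((reply.ip, reply.mac))
        severity = "high" if reply.ip == self.gateway_ip else "medium"
        alert = Alert(reply.ts, reply.ip, expected, reply.mac, severity)
        self.alerts.append(alert)
        return alert


def detect_arp_spoofing(capture_text: str, gateway_ip: str,
                        gateway_mac: Optional[str] = None) -> List[Alert]:
    """Run the monitor over a whole capture dump and return the alerts raised."""
    monitor = ArpMonitor(gateway_ip, gateway_mac)
    for reply in parse_arp_replies(capture_text):
        monitor.observe(reply)
    return monitor.alerts


# Constructed sample capture in tcpdump -n arp style (not real traffic).
SAMPLE_CAPTURE = """\
10:11:16.100000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
10:11:16.100500 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:11:17.200000 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:20, length 28
10:11:20.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:11:25.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
10:11:26.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
10:11:27.000000 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:99, length 28
"""

if __name__ == "__main__":
    for a in detect_arp_spoofing(SAMPLE_CAPTURE, gateway_ip="192.168.1.1"):
        print(f"{a.ts} [{a.severity}] {a.ip}: expected {a.expected_mac}, "
              f"saw {a.seen_mac}")
```

Run against the sample, the monitor reports the gateway binding change at 10:11:25 as high severity (the repeated frame a second later is deduplicated) and the 192.168.1.20 change as medium. The same logic maps directly onto a switch's ARP inspection or a host-based agent watching its own ARP cache; what the monitor cannot tell you is which hosts accepted the poisoned binding, so it belongs alongside, not instead of, port-level controls such as dynamic ARP inspection on managed switches.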