[WEB SECURITY] Exploiting User-Agent XSS

MustLive mustlive at websecurity.com.ua
Tue May 31 15:06:52 EDT 2011

Michal and Atul!

Thanks for interesting in my methods of exploiting XSS via UA header. Soon
I'll present you my article on this topic ;-).

> if you have a method to inject arbitrary headers into cross-domain
> requests

Firstly I'll be talking about User-Agent header (last year I wrote about
attacks via spoofing UA, this time I'd write about XSS via UA). But I'll add
some notes about other (arbitrary) headers.

But I'll draw your attention guys, that you both talking about injecting
arbitrary headers into cross-domain requests on the fly - because it's most
interesting for you. But there are methods (which I mentioned about in my
previous letter) which allow do this not easily (on the fly), like in case
of flash, but in hard way. Which is also reliable methods and so also need
to be taken into account. Atul, you've asked not only for easy methods, but
for reliable ones ;-), and there are different reliable methods (as easy, as
hard) for conducting of XSS attacks via UA header.

Just few comments on letters of other participants of the list.

> as all modern browsers do no longer allow to set the UA programatically
> (i.e using JavaScript).

Achim and Jim. There are such methods (which work in some browsers). I'll
write about it in my article.

> But if you manage to proxy the request in question

Achim and Rohit. Yes, it's one of those advanced methods, which I've meant.

> By Flash technique, I guess you mean the use of AS' getUrl().

Mike, it's not about getURL - this function can't be used for injecting
arbitrary headers. It's old function (it exists even from before AS1 time,
from Flash 2) and for injecting arbitrary headers it's needed to use AS1
method addRequestHeader of LoadVars class (from Flash 6).

> If you control a proxy for HTTP traffic, why would you bother changing U-A
> on the request, instead of just grabbing the cookies or injecting your XSS
> payload into the response?

Of course Michal, but in case of this particular attack vector (via UA
header) it can be used as an attack scenario. And this proxy use case I'm
dividing on few use cases depending on how this attack is conducting. I'll
write in more details in my article.

Best wishes & regards,
Administrator of Websecurity web site

----- Original Message ----- 
From: Atul Agarwal
To: Michal Zalewski
Cc: MustLive ; websecurity at lists.webappsec.org
Sent: Tuesday, May 31, 2011 4:29 PM
Subject: Re: [WEB SECURITY] Exploiting User-Agent XSS

Thanks guys for the help.

@Rohit : Thanks a lot for the scenario, but I was looking for a real life

@Mustlive as Michal said, if you have a method to inject arbitrary headers
into cross-domain requests, we will all be very glad to hear about that!

Atul Agarwal
Secfence Technologies

On Tue, May 31, 2011 at 5:23 AM, Michal Zalewski <lcamtuf at coredump.cx>

> It's not working in new versions of flash plugin, but it's working in
> older
> versions. So no need to fully forget about it.

There are many RCE and UXSS vulnerabilities in outdated Flash plugins;
there is no way you can protect such users.

> 3. Other advanced methods. Among them there is also such one as using of
> JS.
> Even if other guys told you, that there is no possibility via JS, it's not
> true - there is such way (which works in some browsers). I know about such
> method from 2004 and at that time I wrote about it at one my site
> (concerning not security purposes) and I tested this method in modern
> versions of those browsers.

Please do share. If you know a way to inject U-A headers into
cross-domain requests, it would certainly be considered a browser bug
- and would likely be addressed swiftly.


More information about the websecurity mailing list