websecurity@lists.webappsec.org

The Web Security Mailing List


Exploiting User-Agent XSS

Atul Agarwal
Thu, May 26, 2011 1:04 PM

Hello List,

Is anyone aware of any reliable method to force the user (victim) to
change/spoof the User-Agent of the browser so as to exploit an XSS vuln?

The flash technique does not work any more.

Thanks,
Atul Agarwal
Secfence Technologies
http://www.secfence.com

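The header reflection Atul asks about, as an added example that is not part of the thread: a WSGI-style handler that reflects User-Agent into HTML unescaped beside the same handler with output encoding, plus a check over access-log lines that flags User-Agent values carrying markup. The handler names, UA strings and log lines are constructed for this example.

```python
"""Added example, not from the thread: a WSGI-style handler that reflects
the User-Agent header into HTML (the bug discussed above), the same handler
hardened with output encoding, and an access-log check for User-Agent
values carrying markup. All sample values are constructed."""
import html
import re

# Constructed header values: a normal browser UA and one carrying markup,
# as a proxy sitting between browser and server could insert it.
BENIGN_UA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/4.0"
HOSTILE_UA = "Mozilla/5.0 <script>alert(1)</script>"


def render_vulnerable(environ):
    """Reflects HTTP_USER_AGENT into the page unescaped: whatever the
    header carries becomes part of the DOM."""
    ua = environ.get("HTTP_USER_AGENT", "")
    return "<p>Your browser: %s</p>" % ua


def render_hardened(environ):
    """Same page with HTML entity encoding applied to the header value,
    so markup in the header is displayed as text rather than parsed."""
    ua = environ.get("HTTP_USER_AGENT", "")
    return "<p>Your browser: %s</p>" % html.escape(ua, quote=True)


# Combined log format (Apache/nginx); the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Tokens that have no place in a legitimate User-Agent string.
MARKUP_RE = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Constructed access-log lines: one benign request, one carrying the hostile UA.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/May/2011:15:04:00 +0000] "GET /about HTTP/1.1" '
    '200 512 "-" "%s"' % BENIGN_UA,
    '198.51.100.7 - - [26/May/2011:15:05:13 +0000] "GET /about HTTP/1.1" '
    '200 512 "-" "%s"' % HOSTILE_UA,
]


def suspicious_user_agents(log_lines):
    """Return (client_ip, user_agent) for each log line whose User-Agent
    field contains markup; lines that do not parse are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and MARKUP_RE.search(m.group("ua")):
            hits.append((m.group("ip"), m.group("ua")))
    return hits


if __name__ == "__main__":
    env = {"HTTP_USER_AGENT": HOSTILE_UA}
    print(render_vulnerable(env))
    print(render_hardened(env))
    print(suspicious_user_agents(SAMPLE_LOG))
```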
Achim Hoffmann
Thu, May 26, 2011 5:56 PM

Hi Atul,

assuming that you mean a method which can automatically spoof the UA, you
need to find a vulnerability in the browser, as all modern browsers no
longer allow the UA to be set programmatically (i.e. using JavaScript).
Though, I'm not sure about plug-ins like Flash ...

But if you manage to proxy the request in question, that proxy can spoof
the UA and hence exploit the XSS vuln in the application.

- Achim

On 26.05.2011 15:04, Atul Agarwal wrote:

> Hello List,
>
> Is anyone aware of any reliable method to force the user (victim) to
> change/spoof the User-Agent of the browser so as to exploit a XSS Vuln.
>
> The flash technique does not work any more.
>
> Thanks,
> Atul Agarwal
> Secfence Technologies
> http://www.secfence.com

James Manico
Thu, May 26, 2011 9:16 PM

Header modification has been locked down well in most browsers via JS. If
you find out otherwise, I think it's a browser bug.

Jim Manico

On May 26, 2011, at 11:27 AM, Atul Agarwal <atul@secfence.com> wrote:

> Hello List,
>
> Is anyone aware of any reliable method to force the user (victim) to
> change/spoof the User-Agent of the browser so as to exploit a XSS Vuln.
>
> The flash technique does not work any more.
>
> Thanks,
> Atul Agarwal
> Secfence Technologies
> http://www.secfence.com


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Mike Duncan
Fri, May 27, 2011 2:13 PM


By Flash technique, I guess you mean the use of AS' getUrl(). Perhaps a
Java/Silverlight/ActiveX app which makes the request with the malicious
UA and then dumps the response to a DIV or something on the page.

Of course, an applet/object trying to make a connection to another host
will need to be signed, possibly meaning some social engineering is
required as well.

Mike Duncan
Application Security Specialist
US Government Contractor, STG Inc.
NOAA National Climatic Data Center
Information Technology Security (ITS)

On 05/26/11 09:04, Atul Agarwal wrote:

> Hello List,
>
> Is anyone aware of any reliable method to force the user (victim) to
> change/spoof the User-Agent of the browser so as to exploit a XSS Vuln.
>
> The flash technique does not work any more.
>
> Thanks,
> Atul Agarwal
> Secfence Technologies
> http://www.secfence.com


Rohit Pitke
Sat, May 28, 2011 10:46 AM

Leveraging reflected XSS by exploiting a user in real time, especially if the
user-agent is XSS prone, is far more difficult now. Almost close to impossible, as
JS (browsers) and Flash are not allowing it.

Are group members aware of some technique wherein an attacker would force the victim's
browser to set some proxy temporarily which is controlled by the attacker only? i.e.
a scenario like

Attacker -> victim's browser -> attacker-controlled proxy -> change request -> server

Changing the proxy and profile in Firefox is possible using a specifically written
extension, but I am not aware if any other easy way is out there. And that, too, would
have to work in an XSS exploit scenario. This might be a hypothetical scenario, but I
will always use this scenario to get the issue fixed  :-)

Regards,
Rohit Pitke


________________________________
From: Mike Duncan <Mike.Duncan@noaa.gov>
To: Atul Agarwal <atul@secfence.com>
Cc: websecurity@lists.webappsec.org
Sent: Fri, May 27, 2011 7:43:48 PM
Subject: Re: [WEB SECURITY] Exploiting User-Agent XSS


By Flash technique, I guess you mean the use of AS' getUrl(). Perhaps a
Java/Silverlight/ActiveX app which makes the request with the malicious
UA and then dumps the response to a DIV or something on the page.

Of course, an applet/object trying to make a connection to another host
will need to be signed possibly meaning some social engineering is
required as well.

Mike Duncan
Application Security Specialist
US Government Contractor, STG Inc.
NOAA National Climatic Data Center
Information Technology Security (ITS)

On 05/26/11 09:04, Atul Agarwal wrote:

> Hello List,
>
> Is anyone aware of any reliable method to force the user (victim) to
> change/spoof the User-Agent of the browser so as to exploit a XSS Vuln.
>
> The flash technique does not work any more.
>
> Thanks,
> Atul Agarwal
> Secfence Technologies
> http://www.secfence.com


Michal Zalewski
Sun, May 29, 2011 4:18 AM

> Are group members aware of some technique wherein attacker would force
> victim's browser to set some proxy temporarily which is controlled by
> attacker only?

If you control a proxy for HTTP traffic, why would you bother changing
U-A on the request, instead of just grabbing the cookies or injecting
your XSS payload into the response?

/mz

Rohit Pitke
Sun, May 29, 2011 12:35 PM

That is correct. I am saying, has this possibility been worked out anywhere? I am
looking for some research papers/work done on it. I see it as a bleak exploitation
scenario, still wondering.

Rohit


________________________________
From: Michal Zalewski <lcamtuf@coredump.cx>
To: Rohit Pitke <rohirp92@yahoo.com>
Cc: Mike Duncan <Mike.Duncan@noaa.gov>; Atul Agarwal <atul@secfence.com>;
websecurity@lists.webappsec.org
Sent: Sun, May 29, 2011 9:48:07 AM
Subject: Re: [WEB SECURITY] Exploiting User-Agent XSS

> Are group members aware of some technique wherein attacker would force
> victim's browser to set some proxy temporarily which is controlled by
> attacker only?

If you control a proxy for HTTP traffic, why would you bother changing
U-A on the request, instead of just grabbing the cookies or injecting
your XSS payload into the response?

/mz

Mike Duncan
Tue, May 31, 2011 2:11 PM


For inline proxying, you could look to any number of places (Google for
starters). Most of them start with ARP poisoning, making your machine
the gateway/proxy for the subnet. Afterward, start up SQUID and away
you go. Not much to it really -- but it requires access to the
network/subnet first.

http://www.google.com/search?q=arp+poison+proxy&ie=utf-8
http://www.securitytube.net/search?q=arp+poison+proxy&ie=utf-8&siteurl=www.securitytube.net

For wireless networks, needless to say, you need access to the network
either by SE, cracking the key, or just using a known key.

Unfortunately, if you have no access to the network/subnet or if the
router/switches are blocking ARP poison attempts, you are left with SE
or some other vector. This is what I mentioned in my last message.

Mike Duncan
Application Security Specialist
US Government Contractor, STG Inc.
NOAA National Climatic Data Center
Information Technology Security (ITS)

On 05/29/11 08:35, Rohit Pitke wrote:

> That is correct. I am saying, is this possibility worked out anywhere? I
> am looking for some research papers/work done on it. I see it as bleak
> exploitation scenario still wondering.
>
> Rohit
>
> ------------------------------------------------------------------------
> From: Michal Zalewski <lcamtuf@coredump.cx>
> To: Rohit Pitke <rohirp92@yahoo.com>
> Cc: Mike Duncan <Mike.Duncan@noaa.gov>; Atul Agarwal
> <atul@secfence.com>; websecurity@lists.webappsec.org
> Sent: Sun, May 29, 2011 9:48:07 AM
> Subject: Re: [WEB SECURITY] Exploiting User-Agent XSS
>
>> Are group members aware of some technique wherein attacker would force
>> victim's browser to set some proxy temporarily which is controlled by
>> attacker only?
>
> If you control a proxy for HTTP traffic, why would you bother changing
> U-A on the request, instead of just grabbing the cookies or injecting
> your XSS payload into the response?
>
> /mz
