Hello List,
Is anyone aware of any reliable method to force the user (victim) to
change/spoof the User-Agent of the browser so as to exploit an XSS vuln.
The flash technique does not work any more.
Thanks,
Atul Agarwal
Secfence Technologies
http://www.secfence.com
Hi Atul,
assuming that you mean a method which can automatically spoof the UA, you
need to find a vulnerability in the browser, as all modern browsers no
longer allow the UA to be set programmatically (i.e. using JavaScript).
Though, I'm not sure about plug-ins like Flash ...
But if you manage to proxy the request in question, that proxy can spoof
the UA and hence exploit the XSS vuln in the application.
On 26.05.2011 15:04, Atul Agarwal wrote:
Header modification has been locked down well in most browsers via JS. If
you find out otherwise, I think it's a browser bug.
Jim Manico
On May 26, 2011, at 11:27 AM, Atul Agarwal atul@secfence.com wrote:
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
By Flash technique, I guess you mean the use of AS' getUrl(). Perhaps a
Java/Silverlight/ActiveX app which makes the request with the malicious
UA and then dumps the response to a DIV or something on the page.
Of course, an applet/object trying to make a connection to another host
will need to be signed, possibly meaning some social engineering is
required as well.
Mike Duncan
Application Security Specialist
US Government Contractor, STG Inc.
NOAA National Climatic Data Center
Information Technology Security (ITS)
On 05/26/11 09:04, Atul Agarwal wrote:
Leveraging reflected XSS by exploiting the user in real time, especially if
the user-agent is XSS prone, is far more difficult now. Almost close to impossible, as
JS (browsers) and Flash are not allowing it.
Are group members aware of some technique wherein an attacker would force the victim's
browser to set some proxy temporarily which is controlled by the attacker only? i.e.
a scenario like
Attacker -> victim's browser -> attacker controlled proxy -> change request -> server
Changing the proxy and profile in Firefox is possible using a specifically written
extension, but I am not aware if any other easy way is out there? And that too would have to work in
an XSS exploit scenario. This might be a hypothetical scenario, but I will always use
this scenario to get the issue fixed :-)
Regards,
Rohit Pitle
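The fix Rohit says he pushes for, as an added example that is not code from anyone on this thread: a handler that reflects the User-Agent raw beside one that encodes it before reflection, plus a log-side check that flags User-Agent values carrying markup, which is how a spoofed header arriving via a proxy or plug-in would surface in monitoring. The request headers and the combined-format log line are constructed samples.

```python
import html
import re

# Constructed request headers for the demonstration (not a real capture).
SAMPLE_HEADERS = {"User-Agent": "Mozilla/5.0 <script>alert(1)</script>"}

# Constructed Apache/nginx combined-format access log line.
SAMPLE_LOG = ('203.0.113.5 - - [29/May/2011:09:48:07 +0000] "GET /stats HTTP/1.1" '
              '200 512 "-" "Mozilla/5.0 <script>alert(1)</script>"')


def render_vulnerable(headers):
    """The 'UA XSS prone' pattern: the raw User-Agent is reflected into HTML."""
    return "<p>Your browser: %s</p>" % headers.get("User-Agent", "")


def render_fixed(headers):
    """Same page with contextual output encoding applied before reflection."""
    ua = html.escape(headers.get("User-Agent", ""), quote=True)
    return "<p>Your browser: %s</p>" % ua


# Tag openers, inline event handlers and javascript: URLs have no business
# in a User-Agent string; their presence is a cheap detection signal.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:", re.I)


def suspicious_user_agent(ua):
    """True when the User-Agent value carries HTML/JS markup."""
    return bool(MARKUP_RE.search(ua))


def parse_combined_log(line):
    """Return the User-Agent field (last quoted string) of a combined log line."""
    quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
    # request, referer and user-agent are the three quoted fields
    return quoted[-1] if len(quoted) >= 3 else ""


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_HEADERS))
    print(render_fixed(SAMPLE_HEADERS))
    ua = parse_combined_log(SAMPLE_LOG)
    print("suspicious" if suspicious_user_agent(ua) else "clean", repr(ua))
```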
From: Mike Duncan Mike.Duncan@noaa.gov
To: Atul Agarwal atul@secfence.com
Cc: websecurity@lists.webappsec.org
Sent: Fri, May 27, 2011 7:43:48 PM
Subject: Re: [WEB SECURITY] Exploiting User-Agent XSS
Are group members aware of some technique wherein attacker would force
victim's browser to set some proxy temporarily which is controlled by
attacker only?
If you control a proxy for HTTP traffic, why would you bother changing
U-A on the request, instead of just grabbing the cookies or injecting
your XSS payload into the response?
/mz
That is correct. I am asking, has this possibility been worked out anywhere? I am
looking for some research papers/work done on it. I see it as a bleak exploitation
scenario, but am still wondering.
Rohit
From: Michal Zalewski lcamtuf@coredump.cx
To: Rohit Pitke rohirp92@yahoo.com
Cc: Mike Duncan Mike.Duncan@noaa.gov; Atul Agarwal atul@secfence.com;
websecurity@lists.webappsec.org
Sent: Sun, May 29, 2011 9:48:07 AM
Subject: Re: [WEB SECURITY] Exploiting User-Agent XSS
For inline proxying, you could look to any number of places (Google for
starters). Most of them start with ARP poisoning, making your machine
the gateway/proxy for the subnet. Afterward, start up Squid and away
you go. Not much to it really -- but it requires access to the
network/subnet first.
http://www.google.com/search?q=arp+poison+proxy&ie=utf-8
http://www.securitytube.net/search?q=arp+poison+proxy&ie=utf-8&siteurl=www.securitytube.net
For wireless networks, needless to say you need access to the network
either by SE, cracking the key, or just using a known key.
Unfortunately, if you have no access to the network/subnet or if the
router/switches are blocking ARP poison attempts, you are left with SE
or some other vector. This is what I mentioned in my last message.
Mike Duncan
Application Security Specialist
US Government Contractor, STG Inc.
NOAA National Climatic Data Center
Information Technology Security (ITS)
On 05/29/11 08:35, Rohit Pitke wrote: