Hello participants of Mailing List. In my article XSS attacks via User-Agent header (http://websecurity.com.ua/5195/), which I published last week, I told about different methods of such attacks. HTTP header User-Agent often used by web applications and systems (for different purposes), so possibility of spoofing this header allows to conduct attacks. It can be as spoofing attacks (as against web applications, as web applications can use this header with purposes of cloaking), as for XSS attacks. Earlier I already told about possibility of attack via spoofing User-Agent in article Bypass of systems for searching viruses at web sites (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-May/006512.html), and now I'll tell about Cross-Site Scripting attacks via User-Agent header. Taking into account that User-Agent header often used by web applications, which show value of this header at web page, at that developers often forget about its filtration, it allows XSS attacks at these web applications. There are as reflected XSS, as persistent XSS vulnerabilities which concern with User-Agent. Conducting of XSS attacks via User-Agent. There are next methods of conducting XSS attacks via User-Agent: 1. Via Flash. 2. Via spoofing of User-Agent at persistent XSS vulnerabilities. 3. Via JavaScript. 4. Via ActiveX. 5. Via spoofing User-Agent in browsers by viruses. 6. Via proxy which is spoofing User-Agent. Attack via Flash. One of the most easiest methods of conducting XSS attacks, particularly on reflected XSS vulnerabilities, is using of Flash. When special swf-file is creating, which sends request to target site at that setting XSS payload in User-Agent header. These attacks will work only on old versions of flash plugin - in Flash Player 9.0.16 and previous versions. Starting from version 9.0.28 using of User-Agent header is forbidden. As I noted in article Sending server headers in Flash (http://websecurity.com.ua/5188/), in flash plugin 10.0.22.87 and next versions there are altogether forbidden 47 server headers. More in detail about XSS attacks via headers in flash you can read in this article. Sending of arbitrary headers via Flash. Even Adobe forbidden sending of some headers via flash (at this time these are 47 server headers, as I mentioned above), but all other headers are allowed. I.e. it's possible to send via Flash arbitrary headers (except forbidden ones), as from among known headers which are standardized, as any others. I.e. if any web application is using non-standard header, or headers from new standards, then it'll be possible to conduct attack on this web application. Similarly as in case of using standard headers from among allowed in flash (e.g. Accept and Accept-Language headers are allowed). And besides User-Agent the web applications work with many other headers, which allows to conduct XSS attacks on them. Attack via spoofing of User-Agent at persistent XSS vulnerabilities. At existing of persistent XSS vulnerabilities (particularly in external web applications), it's possible to spoof User-Agent and conduct XSS attack on affected web application. It's doing by creating exploit or using existent software, which can send arbitrary headers. For sending of request with User-Agent with XSS payload. Attack via JavaScript. Among modern browsers there are such ones, which allow to change User-Agent via JavaScript. In this case persistent change of User-Agent occurs, not at one request as it has place in case of attack via flash. Particularly there is such possibility in browsers from Mozilla (in browsers on Gecko engine), as in old Mozilla, as in new Firefox, including Firefox 3.х and 4. With JS code for changing of User-Agent in browser you can familiarize yourself at my site (http://mlbpg.narod.ru/useragent.html). This code I've made already in 2003. It changes the value of parameter general.useragent.override. This attack will work only locally, but not online. So it's needed to force user to save html-page on his computer and open it locally (or put it for him by different ways for local opening). I wrote already about such attacks on browsers, so it's quite real. >From other side, it's possible to use Cross Context Scripting (Cross-zone scripting) vulnerabilities (http://websecurity.com.ua/4308/) in browsers on Gecko engine to remotely execute code in local context and conduct changing of User-Agent in browser. I'll add, that at this change in old Mozilla 1.7.х and previous versions there were no messages, so it was possible to conduct the attack hiddenly, but in Firefox 3.х the messages shows already (but if to set appropriate checkbox, then it'll not show anymore). But it's not a problem, because user can be fraudulently forced to press Allow, and many users will automatically at all press Allow in this message. Attack via ActiveX. In Internet Explorer and browsers on IE engine it's possible via ActiveX component (similarly as in Flash ActiveX component) to spoof User-Agent header. Similarly can be added any other server headers. So malicious components in IE can conduct such attacks. Attack via spoofing User-Agent in browsers by viruses. Viruses which got to user's computer can change User-Agent in one or in all browsers, which he is using. In this case persistent change of User-Agent occurs, not at one request as it has place in case of attack via flash. Similarly can be added any other server headers. There are possible different variants of changing User-Agent by malicious software. In browsers Mozilla and Firefox the virus can add required value of User-Agent in the file prefs.js in the folder with user's profile. It also can be made by intruder at temporary access to user's computer. In file prefs.js the next line is adding (or changing existent one): user_pref("general.useragent.override", "XSS payload"); For attack on all browsers it's possible to infect exe-files (or dll-files) of browsers, to add the function in them which set fixed value of User-Agent (which is more complex), or to add plugin/add-on for the browser which is doing this operation (which is easier). This attack also can be made via plugins/add-ons, which are downloading by user from Internet - it can be fake plugins which don't do anything (at that changing User-Agent), or even have some public functionality (at that hiddenly changing User-Agent), or it can be legal plugins in which there is such hidden functionality (which can be made by plugin's author, or by bad guy who included such code in the plugin). Attack via proxy which is spoofing User-Agent. In case of attack via proxy in all requests from browser the proxy can replace User-Agent, to set header with XSS payload. The attack will last until user will be using this proxy (only in case of attack on Ad Muncher the persistent change of User-Agent will occur). Similarly can be added any other server headers. This attack can going on in the next way: a) At computer of the user the software is installed which is working as proxy. E.g. such as Ad Muncher (about different universal XSS in which I wrote last year), which can spoof value of User-Agent. Virus at user's computer or intruder at temporary access to his computer can change setting of Ad Muncher, to set required value of User-Agent. b) User set the proxy for his browser - it can be public anonymous proxy, which is controlled by bad guy, or user is fraudulently forced to set required proxy, or virus did it by changing browser's settings. And this proxy is replacing value of User-Agent. Besides, at attack via JavaScript (or viruses) it's also possible to change proxy settings in the browser. Particularly in browsers on Gecko engine it's needed to set parameters network.proxy.http, network.proxy.http_port and set network.proxy.type = 1. Thus it's possible to combine attacks 3 and 6 or 5 and 6. c) Some Internet providers in real time are making changes in requests/responses, which come from/to the user. And malicious provider (or hacked provider) can replace value of User-Agent. d) At MITM attack, e.g. at using of WiFi, also can be replaced value of User-Agent. Conclusion. It's seen from above-mentioned, that there are many methods of spoofing User-Agent, particularly for conducting XSS attacks. So web developers need always to attend to security of own applications. To not allow Cross-Site Scripting vulnerabilities, including at work with User-Agent header.