Hello, this is my first post. I apologize for not speaking your language well, but your forum seems very interesting.


#Author: T3STM@N & P3LO
#Subject: Introduction to XAS (Cross Agent Scripting)


I want to inform you about a new vulnerability concerning the browser's User-Agent.

With a simple Firefox plugin such as User Agent Switcher we can perform an attack against any page that prints the User-Agent value back into its HTML.
The User Agent Switcher Firefox plugin allows you to send a customized User-Agent header.

Why not try inserting an XSS vector into it?

Let's look at the headers of the GET request sent to the site
http://www.w3schools.com/js/tryit.as...=tryjs_browser
Code:
Host: www.w3schools.com
User-Agent: '><script>alert(501337)</script>
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.w3schools.com/js/tryit.as...=tryjs_browser
Bingo!!
The XSS has been executed.

screenshot: (image not included)

I have tried other attack vectors on other sites and have observed, from certain error reports, that the User-Agent also allows SQL injection (in a phpBB mod, for example).

This way of exploitation opens up new attack possibilities for both persistent (stored) and temporary (reflected) XSS: any place where the User-Agent is stored in a database and displayed later, or simply echoed back in the response, is a candidate.

Firefox plugin available here:
https://addons.mozilla.org/en-US/firefox/addon/59

The browser detector's script has to be corrected against XSS on the navigator.userAgent and navigator.appVersion variables (and, server-side, on the User-Agent request header) using:
In PHP: htmlspecialchars() before printing the value into HTML, and mysql_real_escape_string() (or a prepared statement) before using it in an SQL query.
In JavaScript: escape() or a custom encoding function, so that the value is never written into the page as raw HTML.

Like on this test page:
http://oxy-team.fr.nf/html/user-agent.html




Greetz:
AzOTe, 50-1337 CreW (X3R0X,t0fx,PhOeNiX,RooTix,Nasty Shade,My$ter!ous,XdK,HuG88,MoVeZ,Funny,En
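The pattern the post exploits, and the encoding it recommends, as an added example that is not part of the original post and not code from w3schools or the oxy-team test page. It assumes Node.js with no dependencies; the function names (renderBrowserInfoVulnerable, escapeHtml, renderBrowserInfoSafe, handleRequest) are illustrative, and the request object passed to handleRequest is constructed inline rather than taken from a real server.

```javascript
// Added example (not from the original post): a browser-detector snippet
// that reflects the User-Agent into HTML, beside a hardened version.
// Node.js, no dependencies. All function names are illustrative.

// The payload from the post's request capture (constructed input).
const PAYLOAD = "'><script>alert(501337)</script>";

// A typical "browser detector" that builds HTML by string concatenation.
// This mirrors the document.write(navigator.userAgent) pattern the post
// exploits: whatever the client sends as User-Agent lands in the markup,
// both inside a quoted attribute and inside a text node.
function renderBrowserInfoVulnerable(userAgent) {
  return "<p>Your browser: <span title='" + userAgent + "'>" +
    userAgent + "</span></p>";
}

// Minimal HTML entity encoder, the JavaScript counterpart of PHP's
// htmlspecialchars() with ENT_QUOTES: encode the five characters that can
// change parsing context inside a text node or a quoted attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Same template, but the attacker-controlled value is encoded first.
function renderBrowserInfoSafe(userAgent) {
  const ua = escapeHtml(userAgent);
  return "<p>Your browser: <span title='" + ua + "'>" + ua + "</span></p>";
}

// Small check used to compare the two renderers: does the output contain a
// <script> start tag that was not part of the template? A real test would
// parse the HTML; a regex is enough to show the difference here.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Server side the same rule applies to the User-Agent request header, which
// is exactly as attacker-controlled as navigator.userAgent. `req` is shaped
// like Node's http.IncomingMessage (headers are lower-cased).
function handleRequest(req) {
  const ua = (req.headers && req.headers["user-agent"]) || "";
  return renderBrowserInfoSafe(ua);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", renderBrowserInfoVulnerable(PAYLOAD));
  console.log("hardened:  ", renderBrowserInfoSafe(PAYLOAD));
  console.log("from header:", handleRequest({ headers: { "user-agent": PAYLOAD } }));
}
```

Run it with `node` to see the raw `<script>` tag in the vulnerable output and the entity-encoded `&lt;script&gt;` in the hardened one. Encoding is done at output time, with the rules of the HTML context the value is written into; storing the header in a database is a separate concern, handled by parameterized queries rather than by the HTML encoder.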