
Thread: User-Agent XSS

  1. #1

    User-Agent XSS



    Consider this code:

    PHP Code:
    <?php

    echo $_SERVER['HTTP_USER_AGENT'];

    ?>
    Are there any simple means of exploiting this via XSS w/ Javascript? I'm looking for some neat javascript that would prove it... any help would be appreciated. I've been looking at Javascripts that can make GETs, but I need a simple method to forge HTTP headers, which I've been unable to find.

    Thanks!

    edit:
    In this case, the user agent is not stored in any database, meaning the victim's UA would have to be spoofed somehow, probably w/ javascript.

  2. #2
    Banned
    Join Date
    Jul 2005
    Posts
    511
    You can spoof the UA simply from the web browser. IE won't allow you to change it but other browsers (like Firefox) allow you to adjust the user agent. That would mean that the UA could be used for script-code insertion...
    But in this case you're only echoing the value of a string value. I don't think that would lead to the execution of code. However, if this was part of some SQL query, there could be a risk there...

  3. #3
    Right, given the script I provided, it's trivial to cause an XSS attack against myself by spoofing the UA at the browser or w/ a proxy. However, it can't be exploited unless other clients see that javascript as well.

    The missing link here is some javascript that I place in a webpage that I own that forces anyone that views it to spoof their user agent and view the previous script, or sending a link under the vulnerablesite.foo domain that will contain the JS in it.

    So far I haven't been able to find that Javascript... which is what I'm asking for help with to prove that it's possible to successfully attack that code when no database is involved.
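
Added example, not part of the original thread: the value echoed in post #1 is client-controlled, so the defensive form of that script encodes it for HTML before output. `render_user_agent()` and the sample header values are hypothetical, constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hardened counterpart to `echo $_SERVER['HTTP_USER_AGENT'];`.
// render_user_agent() is a hypothetical helper, not code from the thread.
function render_user_agent(array $server, int $maxLen = 256): string
{
    // The header is optional; some clients send none at all.
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    if (!is_string($ua)) {
        return '';
    }

    // Strip control characters (CR, LF, NUL, ...); they never belong in a UA.
    $ua = preg_replace('/[\x00-\x1F\x7F]/', '', $ua) ?? '';

    // Cap the length so an oversized header cannot bloat the page.
    $ua = substr($ua, 0, $maxLen);

    // Encode for HTML text and quoted-attribute contexts. ENT_SUBSTITUTE turns
    // invalid UTF-8 (including a multi-byte character cut by substr) into
    // U+FFFD instead of making htmlspecialchars() return an empty string.
    return htmlspecialchars($ua, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample requests (illustrative values only).
$samples = [
    'ordinary browser' => ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/1.5'],
    'markup in header' => ['HTTP_USER_AGENT' => '<script>alert(1)</script>'],
    'quote breakout'   => ['HTTP_USER_AGENT' => '" onmouseover="x'],
    'header missing'   => [],
];

foreach ($samples as $label => $server) {
    // Markup in the header is emitted as inert, entity-encoded text.
    printf("%-17s => %s\n", $label, render_user_agent($server));
}
```

The same encoding applies to any other request header or parameter written into a page, whether or not the value is stored anywhere.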
