I've found an xss bug inside user-agent header on one popular buy/sell site , and after reporting it to them , they answered that it is not dangerous as it can not be exploited without user interaction(changing user-agent header manually). So I wanted to ask , is there any way to send user-agent and request that same page with spoofed user-agent. Can any web programming language do that? Thanks
Asked
Active
Viewed 6,836 times
5
-
Which bug? Be more detailed. – F. Hauri - Give Up GitHub Mar 02 '13 at 17:56
-
There is a cross site scripting on mobile version of that site , it is showing my user-agent inside source code.So when I use temper data I can change user-agent to "> and crate javscript alert. But how to request for that page with spoofed user-agent without need to use temper data? – Daniel Mar 02 '13 at 18:05
1 Answers
3
It is not possible for an attacker to control the user-agent in a cross site request. Usually XSS payloads are simple <form>
elements with javascript to automatically call .submit()
or an <iframe>
.
It is possible to exploit XSS via some HTTP headers using Flash. However, flash has a blacklist of http headers. The user-agent was blacklisted in version 9.0.28, so once upon a time you could exploit user-agent based XSS. I wrote the CSRF-Request-Builder to take advantage of Flash's control over HTTP headers.
rook
- 47,004
- 10
- 94
- 182
-
Thanks , seems like there is no way , now . I've downloaded the tool and downgraded my flash player , just to test it.It works great.Thanks – Daniel Mar 02 '13 at 22:58