5

I've found an xss bug inside user-agent header on one popular buy/sell site , and after reporting it to them , they answered that it is not dangerous as it can not be exploited without user interaction(changing user-agent header manually). So I wanted to ask , is there any way to send user-agent and request that same page with spoofed user-agent. Can any web programming language do that? Thanks

Daniel
  • 1,432
  • 4
  • 21
  • 32
  • Which bug? Be more detailed. – F. Hauri - Give Up GitHub Mar 02 '13 at 17:56
  • There is a cross site scripting on mobile version of that site , it is showing my user-agent inside source code.So when I use temper data I can change user-agent to "> and crate javscript alert. But how to request for that page with spoofed user-agent without need to use temper data? – Daniel Mar 02 '13 at 18:05

1 Answers1

3

It is not possible for an attacker to control the user-agent in a cross site request. Usually XSS payloads are simple <form> elements with javascript to automatically call .submit() or an <iframe>.

It is possible to exploit XSS via some HTTP headers using Flash. However, flash has a blacklist of http headers. The user-agent was blacklisted in version 9.0.28, so once upon a time you could exploit user-agent based XSS. I wrote the CSRF-Request-Builder to take advantage of Flash's control over HTTP headers.

rook
  • 47,004
  • 10
  • 94
  • 182
  • Thanks , seems like there is no way , now . I've downloaded the tool and downgraded my flash player , just to test it.It works great.Thanks – Daniel Mar 02 '13 at 22:58