1

I have a HTTP request which has the first line like this one:

GET / HTTP/1.1

The value HTTP/1.1 gets reflected unfiltered/unencoded back and is vulnerable to XSS, but is there any way to exploit that, except by social engineering the victim to manually change the version value in their browser config?

pineappleman
  • 2,289
  • 11
  • 21
  • If it allows linebreaks somehow then you can exploit it by adding headers, otherwise it is just ugly. It can exploit clients which are not expecting buffer overflows. But it does mean you server is not at all properly handling http. – eckes May 06 '17 at 23:50
  • 2
    @eckes I think you're missing the point. OP is asking about the possibility to conduct an XSS attack with a value that an attacker seemingly can't control. It's not about buffer overflows or adding headers. – Arminius May 07 '17 at 00:02
  • Sure, but why restrict to a certain type of vulnerability if it has all sorts of other problems... (after all this is a comment not an answer) – eckes May 07 '17 at 00:04

1 Answers1

6

No, there are no web APIs that an attacker could employ to modify the HTTP version string in a reflected XSS attack.

I often come across similar flaws during penetration testing that are technically XSS, but not directly exploitable without manually altering the HTTP request. These bugs often get rejected by bug bounty programs. Another common example for this type of flaw is the Host header:

Host: vulnerable.example

You would often see that vulnerable.example is reflected in the response body without any filtering but you simply can't choose the value of the host header in a real-life XSS attack, so the vulnerability turns out to be rather useless. Yet another example is XSS via the user agent. Similarly - unless it's a persistent XSS flaw, just printing back a modified user-agent string will most likely not be exploitable.

Beyond reflected XSS there are obviously other vulnerabilities to look out for. The response might be cached somewhere, enabling you to turn it into a persistent XSS flaw. Or the value might be stored unfiltered in some backend logging system.

Arminius
  • 44,242
  • 14
  • 143
  • 138
  • I would like to add that the user agent could in theory be used as a "reflected/persistent" XSS if one can change the default user agent of the browser that the victim uses. But in practice you can do a lot worse than XSS if you can access settings like that. – Wealot May 08 '17 at 13:36