Penetration Testing mailing list archives
Re: User Agent XSS anyone?
From: "Morning Wood" <se_cur_ity () hotmail com>
Date: Fri, 24 Apr 2009 08:39:26 -0700
here is one I discovered quite some time ago
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-06/0257.html

UA XSS is particularly nasty in apps that format logs in html (a simple registry edit was used to change the UA in IE)

----- Original Message -----
From: "Zack Payton" <zpayton () gmail com>
To: "pen-test list" <pen-test () securityfocus com>
Sent: Wednesday, April 22, 2009 12:11 AM
Subject: User Agent XSS anyone?

Hi all,

I was just curious if anyone was aware of any interesting ways to exploit user-agent based xss. I suppose it would be easy in conjunction with HTTP response splitting, but is anyone aware of any other vectors beside those present in custom browser extensions? I am interested in hearing about all vectors though, even those in custom browser extensions.

Thank you!

Sincerely,
Z

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Tired of using other people's tools? Why not learn how to write your own exploits? InfoSec Institute's Advanced Ethical Hacking class teaches you how to write stack and heap buffer overflow exploits for Windows and Linux. Gain your Certified Expert Penetration Tester (CEPT) cert as well.
http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
------------------------------------------------------------------------
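Added example, not part of the original posts: a minimal log-to-HTML report showing why a User-Agent value becomes markup when a log viewer pastes it in unencoded, next to the output-encoded version and a triage check for User-Agent values carrying HTML metacharacters. The log lines, field names and function names are constructed for illustration and assume Apache "combined" log format.

```python
import html
import re

# Constructed sample lines in Apache "combined" format (not from the original posts).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Apr/2009:08:39:26 -0700] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '192.0.2.77 - - [24/Apr/2009:08:40:02 -0700] "GET / HTTP/1.1" 200 512 "-" "<script>alert(1)</script>"',
]

COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
FIELDS = ("host", "time", "request", "status", "referer", "agent")


def parse(line):
    """Return the named fields of one combined-format line, or None if it does not match."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def render_row_unsafe(rec):
    # The flaw: client-controlled header values are pasted into the markup as-is.
    return "<tr>" + "".join(f"<td>{rec[f]}</td>" for f in FIELDS) + "</tr>"


def render_row_safe(rec):
    # Encode every field at output time; the request line and Referer are client-controlled too.
    return "<tr>" + "".join(f"<td>{html.escape(rec[f], quote=True)}</td>" for f in FIELDS) + "</tr>"


def suspicious_agents(lines):
    """Triage helper: (host, agent) pairs whose User-Agent contains HTML metacharacters."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and re.search(r"[<>]", rec["agent"]):
            hits.append((rec["host"], rec["agent"]))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(render_row_safe(parse(line)))
    print(suspicious_agents(SAMPLE_LOG))
```

The encoding belongs in the viewer at render time, so the stored log keeps the exact bytes the client sent.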
Current thread:
- User Agent XSS anyone? Zack Payton (Apr 23)
- Re: User Agent XSS anyone? Robin Wood (Apr 23)
- Re: User Agent XSS anyone? Morning Wood (Apr 26)
- Re: User Agent XSS anyone? Luca Carettoni (Apr 26)
- Message not available
- Re: User Agent XSS anyone? Zack Payton (Apr 27)