WebApp Sec mailing list archives

Exploiting reflected XSS vulnerabilities, where user input must come through HTTP Request headers


From: kuza55 <kuza55 () gmail com>
Date: Thu, 12 Jul 2007 12:27:52 +1000

Contents:
=======================================
1.0 Introduction
2.0 The User-Agent Header
3.0 (Known) Firefox & Safari Request Header Injection (Sometimes)
4.0 Attacking Caching Proxies
5.0 References


1.0 Introduction
=======================================
Ever since Adobe patched Flash player to stop attackers spoofing
certain headers such as Referer, User-Agent, etc., it has been
considered impossible to exploit XSS vulnerabilities where the user
input is taken from a request header, e.g. when a website prints out
what User-Agent a user's browser is sending, without escaping it, with
the exception of the Referer header, which we can control enough to
exploit XSS attacks through it.

I want to showcase several ways in which we can still exploit these
vulnerabilities.

The rest of the write-up is at:
http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html
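The bug class the post describes, as an added illustration that is not code from the post or from the linked write-up: a handler that reflects the User-Agent request header into HTML unescaped, the same handler with the value escaped, and the canary-reflection probe a tester would run to tell the two apart. The handler names, the `kz55` marker and the request dicts are assumptions made for this example; the "request" is a plain dict standing in for whatever vector actually delivers the attacker-controlled header, which is the part the post leaves to the full write-up.

```python
import html

# Hypothetical marker used to recognise our probe in the response body.
MARK = "kz55"
# The four characters that matter for breaking out of HTML text and
# attribute contexts; each is probed on its own.
PROBES = '<>"\''


def vulnerable_page(headers: dict) -> str:
    """Reflect the User-Agent header into the page body without escaping.

    This is the sink the post is about: the value comes from a request
    header rather than a URL parameter, so the attacker cannot simply
    hand a victim a link that sets it.
    """
    ua = headers.get("User-Agent", "")
    return f"<html><body><p>Your browser: {ua}</p></body></html>"


def hardened_page(headers: dict) -> str:
    """Same page with the header value HTML-escaped.

    quote=True also converts " and ' so the value is safe if it is ever
    moved into an attribute (e.g. a title="...") by a later template change.
    """
    ua = headers.get("User-Agent", "")
    safe = html.escape(ua, quote=True)
    return f"<html><body><p>Your browser: {safe}</p></body></html>"


def unescaped_reflection(render, header_name: str, probes: str = PROBES) -> set:
    """Probe a handler for raw reflection of a request header.

    For each metacharacter, send MARK + char + MARK in the named header and
    report which characters come back byte-for-byte in the response body.
    An empty set means the header is either not reflected or is escaped;
    a non-empty set is the condition a reflected-XSS exploit needs.
    """
    raw = set()
    for ch in probes:
        canary = f"{MARK}{ch}{MARK}"
        body = render({header_name: canary})
        if canary in body:
            raw.add(ch)
    return raw


if __name__ == "__main__":
    # Constructed sample request: a User-Agent carrying a script tag.
    hostile = {"User-Agent": "Mozilla/5.0 <script>alert(document.cookie)</script>"}
    print("vulnerable:", vulnerable_page(hostile))
    print("hardened:  ", hardened_page(hostile))
    print("raw chars via User-Agent (vulnerable):",
          unescaped_reflection(vulnerable_page, "User-Agent"))
    print("raw chars via User-Agent (hardened):  ",
          unescaped_reflection(hardened_page, "User-Agent"))
    print("raw chars via Referer (vulnerable):   ",
          unescaped_reflection(vulnerable_page, "Referer"))
```

The probe reports per-character results rather than a single yes/no because the exploitability of a reflection depends on context: a sink that escapes `<` and `>` but not `"` is still exploitable when the value lands inside an attribute. Probing the Referer header against the same handler returns nothing, which is the reminder that the probe only finds the sink, not the delivery vector; the post's later sections are about the delivery side.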


