XSS-Reflected (User_Agent)

Today XSS is often cited as the number-one security threat on the web

This is my first blog so, in this blog I’m gonna show you the Proper demonstration of Cross-Site Scripting attack in User-Agent header. I’m using a private website which i can’t reveal but you will learn or easily understand by this attack.

What is User-Agent ?

When your browser connects to a website, it includes a User-Agent field in its HTTP header. The contents of the user agent field vary from browser to browser. Each browser has its own, distinctive user agent. Essentially, a user agent is a way for a browser to say “Hi, I’m Mozilla Firefox on Windows” or “Hi, I’m Safari on an iPhone” to a web server.

For example : when you intercept the request you can see User-Agent in the header which is something like this “ Mozilla: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.3 Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/43.4.”

Lets Start the Attack :

So our goal is to intercept this request and inject the payload to this header parameter.

To inject the payload, we need to intercept the HTTP request and we can use Burp suite.

As you can see in this figure 1, I intercept the request of this website signup page which is vulnerable for the XSS in User-Agent field.

now move on to the next step which is adding a payload on the User-Agent field.

Now to test let’s give a simple message “1” and click forward.

As you can see here the message is reflecting on the webpage as it’s reflecting we can inject our payload.

Finally we are able to inject JavaScript code to User-Agent header parameter.

How to prevent this XSS User-Agent Attack?

  1. User input needs to be encoded in the HTTP header and developer can implement filters which will eliminate any scripting tags.
  2. And in some cases, X-XSS-Protection header can prevent some level of XSS (cross-site-scripting) attacks as it’s an add-on to the browsers to sanitize HTML responses.
  3. The X-XSS-Protection header is easy to implement and only requires a slight web server configuration change. You might also want to check to make sure you don't already have the header enabled.

I hope you guys understand this attack and i hope you like this post.

Bye-Bye

Thanks

Happy Hacking ^_^

I’m a website penetration tester and also work with hackerOne and bugcrowd, Website Security is my life ^_^