Friday, August 14, 2009

XSS-ing the user agent. Is there a point?

Still haven't gotten around to recapping the rest of BlackHat/DEFCON. It's still on the list. In the meantime...

I've been seeing a lot of this lately:
User-Agent: <script>window.location='http://somewhere'</script> (compatible; MSIE 7.0; ...etc etc)

I'm not sure if this is attacking a specific vulnerability, or just trolling for unknown XSS vulnerabilities. Doesn't seem like the most subtle way to do it in either case. Anyone know?


cji said...

Hi Tyler,

Not sure if you saw my comment on the tactical web app sec blog below yours, but a quick search on OSVDB for "user-agent" shows 54 results.[vuln_title]=user-agent&search[text_type]=alltext

There are quite a few apps that are historically vulnerable to XSS via the user-agent header. I'm sure there are others as well that OSVDB might be missing.

Not sure if the attacks you're seeing are going after anything specific, though, as the most recent one in OSVDB is for SHOUTCast back in February.

Tyler said...

Hey man, yeah I saw the comment. I guess I wasn't clear enough. I know this is a valid attack vector, but the way I see it, the point is either to exploit vulnerable apps or to discover new vulnerable apps.

If it's an exploit, then why the wack-ass payload? A popup or a redirect doesn't really accomplish much... does it?

Or if it's to find new vulnerable targets, why the complete lack of subtlety?

Or am I just giving the attackers way too much credit? :)

cji said...

I see it as similar to the drive-by SQL injections - They weren't targeted at a certain web app, but just assumed that a lot of web apps had SQL injection issues. They sent the same basic SQL injection vector to any parameter they saw as they crawled along and just attempted to inject an iframe that loaded all kinds of nasty malware.

This user-agent XSS would cause an admin looking at a Webalizer log (or something similar) to get redirected/pop-up'd with spam or malware much in the same way, I'd imagine. In that case a redirect/pop-up could accomplish enough for them.

What's at the pages you're seeing in the logs? If it's spam or other nastiness, then they're probably trying to actively exploit a known or suspected issue. If not, who knows.
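As an added example (not code from the post or its commenters) covering both the payload Tyler quotes and the log-viewer scenario cji describes: a small parser for combined-format access logs, a check that flags User-Agent values carrying markup, and the output escaping a log report needs so such a payload is displayed rather than executed. The log lines are constructed, and the field regex assumes the standard Apache/nginx "combined" format.

```python
import html
import re

# Constructed sample lines in "combined" log format (not real traffic).
# Line 1 carries the payload from the post, line 3 a second HTML-bearing UA.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Aug/2009:10:01:02 -0700] "GET / HTTP/1.1" 200 512 "-" "<script>window.location='http://somewhere'</script> (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.9 - - [14/Aug/2009:10:01:03 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:3.5) Gecko/20090729 Firefox/3.5.2"
198.51.100.7 - - [14/Aug/2009:10:02:00 -0700] "GET /about HTTP/1.1" 200 88 "-" "Mozilla/4.0 (compatible; MSIE 7.0; <img src=x onerror=alert(1)>)"
"""

# Combined format: the last two quoted fields are Referer and User-Agent.
# Real servers escape an embedded double quote as \" ; this simple regex does
# not handle that case and will skip such lines rather than misparse them.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markup or script hooks that have no business in a User-Agent string.
SUSPECT_UA_RE = re.compile(r'<\s*/?\s*[a-z]|javascript:|on[a-z]+\s*=', re.IGNORECASE)


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it doesn't match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def suspicious_user_agents(log_text):
    """Return (client_ip, user_agent) for every line whose UA carries markup."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec and SUSPECT_UA_RE.search(rec["ua"]):
            hits.append((rec["ip"], rec["ua"]))
    return hits


def render_ua_cell(ua):
    """Escape a UA for an HTML report so a stored payload is shown, not run."""
    return "<td>%s</td>" % html.escape(ua, quote=True)


if __name__ == "__main__":
    for ip, ua in suspicious_user_agents(SAMPLE_LOG):
        print(ip, render_ua_cell(ua))
```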