
29 November 2012

Comments

I agree that injecting XSS code into request headers such as User-Agent is not new. The purpose of this post is to highlight that attackers are still using it and that security vendors must take care to prevent this type of attack if viewing attack data in a web-based console (reference: http://www.imperva.com/resources/adc/adc_advisories_response_secureworks.html).

Preventing this type of attack is one reason why Trustwave's WebDefend WAF does not use a web-based admin console.

This is an ancient trick. People were abusing a lack of escaping in the access log viewer of Netscape Commerce Server back in 1995 to inject text to advertise various things to webmasters.
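The rendering mistake the comments above describe (a web-based attack console or access-log viewer echoing request headers such as User-Agent into its own HTML without escaping) is easy to reproduce and to fix. The following is an added example, not code from the original post, the commenters, or any vendor product: a minimal log viewer over constructed combined-format log lines, with the naive rendering and the escaped rendering side by side, plus a simple check that flags request fields carrying markup. The regexes, function names and sample lines are assumptions made for the illustration.

```python
import html
import re

# Constructed sample access-log lines in combined log format (not real traffic).
# The second line carries a payload in the User-Agent header; nothing about the
# request itself is malicious until a console renders that header as HTML.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Nov/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [29/Nov/2012:10:00:02 +0000] "GET /login HTTP/1.1" 404 128 "-" "<script>alert(document.cookie)</script>"
"""

# Combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def render_vulnerable(rows):
    """What a naive console does: concatenate attacker-controlled fields into HTML."""
    cells = "".join(
        f"<tr><td>{r['ip']}</td><td>{r['req']}</td><td>{r['ua']}</td></tr>"
        for r in rows
    )
    return f"<table>{cells}</table>"


def render_hardened(rows):
    """Same view, but every untrusted field is HTML-escaped before insertion.

    html.escape with quote=True also escapes the quote characters, so the
    values stay inert even if a template later places them in an attribute.
    """
    def esc(value):
        return html.escape(value, quote=True)

    cells = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            esc(r["ip"]), esc(r["req"]), esc(r["ua"])
        )
        for r in rows
    )
    return f"<table>{cells}</table>"


# Assumed heuristic for triage: markup characters, a javascript: URL, or an
# on*= event handler inside a field that should only ever be plain text.
SUSPICIOUS = re.compile(r"""[<>"']|javascript:|on\w+\s*=""", re.IGNORECASE)


def flag_suspicious(rows):
    """Return the parsed rows whose request, referer or user-agent carries markup."""
    return [
        r for r in rows
        if any(SUSPICIOUS.search(r[field]) for field in ("req", "referer", "ua"))
    ]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("vulnerable:", render_vulnerable(rows))
    print("hardened:  ", render_hardened(rows))
    for r in flag_suspicious(rows):
        print("flagged:", r["ip"], repr(r["ua"]))
```

Escaping on output is the fix; the heuristic is only for triage, since a console that relies on filtering the input will miss the next encoding trick. A console that must show attack payloads should render them as text (escaped) and, as a second layer, serve a Content-Security-Policy that forbids inline script, so that a missed escape does not become code execution in the analyst's browser.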
