- From: Mike Taylor <miket@opera.com>
- Date: Wed, 17 Oct 2012 15:29:43 -0500
- To: public-webapps@w3.org
On 10/13/12 4:08 AM, Hallvord R. M. Steen wrote:
> I came across an article [1] that describes some of the reasoning for
> Flash's change in security policy when it banned setting User-Agent.
> Apparently, some sites echo the User-Agent value back in markup in
> certain contexts (maybe a "browser requirements" page for example).
> Being able to set User-Agent from web content thus might cause XSS
> issues for such pages. These backends never had any reason to filter
> the User-Agent string before, so they probably don't.
For fun I set my UA string [1] to the following, just to see what, if anything, would break:
"Opera/9.80 (Macintosh; Intel Mac OS X 10.8.2; U; en) Presto/2.10.289 Version/12.02 <script>alert('o hai')</script>"
The obvious targets were sites that echo UA strings:
http://whatsmyuseragent.com/ alerts (and for some reason the styles of the page are broken)
http://whatsmyua.com/ gives a missing rails template page
http://logme.mobi/ alerts twice (one for navigator.userAgent, another for User-Agent:)
http://www.whatismyip.com/tools/user-agent-info.asp alerts
http://youruseragent.info/what-is-my-user-agent is sanitized
http://my-addr.com/ua is sanitized
[1] via opera:config#UserPrefs|CustomUser-Agent
--
Mike Taylor
Opera Software
Received on Wednesday, 17 October 2012 20:30:24 UTC
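As an added example (not part of Mike's post, nor code from any of the sites he tested), here is the reflection pattern his UA string trips, the escaped form that neutralises it, and a log check that flags such headers; the `/ua` path and the log lines are constructed.

```python
import html
import re

# The UA string from the post, used here as the sample input.
INJECTED_UA = ("Opera/9.80 (Macintosh; Intel Mac OS X 10.8.2; U; en) Presto/2.10.289 "
               "Version/12.02 <script>alert('o hai')</script>")
BENIGN_UA = INJECTED_UA.split(" <script>")[0]
PAGE_TEMPLATE = "<p>Your user agent is: <b>{ua}</b></p>"

def render_ua_page_unsafe(user_agent: str) -> str:
    """Reflect the header verbatim into markup: the pattern behind the alerts
    above, kept only as the 'before' picture."""
    return PAGE_TEMPLATE.format(ua=user_agent)

def render_ua_page(user_agent: str) -> str:
    """Reflect the header as text: escape for an HTML element context before
    interpolating (quote=True also covers attribute-value contexts)."""
    return PAGE_TEMPLATE.format(ua=html.escape(user_agent, quote=True))

# Metacharacters a browser never sends in its default UA but injection needs.
_MARKUP_RE = re.compile(r"[<>\"']")
# Last double-quoted field of a combined-format access log line (the UA);
# allows backslash-escaped quotes the way Apache writes them.
_UA_FIELD_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*$')

def ua_looks_like_markup(user_agent: str) -> bool:
    """Flag a UA header carrying markup metacharacters."""
    return bool(_MARKUP_RE.search(user_agent))

def scan_access_log(lines):
    """Return (line number, UA) for lines whose UA field looks like markup.
    Assumes combined log format; lines without a quoted UA field are skipped."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _UA_FIELD_RE.search(line)
        if m and ua_looks_like_markup(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

# Constructed log lines (not from the post): one benign visit, one carrying the
# injected UA against a hypothetical /ua page.
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Oct/2012:15:29:43 -0500] "GET /ua HTTP/1.1" 200 512 "-" '
    '"' + BENIGN_UA + '"',
    '198.51.100.7 - - [17/Oct/2012:15:30:01 -0500] "GET /ua HTTP/1.1" 200 560 "-" '
    '"' + INJECTED_UA + '"',
]
```

The same escaping rule applies client-side: a page that writes `navigator.userAgent` into `innerHTML` (the second alert on logme.mobi) needs `textContent` instead.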