by Anshuman    May 25, 2019

This is a demonstration of a Cross-Site Scripting (XSS) attack through the User-Agent header. For this demo I'll be using bWAPP, a deliberately buggy web application that we can use to practise testing various web vulnerabilities.

bWAPP Official Link:- http://www.itsecgames.com/

Now choose "Cross-Site Scripting - Reflected (User-Agent Header)" from the drop-down menu and click Hack.

What is the User-Agent header?

The User-Agent request header is a string sent by the client software acting on behalf of the user (a browser, a mobile app, a crawler). It lets the network protocol peers identify the application type, operating system and software version of the client.

Content-Type is another example of an HTTP header: with it we tell the receiving side which format the data is being sent in (for example JSON or XML).

For example: suppose I open a website on a mobile phone. The site should be responsive, so it should load the mobile version of the page rather than the desktop one. With the help of the User-Agent header the server is able to serve the proper web page for the device.

As you can see here, the page is able to identify my browser version, operating system and some other details.

So our goal is to intercept this request and inject the payload into this header parameter.

To inject the payload we need to intercept the HTTP request, and for that we can use Burp Suite.

What is Burp Suite?

Burp Suite is a graphical tool used to test web application security; with its help we can identify vulnerabilities in a web application.

If you want to know more about this tool you can visit the official website of its vendor, PortSwigger.

To intercept the first request, go to the Proxy tab and click the Intercept button to start intercepting HTTP requests.

After that go to the portal page, choose "Cross-Site Scripting - Reflected (User-Agent Header)" and click Hack.

Now if you go back to Burp you will be able to see the intercepted request. Click Forward until you reach the "xss_user_agent.php" page.

Now, as a test, replace the User-Agent value with a simple message, "This is a buggy User-Agent header", and click Forward.

As you can see here the message is reflected on the web page, and since it is reflected we can inject our payload.

So go back to Burp Suite and turn off Intercept. Then follow the same steps again to intercept the request.

Now inject the payload into the "User-Agent" header parameter:

<script>alert('This is a buggy User-Agent header')</script>

As you can see, we are able to inject JavaScript code through the User-Agent header parameter and the browser executes it.

How do we prevent this attack?

1. User input coming from HTTP headers needs to be output-encoded before it is written into the page, and the developer can implement filters that eliminate any scripting tags.

2. In some cases the X-XSS-Protection header can prevent some level of XSS (cross-site scripting) attacks, as it switches on the browser's built-in filter for reflected HTML responses. Note that this filter has been removed from current Chromium-based browsers and never existed in Firefox, so it is at best a defence in depth: a Content-Security-Policy header and proper output encoding are what actually stop the injection.
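To make the reflection and the fix concrete, here is an added example (my own Python code, not part of bWAPP, which is written in PHP). It parses a constructed raw request like the one intercepted in Burp, pulls out the User-Agent header, and renders it into an HTML page twice: once unchanged, as xss_user_agent.php does, and once entity-encoded the way point 1 above recommends. The request line, the host name and the helper names are assumptions made for the example.

```python
import html
import re

# Constructed raw HTTP request, as it would appear in the proxy after the
# User-Agent value has been replaced with the payload from this post.
RAW_REQUEST = (
    "GET /xss_user_agent.php HTTP/1.1\r\n"
    "Host: bwapp.example\r\n"                     # assumed host name
    "User-Agent: <script>alert('This is a buggy User-Agent header')</script>\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into a dict of lower-cased header names."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:          # lines[0] is the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def render_vulnerable(user_agent: str) -> str:
    """Reflects the header into the HTML body as-is: this is the bug."""
    return f"<p>Your browser: {user_agent}</p>"


def render_encoded(user_agent: str) -> str:
    """Entity-encodes the header before it reaches the HTML body (the fix)."""
    return f"<p>Your browser: {html.escape(user_agent, quote=True)}</p>"


# A very small check that a script tag survived into the response.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(page: str) -> bool:
    """True when the rendered page still carries a live <script> tag."""
    return bool(SCRIPT_TAG.search(page))


if __name__ == "__main__":
    ua = parse_headers(RAW_REQUEST)["user-agent"]
    print("vulnerable:", render_vulnerable(ua))
    print("encoded:   ", render_encoded(ua))
```

Running it shows the first page containing a real `<script>` element, while in the second the same payload appears as `&lt;script&gt;...&lt;/script&gt;` and is displayed as text rather than executed. The encoding belongs at the point where the value is written into HTML; the same header should be encoded differently if it were written into a JavaScript string or an attribute, which is why a blanket "strip script tags" filter alone is not enough.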

I hope you like this post. Bye for now.

Happy Hacking :)
