Document Title:
===============
User Agent String Switcher Service - XSS Vulnerabilities
Date:
=====
2019-08-13
References:
===========
https://www.vulnerability-lab.com/get_content.php?id=2189
VL-ID:
=====
2189
Common Vulnerability Scoring System:
====================================
4
Vulnerability Class:
====================
Cross Site Scripting - Non Persistent
Introduction:
=============
This extension allows you to reliably spoof your browser "User-Agent" string to a custom one. The extension provides
a list of all well-known "User-Agent" strings for different browsers and operating systems.
(Copy of the Homepage: https://addons.mozilla.org/de/firefox/addon/user-agent-string-switcher/ & https://webbrowsertools.com/useragent/ )
Abstract:
=========
The vulnerability laboratory core research team discovered multiple client-side cross site scripting vulnerabilities in the User Agent String Switcher online web service.
Report-Timeline:
================
2019-08-14: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
Multiple client-side cross site scripting vulnerabilities have been discovered in the User Agent String Switcher online web service.
The vulnerability allows an attacker to inject malicious script code into client-side browser requests.
The vulnerability is located in the user agent input field of the browser switcher. Malicious script code can be entered
into the user agent input field. After the injection the app allows the user to perform a test on the webbrowsertools.com
domain of the extension developer. On that domain the user can preview the newly configured user agent of the client
(./useragent/). The injected script code executes in the affected window.navigator, ua-parser-js and platform.js outputs,
which render the spoofed user agent string without encoding it. The request is performed using GET ?method=normal&verbose=false&r.
The vulnerability can be used to trigger a remote cross site scripting issue with low required user interaction.
Injection of malformed or malicious script code allows attackers to perform external redirects, cross site request
forgery, phishing attempts or other non-persistent manipulation of the affected web module context.
Mozilla Extension:
[+] User Agent String Switcher (https://addons.mozilla.org/de/firefox/addon/user-agent-string-switcher/)
Web Service of Extension:
[+] User Agent String Switcher Web Service (https://webbrowsertools.com/useragent/)
Affected File(s):
window.navigator
ua-parser-js v0.7.19
platform.js v1.3.3
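The sink described above is a user-agent string (attacker-controlled once the extension spoofs it) being written into the page as markup. The following is an added example, not code from the advisory or from the webbrowsertools.com service, showing the unsafe rendering pattern next to a hardened one; the user agent value is constructed and the function names are assumptions.

```javascript
// Added example (not from the advisory or the affected service): a spoofed
// User-Agent is attacker-controlled input. Concatenating it into markup
// (innerHTML / string templates) is the XSS pattern the advisory describes;
// HTML-escaping it, or using textContent in the DOM, is the fix.

// Constructed sample: a spoofed UA with markup embedded, as the extension's
// input field allows. The <script> element is an inert placeholder.
const SPOOFED_UA =
  'Mozilla/5.0 (X11; Linux i686; rv:62.0) <script>injected</script>Gecko/20100101 Firefox/62.0';

// Vulnerable pattern: the value lands in the markup unchanged.
function renderUnsafe(ua) {
  return '<td>' + ua + '</td>';
}

// Minimal HTML escaper covering the five characters that matter in
// text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every field derived from the user agent (the raw
// navigator.userAgent string as well as parser output such as browser
// name/version or OS) is escaped before it is inserted into the table.
function renderSafe(fields) {
  return Object.entries(fields)
    .map(([k, v]) => '<tr><th>' + escapeHtml(k) + '</th><td>' + escapeHtml(v) + '</td></tr>')
    .join('');
}

// Detection helper: does the rendered output still contain a raw tag?
function containsRawTag(html, tag) {
  return html.includes('<' + tag);
}

// In a browser the DOM-safe equivalent is:
//   cell.textContent = navigator.userAgent;   // never cell.innerHTML = navigator.userAgent
```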
Proof of Concept:
=================
The security web vulnerability can be exploited by local and remote attackers with low user interaction (click).
For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
Manual steps to reproduce (Local) ...
1. Open the mozilla web browser
2. Install the user agent string switcher addon for mozilla
3. Open it and inject the test payload or your test script code into the user agent input field at the bottom of the addon
4. Apply the settings and open the test page
5. Switch with the tab through the affected file types
6. Successful reproduction of the vulnerability!
Manual steps to reproduce (Remote) ...
1. Prepare a GET request using the local injection described above
2. Copy the links with the correct r parameter to display the contents and execute the script code on the client-side
3. Successful reproduction of the vulnerability!
PoC Web Urls: Exploitation
https://webbrowsertools.com/useragent/?method=normal&verbose=false&r=0.2528440576064094
https://webbrowsertools.com/useragent/?method=normal&verbose=false&r=0.4067375366054382
PoC: Attacker Browser Settings (Exp. User Agent Payload)
Host: www.vulnerability-lab.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:62.0) <[INJECTED SCRIPT CODE PAYLOAD!]>Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=idtvmbt3io7q6pd6n0gn
--- PoC Session Logs ---
- platform.js
https://unpkg.com/platform@1.3.5/platform.js
Host: unpkg.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://webbrowsertools.com/
GET: HTTP/2.0 200 OK
content-type: application/javascript; charset=utf-8
vary: Accept-Encoding
access-control-allow-origin: *
etag: W/"9eef-dbZwW8lUf+koS79YPLDTa/M/XUE"
age: 315114
cache-control: public, max-age=31536000
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
server: cloudflare
content-encoding: br
X-Firefox-Spdy: h2
- ua-parser.js
https://unpkg.com/ua-parser-js@0.7.19/src/ua-parser.js
Host: unpkg.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://webbrowsertools.com/
GET: HTTP/2.0 200 OK
content-type: application/javascript; charset=utf-8
vary: Accept-Encoding
access-control-allow-origin: *
etag: W/"ca6c-WNn+CdwU63oH9i+AYovEdlMEJEU"
cache-control: public, max-age=31536000
age: 549107
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
content-encoding: br
X-Firefox-Spdy: h2
Content-Security-Policy: upgrade-insecure-requests
- navigator
Host: developer.mozilla.org
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://webbrowsertools.com/
Reference(s):
https://developer.mozilla.org/docs/Web/API/Window/navigator
https://unpkg.com/ua-parser-js@0.7.19/src/ua-parser.js
https://unpkg.com/platform@1.3.5/platform.js
https://github.com/faisalman/ua-parser-js
https://github.com/bestiejs/platform.js/
Risk:
=====
The security risk of the client-side input validation web vulnerability in the webtools service of the addon is estimated as medium.
Credits:
========
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to ask for permission.
Copyright © 2019 | Vulnerability Laboratory - [Evolution Security GmbH]™