Cross Site Scripting (XSS) at User-Agent
While following the WASC Distributed Open Proxy Honeypot project, we came across a post by Ryan Barnett discussing the use of cross-site scripting (XSS) payloads in the User-Agent header (WASC Distributed Open Proxy Honeypot Update – XSS in User-Agent Field – http://tacticalwebappsec.blogspot.com/2009/08/wasc-distributed-open-proxy-honeypot.html ).
We were curious to know what an attacker could actually gain from this type of attack.
Initially, we changed our User-Agent to <script>alert('oi')</script>: if a site ran a faulty browser-detection script that echoed the header back into the page, we would have seen the alert. We visited scores of well-known sites to observe how they behaved with such an unusual User-Agent, but without success; nothing anomalous happened.
In a second round I went to sites that perform browser-version checking and found a project that executes our JavaScript (it is worth remembering that we visited only a few sites, so this is unlikely to be the only vulnerable one):
Scripts — Full Featured PHP Browser Detection & OS Detection – http://techpatterns.com/downloads/php_browser_detection.php
Continuing the tests, and as suggested in the WASC blog, perhaps the more likely targets are web log analyzers such as WebTrends, Google Analytics and others available on the market, since they render the stored User-Agent values in reports.
We performed initial tests against sites monitored by Locaweb's log analysis system and by Google Analytics. Neither showed anything anomalous; apparently both "sanitize" the User-Agent before displaying it, as can be seen in the images below.
In our second test stage we will send the User-Agent in various forms, including hex encoding among other methods, again using Locaweb's system and Google Analytics as the baseline, and we will also set up AWStats in our lab to check how it behaves (we have around 30 different User-Agents in mind).
Frankly, we do not regard XSS in the User-Agent as a great threat, since we do not know exactly how web log analysis systems parse the User-Agent field, or whether the real target is something else; but we will keep researching and monitoring environments.
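As an added illustration of both halves of the discussion above (detecting odd User-Agents in logs, including hex/percent-encoded ones, and what a log viewer or browser-detection script must do before echoing the header into HTML), here is a small Python script. It is example code written for this post, not part of the N-Stalker tests or of any analyzer mentioned; the Apache combined-format log lines are constructed samples, and the regex of script markers is a deliberately simple assumption for demonstration.

```python
import html
import re
import urllib.parse

# Constructed sample lines in Apache "combined" log format (the User-Agent
# is the last quoted field). These addresses and agents are made up.
SAMPLE_LOG = r'''
203.0.113.5 - - [10/Aug/2009:12:00:01 -0300] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.5"
203.0.113.6 - - [10/Aug/2009:12:00:02 -0300] "GET /index.php HTTP/1.1" 200 512 "-" "<script>alert('oi')</script>"
203.0.113.7 - - [10/Aug/2009:12:00:03 -0300] "GET /index.php HTTP/1.1" 200 512 "-" "%3Cscript%3Ealert%28%27oi%27%29%3C%2Fscript%3E"
203.0.113.8 - - [10/Aug/2009:12:00:04 -0300] "GET /stats HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
'''

# Parser for the combined log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Simple markers of HTML/JS content that never belong in a browser string
# (assumption: a real analyzer would use a fuller rule set).
SUSPICIOUS_UA = re.compile(
    r"<\s*/?\s*script|<\s*(?:img|svg|iframe)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def normalize_ua(ua, max_rounds=3):
    """Percent-decode repeatedly so hex-encoded payloads are inspected in the clear."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(ua)
        if decoded == ua:
            break
        ua = decoded
    return ua


def is_suspicious_ua(ua):
    """True when the (decoded) User-Agent carries script-like markup."""
    return SUSPICIOUS_UA.search(normalize_ua(ua)) is not None


def render_ua_for_html(ua):
    """What a log viewer or browser-detection page must do before echoing the
    header into HTML: entity-encode it, so markup is shown rather than run."""
    return html.escape(ua, quote=True)


def scan_log(text):
    """Return (ip, raw_ua, safe_html_ua) for every line with a suspicious User-Agent."""
    hits = []
    for line in text.strip().splitlines():
        rec = parse_combined(line)
        if rec and is_suspicious_ua(rec["ua"]):
            hits.append((rec["ip"], rec["ua"], render_ua_for_html(normalize_ua(rec["ua"]))))
    return hits


if __name__ == "__main__":
    for ip, raw, safe in scan_log(SAMPLE_LOG):
        print(f"{ip}\traw={raw!r}\tsafe_for_report={safe}")
```

The decode loop is what catches the hex-encoded variant from the second test stage: the third sample line contains no literal `<` until it is percent-decoded. The escaped form returned by `render_ua_for_html` is the value a report page should embed, regardless of what the raw log stores.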
What do you think? What would be the targets for XSS in the User-Agent? Have you already caught a weird User-Agent in your logs? If you have faced a similar situation, please get in touch with us, and follow the next post for the test results.
N-Stalker Research Team