
User agent code injection


ghost

I remember reading a post a while back about injecting code through your user agent, but the OP wasn't sure how, and the other day I realized a lot of sites that tell you your IP address also tell you your browser name. As it turns out, most of the sites I checked executed the script I put in the user agent string. Amusingly, when I searched for sites that detect what browser you're using, they mostly seemed pretty well sanitized, which seemed a bit backwards… Does anyone know if this is the only place this could be useful (if that even qualifies as useful), or does code injection through a user agent have any real applications?


ADIGA (Member)

User agent injection can be used in 2 places mainly… 1- if the webpage or script stores data into a database. 2- if some logs are kept in HTML format or stored in a file then displayed in an HTML page.

The best way to check whether a script does not handle that very well is to download the script source and check what kind of filtering and storing it does with the user agent.

Also, another thing that some devs miss filtering is the referrer, as some scripts store what pages or URLs sent you to the website.

As said before, download the script and see what filtering applies.
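The log-viewer case from the reply above, as an added example that is not part of the original thread: it parses constructed access-log lines, shows an unescaped HTML renderer next to one that encodes on output, and flags header fields that carry markup. The log format (Apache/nginx "combined"), the sample lines and all function names are assumptions made for illustration.

```python
import html
import re

# Constructed sample lines in "combined" access-log format (not from the thread).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 '
    '"https://example.org/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "<script>alert(1)</script>"',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET / HTTP/1.1" 200 512 '
    '"<img src=x onerror=alert(1)>" "curl/8.0"',
]

QUOTED = r'"((?:[^"\\]|\\.)*)"'   # quoted field, tolerating backslash escapes
LINE_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED
)
FIELDS = ("ip", "time", "request", "status", "referer", "user_agent")


def parse(line):
    """Split one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return dict(zip(FIELDS, m.groups())) if m else None


def row_unsafe(entry):
    """What a naive log page does: header values go into the HTML untouched."""
    return "<tr>" + "".join(f"<td>{entry[f]}</td>" for f in FIELDS) + "</tr>"


def row_safe(entry):
    """Encode every field at output time, whatever was filtered on the way in."""
    cells = (html.escape(entry[f], quote=True) for f in FIELDS)
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def suspicious_fields(entry):
    """Client-controlled fields carrying angle brackets, worth reviewing."""
    return [f for f in ("request", "referer", "user_agent")
            if "<" in entry[f] or ">" in entry[f]]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        e = parse(line)
        print(suspicious_fields(e), row_safe(e))
```

Encoding in `row_safe` happens where the value is written into HTML, so it also covers values that were stored in a database or file before any filtering existed.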