AnsweredAssumed Answered

Reflected XSS (User-Agent & Referer) HTTP Header

Question asked by Gan Cheng Yee on Jul 28, 2013
Latest reply on Aug 8, 2013 by jkent

Hi there,


I am currently trying to validate a result from a Qualys scan and is trying to understand the result and if possible PoC it.


It seems from my understanding that by manipulating the Referer Header, the payload is being injected into the vuln web application.


The response from the scan is something as follow:



#1 Referer: http://localhost/%22%20onEvent%3DX165528268Y0Z%20

#2 Cookie: .........



<input name="startText_month" type="text" size="2" maxlength="2" style="ime-mode:disabled" onfocus="setRadio(2)" value="" onEvent=X2980548536Y5Z ">


My question is i tried doing the samething but did not get the same result. I tried running the web app behind a proxy and manipulating the Referer header and by appending '%22%20onEvent%3DX165528268Y0Z%20' to the end of the link under but still do not see the response when i try to search it with Firebug. I am trying to understand more on how did Qualys derive the response and if possible replay it. I believe the question with User-agent will be answered too similarly.


Thanks in advance for ur answers.