I was about to try injecting the UserAgent string, because that's usually what is used to detect the browser version. However, before I did that, I noticed it was running ASPX (ASP.NET) and there is a page that checks the security (browser version). I went to take a look at my UserAgent with javascript:alert(navigator.userAgent) and found that I had .NET 1 to 3.5 in there. Now, you can imagine how long the UserAgent string is.
That was what stuck me. I went ahead and "customized" my UserAgent. Guess what, I was in the time management software again. So what apparently happened was, they check the browser based on the UserAgent, but they had specified a much too small buffer to read it in. I guess we can assume it caused a buffer overflow; however, ASP.NET will handle it nicely and the result is an error in the string reading. That caused a mismatch of my IE6 version, which ultimately booted me out of the software claiming I do not have IE6.
What worries me is that it's common for people with additional software to have such a long UserAgent. And if applications are not designed to play nice with these, it can cause lots of problems, such as a DoS of the application if I made everyone in the company have a long UserAgent string. While checking for the browser version is good, I believe it's necessary to update the routines for newer browsers such as Chrome and other newer dot net frameworks. After this small experience, I tried with a long UserAgent on several other sites and applications and found many not able to handle it. Worse still, I even managed to break a few which are not using the dot net framework.
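To make the failure mode above concrete, here is an added example (not code from the post or from the time management software) that contrasts a brittle UserAgent version check with a tolerant one. The brittle parser is a hypothetical reconstruction of what the post describes: it copies the header into an undersized fixed buffer and then expects a well-formed "(...)" comment, so a long IE6 string padded with .NET CLR tokens is cut off before the closing parenthesis and the version comes back as unknown. The sample UserAgent strings are constructed, and the buffer size and maximum header length are assumptions chosen for illustration.

```javascript
// Added example: brittle vs. tolerant User-Agent version detection.
// The "brittle" parser is a hypothetical model of the failure described in
// the post (a fixed-size buffer that truncates long UA strings); it is not
// the time-management software's actual code.

// Constructed sample: an IE6 UA on a machine with every .NET CLR version
// from 1.0 to 3.5 installed, similar to what the author saw.
const LONG_IE6_UA =
  "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; " +
  ".NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; " +
  ".NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; " +
  ".NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30729)";

// The same browser with the extra tokens removed (the "customized" UA).
const SHORT_IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)";

const BUFFER_SIZE = 64; // hypothetical undersized buffer

// Brittle check: copy the UA into a fixed buffer, then insist on a complete
// "(...)" comment group before looking for the MSIE token. A UA longer than
// the buffer loses its ")" and the version is reported as null, so the
// browser is wrongly rejected even though "MSIE 6.0" is present.
function brittleMsieVersion(ua) {
  const buf = ua.slice(0, BUFFER_SIZE);
  const comment = /\(([^)]*)\)/.exec(buf);
  if (!comment) return null;            // truncated: no closing paren
  const msie = /MSIE (\d+)\.(\d+)/.exec(comment[1]);
  return msie ? `${msie[1]}.${msie[2]}` : null;
}

// Tolerant check: search the whole header, bounded only by a sane maximum
// length so a pathologically long header cannot tie up the parser, and
// never require the comment group to be well-formed.
const MAX_UA_LENGTH = 4096; // assumed upper bound
function tolerantMsieVersion(ua) {
  if (typeof ua !== "string" || ua.length > MAX_UA_LENGTH) return null;
  const msie = /MSIE (\d+)\.(\d+)/.exec(ua);
  return msie ? `${msie[1]}.${msie[2]}` : null;
}

// Gate used by the hypothetical "security check" page: IE6 major version.
function isIe6(ua, detect) {
  const version = detect(ua);
  return version !== null && version.split(".")[0] === "6";
}

// Demonstration: the same browser passes or fails depending on the parser.
console.log("brittle, long UA :", isIe6(LONG_IE6_UA, brittleMsieVersion));   // false
console.log("brittle, short UA:", isIe6(SHORT_IE6_UA, brittleMsieVersion));  // true
console.log("tolerant, long UA:", isIe6(LONG_IE6_UA, tolerantMsieVersion));  // true
```

The point of the tolerant version is not the regex itself but the two properties a header parser needs: it must not depend on the header fitting a fixed-size buffer, and it must reject oversized input explicitly (with a clear error) rather than by silently truncating it and misreading what is left.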