This was to write a PoC for the Microsoft Lync 2010 server, which is (quasi) vulnerable to anonymous XSS via the User-Agent header (the payload lands inside JavaScript).
This is a known and accepted issue, which was previously reported to and accepted by Microsoft, and in 2014 it is much harder to exploit:
- Microsoft Lync Server 2010: Remote Code Execution/XSS - User Agent Header
- Microsoft Lync 'User-Agent' Cross Site Scripting Vulnerability
- Is it possible to exploit XSS inside User-Agent header
Here are the PoCs I wrote (also on this gist, embedded below):
1. Direct Request using System.Net.WebClient:
2. Using WebBrowser Control
3. Using Watin.cs
PoC code: