
Robin June 30, 2014

You're absolutely right that the IP address and UserAgent can be easily obtained through XSS. Spoofing the UserAgent is trivial, but the IP address presents a bit more of a problem, because it's much harder to spoof. You could get around this by doing something like forcing the victim's browser to make the requests for you (CSRF-style, although anti-CSRF tokens will make this tricky), or even tunneling your traffic through their browser session with something like BeEF. These kinds of security measures aren't going to stop an attacker with time and knowledge, but they do make it quite a lot harder than just stealing cookies.
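
An added example, not part of Robin's comment or the original article: a minimal server-side check that pins a session to the IP address and User-Agent seen at login, so a cookie replayed from a different client is rejected. The in-memory store, the function names and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory session store: session id -> (user, client binding).
SESSIONS = {}
SERVER_KEY = secrets.token_bytes(32)  # per-process key for the binding HMAC


def _binding(ip: str, user_agent: str) -> bytes:
    """HMAC over the client properties the session is pinned to."""
    msg = ip.encode() + b"\x00" + user_agent.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def create_session(user: str, ip: str, user_agent: str) -> str:
    """Issue a session id and record the IP/User-Agent seen at login."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (user, _binding(ip, user_agent))
    return sid


def validate(sid: str, ip: str, user_agent: str):
    """Return the user if the request matches the binding, else None.

    Design choice of this example: a mismatch destroys the session, so a
    cookie presented by another client also ends the legitimate session,
    which makes the event visible to the user and in the logs.
    """
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    user, bound = entry
    if not hmac.compare_digest(bound, _binding(ip, user_agent)):
        del SESSIONS[sid]
        return None
    return user


# Constructed sample values (documentation address ranges, made-up UA).
VICTIM_IP, OTHER_IP = "203.0.113.10", "198.51.100.77"
UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"
```

Requests issued from the user's own browser carry the same IP address and User-Agent and therefore still pass this check, which is the limitation the comment describes.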