[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: <BASE> tag used for hijacking external resources (XSS)

Makes sense as a trick to bypass some crappy XSS filters that look
forstrings like "javascript:", but I don't think it's a vulnerability
in itself.

On Fri, Dec 16, 2011 at 5:20 PM, Jann Horn <jannhorn@xxxxxxxxxxxxxx> wrote:
> 2011/12/15 Bouke van Laethem <vanlaethem@xxxxxxxxx>:
> > ISSUE:
> > The <base> tag is parsed outside of <head></head>. This can lead to
> > the base being reset, both before and after the <base> tag being
> > injected, depending on browser types and versions. As a result, images
> > and javascript can be loaded from an attackers domain, and forms and
> > hyperlinks point to the attackers domain.
> Erm... so you're basically assumint that the attacker can inject stuff
> into the page? If that's the case, you should have other issues than
> your links getting altered or so, no? E.g. what about javascript
> injection?

“There's a reason we separate military and the police: one fights the
enemy of the state, the other serves and protects the people. When the
military becomes both, then the enemies of the state tend to become
the people.”