[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: <BASE> tag used for hijacking external resources (XSS)

I see what you mean. But unless it's a vulnerability in itself it's
not a security issue but a violation of standards - which is not such
a bad thing, but just following the principle of being strict in what
you generate and flexible in what you receive, to maximize
compatibility. In fact that would make it a feature rather than a bug.

Another way to see it: if you require the ability to inject HTML
content in order to inject HTML content, you're not getting any more
than you already have, so by definition it's not a vulnerability.
That's why you need something like a poorly implemented XSS filter to
consider this a vulnerability (having the ability to inject *some*
content, gain the ability to inject *any* content). But even in that
case it'd be a vulnerability of the XSS filter rather than the

On Fri, Dec 16, 2011 at 10:44 PM, Bouke van Laethem
<vanlaethem@xxxxxxxxx> wrote:
> On Fri, Dec 16, 2011 at 9:59 PM, Mario Vilas <mvilas@xxxxxxxxx> wrote:
>> Makes sense as a trick to bypass some crappy XSS filters that look for
>> strings like "javascript:", but I don't think it's a vulnerability in
>> itself.
> I would consider it a browser bug (although I agree it would mostly be
> abused through bypassing what you refer to as "crappy XSS filters"),
> because the browsers are going too far out of their way to parse
> invalid html.
> From http://www.w3.org/TR/html4/struct/links.html#h-12.4:
> When present, the BASE element must appear in the HEAD section of an
> HTML document, before any element that refers to an external source.
> The path information specified by the BASE element only affects URIs
> in the document where the element appears.
> w3.org doc also refers to RFC1080, http://www.ietf.org/rfc/rfc1808.txt:
> 10, Appendix:
> [...]
> HTML defines a special element "BASE" which, when present in the
> "HEAD" portion of a document, signals that the parser should use the
> BASE element's "HREF" attribute as the base URL for resolving any
> relative URLs.  The "HREF" attribute must be an absolute URL.

“There's a reason we separate military and the police: one fights the
enemy of the state, the other serves and protects the people. When the
military becomes both, then the enemies of the state tend to become
the people.”