- From: Ashar Javed <justashar@gmail.com>
- Date: Mon, 15 Oct 2012 18:32:26 +0200
- To: public-webappsec@w3.org
- Cc: Adam Barth <abarth@webkit.org>
- Message-ID: <CAD5mSqWRg665Ng5HRS07PkRAeNUCe_zTe3z5hpbVq7UL5mPc4A@mail.gmail.com>
Hi,

Even if a site is using a 'self' CSP policy for all types of resources, an attacker can still inject a *<base>* tag and CSP cannot stop it.

e.g., On the testing environment: http://www.mobilefuxx.de/csp/xsstest/test_unsafe.php, you may set the following CSP header as an example:

default-src 'self';

and in the allowed injection area, inject:

<BASE HREF="http://www.google.com/logos/"> <img src="classicplus.png">

Now click the "*Submit Attack*" button ... nothing happens, but behind the scenes Chrome has changed the base URL. You can see the new URL by clicking the "*Submit Attack*" button again, and the URL you now have is:

http://www.google.com/csp/xsstest/test_unsafe.php

I think, or I would like to suggest, that CSP 1.1 should also have a *base-src 'self' directive* in order to stop base tag injection.

At the same time I would also like to point out a few posts related to the base tag and how an attacker can use it to exfiltrate information. Thanks!

http://lcamtuf.coredump.cx/postxss/
http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/
http://avuko.net/

Reference Bug: https://bugs.webkit.org/show_bug.cgi?id=99318

Thanks!

Best Regards,
ashar
Received on Monday, 15 October 2012 16:35:03 UTC
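An added illustration of the point raised in the post, not code from the mailing list or from the test page it links to: it resolves relative references against the document URL and against the injected base (the form action "/csp/xsstest/test_unsafe.php" is an assumption consistent with the URL the post reports), and checks a CSP header for the directive that later shipped in CSP Level 2 as base-uri, which does not fall back to default-src.

```python
from urllib.parse import urljoin

# Constructed values mirroring the test page and injection described in the post.
DOCUMENT_URL = "http://www.mobilefuxx.de/csp/xsstest/test_unsafe.php"
INJECTED_BASE = "http://www.google.com/logos/"
FORM_ACTION = "/csp/xsstest/test_unsafe.php"   # assumed root-relative action

WEAK_CSP = "default-src 'self'"
HARDENED_CSP = "default-src 'self'; base-uri 'self'"


def resolve(relative_ref, base=None):
    """Resolve a relative reference as the browser does: against the injected
    <base href> when one is in effect, otherwise against the document URL."""
    return urljoin(base or DOCUMENT_URL, relative_ref)


def parse_csp(header):
    """Split a CSP header into {directive-name: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_base_uri(header):
    """Classify how a policy constrains <base>. base-uri has no default-src
    fallback, so a policy that omits it leaves base injection unrestricted."""
    sources = parse_csp(header).get("base-uri")
    if sources is None:
        return "missing"
    if "*" in sources or "http:" in sources or "https:" in sources:
        return "permissive"
    return "restricted"


if __name__ == "__main__":
    for ref in ("classicplus.png", FORM_ACTION):
        print(f"{ref!r}: {resolve(ref)} -> {resolve(ref, INJECTED_BASE)}")
    for header in (WEAK_CSP, HARDENED_CSP):
        print(f"{header!r}: base-uri {check_base_uri(header)}")
```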