CSP and <base> Tag Injection + Suggestion for New CSP Directive "base-src" in CSP 1.1

Hi,

Even if a site is using a 'self' CSP policy for all types of resources, an
attacker can still inject a <base> tag and CSP cannot stop it, e.g.:

On the testing environment
http://www.mobilefuxx.de/csp/xsstest/test_unsafe.php, you may set the
following CSP header as an example:

default-src 'self';

and in the allowed injection area, inject:

<BASE HREF="http://www.google.com/logos/">
<img src="classicplus.png">

Now click the "Submit Attack" button ... nothing happens, but behind the scenes
Chrome has changed the base URL. You can see the new URL by clicking the
"Submit Attack" button again; the URL you now have is:

http://www.google.com/csp/xsstest/test_unsafe.php

I think, or I would like to suggest, that CSP 1.1 should also have a base-src
'self' directive in order to stop base tag injection. At the same time I
would also like to point out a few posts related to the base tag and how an
attacker can use it to exfiltrate information. Thanks!

http://lcamtuf.coredump.cx/postxss/
http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/
http://avuko.net/

Reference Bug: https://bugs.webkit.org/show_bug.cgi?id=99318

Thanks!

Best Regards,

ashar

Received on Monday, 15 October 2012 16:35:03 UTC
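As an added example, not part of the original post or of the test page it links to, the following Node.js script models what the post describes: a relative reference in the page resolves against the document base, an injected <base href> moves that base to another origin, and a policy of only default-src 'self' does nothing about it, because the base is not a fetch and no CSP 1.0 directive governs it. The page URL and injected base are the ones from the post; the root-relative form action path for the "Submit Attack" button, the simplified source-list matching (only 'self', 'none' and exact origins), and the handling of the proposed base-src directive under the same rules as base-uri (the name CSP Level 2 later adopted, with no fallback to default-src) are assumptions made for illustration.

```javascript
// Added example, not code from the original post or from the linked test page.
// The page URL and injected base come from the post; FORM_ACTION, the source
// matching rules and the base-src/base-uri handling are assumptions.
const PAGE_URL = "http://www.mobilefuxx.de/csp/xsstest/test_unsafe.php";
const INJECTED_BASE = "http://www.google.com/logos/";
// Assumed: the test page's "Submit Attack" form posts to this root-relative path.
const FORM_ACTION = "/csp/xsstest/test_unsafe.php";

// Resolve a relative reference the way a browser does: against the document
// base, which is the page URL unless a <base href> is in effect.
function resolveRelative(ref, pageUrl, baseHref) {
  const documentBase = baseHref ? new URL(baseHref, pageUrl).href : pageUrl;
  return new URL(ref, documentBase).href;
}

// Parse "dir src src; dir src" into a Map of directive -> [source expressions].
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Simplified source-list match: 'none', 'self' (same origin as the page) or an
// exact origin such as http://www.google.com. Wildcards and paths are not handled.
function matchesSourceList(sources, url, pageUrl) {
  const target = new URL(url);
  const page = new URL(pageUrl);
  if (sources.length === 1 && sources[0] === "'none'") return false;
  for (const src of sources) {
    if (src === "'self'" && target.origin === page.origin) return true;
    if (!src.startsWith("'")) {
      try {
        if (new URL(src).origin === target.origin) return true;
      } catch (_) { /* not an absolute origin; skip */ }
    }
  }
  return false;
}

// Whether a fetch governed by `directive` may load `url`. Fetch directives such
// as img-src fall back to default-src when absent.
function fetchAllowed(policy, directive, url, pageUrl) {
  const sources = policy.get(directive) || policy.get("default-src");
  if (!sources) return true; // no applicable directive: unrestricted
  return matchesSourceList(sources, url, pageUrl);
}

// Whether an injected <base href> is honoured. With CSP 1.0 there is no
// directive for this, so default-src never applies. The post's proposed
// base-src is treated here like base-uri: checked on its own, no fallback.
function baseAllowed(policy, baseHref, pageUrl) {
  const sources = policy.get("base-uri") || policy.get("base-src");
  if (!sources) return true;
  return matchesSourceList(sources, new URL(baseHref, pageUrl).href, pageUrl);
}

// Walk through the attack from the post under a given policy and report where
// the image request and the form submission end up.
function simulate(cspHeader, pageUrl, baseHref) {
  const policy = parseCsp(cspHeader);
  const effectiveBase = baseAllowed(policy, baseHref, pageUrl) ? baseHref : null;
  const imgUrl = resolveRelative("classicplus.png", pageUrl, effectiveBase);
  const formUrl = resolveRelative(FORM_ACTION, pageUrl, effectiveBase);
  return {
    baseHonoured: effectiveBase !== null,
    imgUrl,
    imgLoads: fetchAllowed(policy, "img-src", imgUrl, pageUrl),
    formUrl,
    // form-action has no default-src fallback; absent it, navigation is unrestricted.
    formSubmits: policy.has("form-action")
      ? matchesSourceList(policy.get("form-action"), formUrl, pageUrl)
      : true,
  };
}

// The post's policy: the image is blocked (so "nothing happens" visibly), but the
// base has moved and the form now submits to www.google.com.
console.log(simulate("default-src 'self'", PAGE_URL, INJECTED_BASE));
// The same page with the proposed directive: the injected base is refused and
// both references stay on the original origin.
console.log(simulate("default-src 'self'; base-src 'self'", PAGE_URL, INJECTED_BASE));
```

Under default-src 'self' the simulation reproduces the post exactly: the image resolves to http://www.google.com/logos/classicplus.png and is blocked by CSP, which is why nothing visible happens, while the form action resolves to http://www.google.com/csp/xsstest/test_unsafe.php and is not governed by any directive, so the second click navigates there. Adding a base-restricting directive is the only line in the model that changes that outcome; widening default-src never would.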