Bug 99318 - CSP and <base> Tag Injection
Summary: CSP and <base> Tag Injection
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mike West
URL:
Keywords:
Depends on:
Blocks: 113307
Reported: 2012-10-15 06:13 PDT by Ashar Javed
Modified: 2013-03-26 06:58 PDT
CC: 3 users

See Also:
Description Ashar Javed 2012-10-15 06:13:21 PDT
Hi,

Even if a site is using a 'self' CSP policy for all types of resources, an attacker can still inject a <base> tag and CSP cannot stop it. e.g.,

On testing environment: http://www.mobilefuxx.de/csp/xsstest/test_unsafe.php , you may set the following CSP header as an example:

default-src 'self';

and in the allowed injection area, inject:

<BASE HREF="http://www.google.com/logos/">
<img src="classicplus.png">

Now click the "Submit Attack" button ... nothing happens, but behind the scenes Chrome has changed the base URL. You can see the new URL by clicking the "Submit Attack" button again; the URL you now have is:

http://www.google.com/csp/xsstest/test_unsafe.php

I think, or I would like to suggest, that CSP 1.1 should also have a base-src 'self' directive in order to stop base tag injection. At the same time I would also like to point out a few posts related to the base tag and how an attacker can use it to exfiltrate information. Thanks!

http://lcamtuf.coredump.cx/postxss/
http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/
http://avuko.net/

Thanks!
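The mechanism the report describes, as an added example that is not code from the bug report or from WebKit: under a policy of only "default-src 'self'", the injected <base href> is accepted, so every relative reference in the page now resolves against the attacker's origin. The image is refused (img-src falls back to default-src), which is why "nothing happens" visibly, but the form the page posts to has silently moved to google.com. The simulation also shows the effect of the directive CSP Level 2 later standardised for this purpose, base-uri (the report proposes the name base-src). The page URL and the post-injection form URL are taken from the report; the page's form action and image reference are constructed so that they reproduce those URLs, and the CSP evaluator is a deliberately simplified model of directive fallback rather than a full CSP implementation.

```javascript
// Added example, not code from the bug report or from WebKit. Models how an
// injected <base href> moves a page's relative URLs to another origin and why
// "default-src 'self'" alone does not prevent it. Run with: node base_injection.js

const PAGE_URL = 'http://www.mobilefuxx.de/csp/xsstest/test_unsafe.php';

// Relative references assumed to be in the test page (constructed). A
// root-relative form action yields exactly the post-injection URL the reporter
// observed: http://www.google.com/csp/xsstest/test_unsafe.php
const PAGE_REFS = {
  form: '/csp/xsstest/test_unsafe.php',
  img: 'classicplus.png',
};

// Fetch directives that fall back to default-src when not set. form-action and
// base-uri are deliberately absent from this set: when they are missing from a
// policy nothing restricts form targets or the document base URL.
const FALLS_BACK_TO_DEFAULT = new Set([
  'img-src', 'script-src', 'style-src', 'font-src',
  'connect-src', 'media-src', 'object-src', 'frame-src',
]);

// Parse a CSP header into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return policy;
}

// Would the policy permit `directive` to use `targetUrl` from a page at
// `pageUrl`? Only 'self', 'none', '*' and full-origin sources are modelled.
function cspAllows(policy, directive, targetUrl, pageUrl) {
  let sources = policy[directive];
  if (sources === undefined && FALLS_BACK_TO_DEFAULT.has(directive)) {
    sources = policy['default-src'];
  }
  if (sources === undefined) return true; // no applicable directive: unrestricted
  const targetOrigin = new URL(targetUrl).origin;
  const pageOrigin = new URL(pageUrl).origin;
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") return targetOrigin === pageOrigin;
    return targetOrigin === new URL(src).origin; // e.g. https://cdn.example.com
  });
}

// Simulate the injected page: the document base URL stays PAGE_URL unless the
// injected <base href> is accepted by base-uri, then resolve the page's
// references against it (as the HTML base URL algorithm does) and ask the
// policy whether each resulting load or submission is allowed.
function simulate(cspHeader, injectedBaseHref) {
  const policy = parseCsp(cspHeader);
  let baseUrl = PAGE_URL;
  let baseApplied = false;
  if (injectedBaseHref) {
    const candidate = new URL(injectedBaseHref, PAGE_URL).href;
    if (cspAllows(policy, 'base-uri', candidate, PAGE_URL)) {
      baseUrl = candidate;
      baseApplied = true;
    }
  }
  const imgUrl = new URL(PAGE_REFS.img, baseUrl).href;
  const formUrl = new URL(PAGE_REFS.form, baseUrl).href;
  return {
    baseApplied,
    imgUrl,
    imgLoads: cspAllows(policy, 'img-src', imgUrl, PAGE_URL),
    formUrl,
    formSubmits: cspAllows(policy, 'form-action', formUrl, PAGE_URL),
  };
}

// The injection from the report, evaluated under the reporter's policy and
// under the same policy with base-uri added.
const INJECTED_BASE = 'http://www.google.com/logos/';
console.log('default-src only   :', simulate("default-src 'self'", INJECTED_BASE));
console.log('with base-uri self :', simulate("default-src 'self'; base-uri 'self'", INJECTED_BASE));
```

With the reporter's policy the first result has baseApplied true, imgLoads false and formUrl pointing at www.google.com: the image block is the only visible symptom, while the next submission of the form carries its contents off-origin. Adding base-uri 'self' keeps baseApplied false and every URL on www.mobilefuxx.de. Note that form-action, like base-uri, does not inherit from default-src, so a policy that wants to pin form targets has to say so explicitly as well.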
Comment 1 Adam Barth 2012-10-15 09:23:15 PDT
That's a good idea.  Would you be willing to email this information to the public-webappsec mailing list?  That's the appropriate forum for proposing features for CSP 1.1.

Thanks!
Comment 2 Ashar Javed 2012-10-15 09:24:48 PDT
Hi Adam,

Thanks for information.

I will do that. Thanks!

Best,

(In reply to comment #1)
> That's a good idea.  Would you be willing to email this information to the public-webappsec mailing list?  That's the appropriate forum for proposing features for CSP 1.1.
> 
> Thanks!
Comment 3 Mike West 2012-10-23 14:35:48 PDT
> (In reply to comment #1)
> > That's a good idea.  Would you be willing to email this information to the public-webappsec mailing list?  That's the appropriate forum for proposing features for CSP 1.1.
> > 
> > Thanks!

I've just put together a test at https://mkw.st/p/mixed/base.html and can't reproduce your result, Ashar. Could you put up a sample that exhibits the problem (or did I screw up my test?)?

Thanks!
Comment 4 Ashar Javed 2012-10-24 00:51:37 PDT
Hi Mike,

I have just tested this again and it works in Chrome Stable, but in Canary it does not work.

In Chrome Stable the URL http://www.mobilefuxx.de/csp/xsstest/test_unsafe.php becomes http://www.google.com/csp/xsstest/test_unsafe.php

Steps to Reproduce
-----------------

1) In Chrome Stable open: http://www.mobilefuxx.de/csp/xsstest/test_unsafe.php

Set the header to 'self' and in the text area inject:

<BASE HREF="http://www.google.com/logos/">
<img src="classicplus.png">

Click "Submit Attack" button.

Behind the scenes in Chrome Stable the base URL, which was mobilefuxx, has been changed to google. You can see this by clicking on the button (Submit Attack) again.

I hope it helps. Thanks!
(In reply to comment #3)
> > (In reply to comment #1)
> > > That's a good idea.  Would you be willing to email this information to the public-webappsec mailing list?  That's the appropriate forum for proposing features for CSP 1.1.
> > > 
> > > Thanks!
> 
> I've just put together a test at https://mkw.st/p/mixed/base.html and can't reproduce your result, Ashar. Could you put up a sample that exhibits the problem (or did I screw up my test?)?
> 
> Thanks!
Comment 5 Mike West 2012-11-08 02:43:39 PST
Great. Looks like this is fixed in trunk, then.