0

I've seen

<base href=/\evil> 

and

 <base href=//0> 

as a vector to use XSS. Could someone make an example using these vectors and explain to me if "/\" is the same as http:// or has some special meaning?

Thanks.

    2 Answers

    1

    // is just the start of a protocol-relative URL. From this site, //google.com would take you to https://google.com. From a plain old http site, //google.com would take you to http://google.com (which would likely bounce you to the https site, but that's not tangential).

    The tag itself will set your relative URL interpretation to another domain. So with that above base tag in effect, <a href=/login>Login</a> on your site would not take you to your login page, it would take you to http://google.com/login. While google is benign, you can see the potential problem.

    In terms of your exact question, I'm not sure what the point of either example you provide is, as shown, other than just to break your site's links. A malicious use would have to list another destination in the base tag to be of use.

      0

      The <base> tag is used to change relative URLs to point to an evil twin site as the accepted answer points out, but there are caveats worth adding.

      Let's assume the following code is on https://mysite.com and the base tag is injected as shown. The login link will then resolve to https://eviltwin.com/login.php instead of https://mysite.com/login.php

      <head>
        <base href="https://eviltwin.com">
      </head>
      <body>
        <a href="/login.php">Login</a>
      </body>

      Because the <base> tag has to be inside the <head> tag, there are very few use cases where a hacker has access to the right part of the code to exploit this vulnerability. In general, if you have enough control to inject header code, you are either doing a man-in-the-middle attack on an unencrypted (http) connection, or you have access to rewrite someone's whole website. In either case, rewriting the base tag for an XSS attack is sort of a waste of how much control the hacker already has. It would be better (from a hacker's point of view) to just inject the malicious code directly into the page. This would prevent a number of scenarios that could alert the user that something is wrong.


      The rest of the stuff is probably just meant as a placeholder, but in the right context is also exploitable.

      In some instances /\0 or //0 will interpret as //0.0.0.0 which means "no particular address", but in other cases, going to IP 0.0.0.0 may initiate a default behavior which is exploitable such as https://nvd.nist.gov/vuln/detail/CVE-2018-1281. Using the less common /\0 instead of //0.0.0.0 could also help bypass validation.

      See: https://en.wikipedia.org/wiki/0.0.0.0 for more details on 0.0.0.0 behaviors.
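As an added example (not code from the question or from either answer), the JavaScript below resolves links through an injected <base> the way a WHATWG-compliant browser does, using the standard URL class that Node.js and browsers share. It answers the "/\" part of the question directly: for special schemes such as https, the URL parser treats a backslash like a forward slash, so `/\evil` resolved against the page becomes `https://evil/`, and `//0` becomes `https://0.0.0.0/` because a bare `0` host is parsed as an IPv4 address. It also includes the defender-side check both answers imply: flag any <base> whose resolved origin differs from the document's origin. The document URL, hostnames and HTML snippet are constructed sample values.

```javascript
// Added example, not from the question or answers. Assumptions: the document URL,
// host names and HTML below are constructed samples; URL is the standard WHATWG class.

// Resolve a link the way a browser does when a <base href> is present: the base is
// first resolved against the document URL, then the link resolves against that base.
function resolveWithBase(documentUrl, baseHref, linkHref) {
  const base = baseHref === null
    ? new URL(documentUrl)
    : new URL(baseHref, documentUrl);
  return new URL(linkHref, base).href;
}

// Does a link, resolved through the (possibly injected) base, leave the document's origin?
function leavesOrigin(documentUrl, baseHref, linkHref) {
  const resolved = new URL(resolveWithBase(documentUrl, baseHref, linkHref));
  return resolved.origin !== new URL(documentUrl).origin;
}

// Scan an HTML document (constructed sample) for <base href> values that resolve to a
// different origin than the page itself. This is the same condition that a CSP of
// `base-uri 'self'` enforces in the browser; here it is run offline over markup.
function findOffOriginBases(documentUrl, html) {
  const pageOrigin = new URL(documentUrl).origin;
  const found = [];
  // Matches href="...", href='...' or unquoted href=... on a <base> element.
  const re = /<base\s+[^>]*href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const href = m[1] ?? m[2] ?? m[3];
    const resolved = new URL(href, documentUrl);
    if (resolved.origin !== pageOrigin) found.push(resolved.href);
  }
  return found;
}

// Constructed sample document and an injected base using the question's first vector.
const DOC = 'https://mysite.com/account/settings';
const SAMPLE_HTML =
  '<head><base href=/\\evil></head><body><a href="/login.php">Login</a></body>';

// Walk through the cases discussed above.
for (const baseHref of [null, 'https://eviltwin.com', '/\\evil', '//0', '/app/']) {
  console.log(
    `base=${JSON.stringify(baseHref)} -> /login.php resolves to`,
    resolveWithBase(DOC, baseHref, '/login.php'),
    leavesOrigin(DOC, baseHref, '/login.php') ? '(OFF-ORIGIN)' : '(same origin)'
  );
}
console.log('off-origin <base> elements in sample:', findOffOriginBases(DOC, SAMPLE_HTML));
```

The same-origin base `/app/` is included to show that the check does not fire on legitimate relative bases, only on ones that move links to another origin, which is exactly what the CSP `base-uri` directive is designed to prevent at page load.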
