PCI v3.2-6.5.7
CAPEC-19
CWE-20
HIPAA-164.308(a)
ISO27001-A.14.2.5
WASC-8
OWASP 2013-A3
OWASP 2017-A7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Base Tag Hijacking

Severity:
Medium
Summary

Invicti detected that it is possible to control the href attribute of the base tag in the HTML. The base tag sets the base path for all of the page's relative resource URLs, so an attacker who controls it can load external scripts and resources and execute JavaScript in the context of the page. The impact is therefore the same as that of a cross-site scripting attack. Cross-site scripting allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Impact

Depending on the content of the page, this vulnerability might not be directly exploitable. When it is exploitable, there are many different attacks that can be leveraged through the use of cross-site scripting, including:

  • Hijacking a user's active session.
  • Mounting phishing attacks.
  • Intercepting data and performing man-in-the-middle attacks.

Remediation

Do not allow user input to control the base tag. Whitelist it if dynamic usage is necessary. The Content-Security-Policy (CSP) base-uri directive can also help prevent the <base> element from being changed. The base-uri directive defines the URIs that a user agent may use as the document base URL.

Content-Security-Policy: base-uri 'self'
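
One way to apply both remediation steps server-side, shown as an added example that is not Invicti's code: a dynamic base value is resolved and compared against an allowlist, and the base-uri header is built from that same list. APP_ORIGIN, ALLOWED_BASES, DEFAULT_BASE and the function names are assumptions, and the page is assumed to be served from APP_ORIGIN.

```javascript
'use strict';
// Added example. APP_ORIGIN, ALLOWED_BASES, DEFAULT_BASE and all function
// names are assumptions for illustration (constructed values).
const APP_ORIGIN = 'https://app.example';
const DEFAULT_BASE = 'https://app.example/';
const ALLOWED_BASES = new Set([
  'https://app.example/',
  'https://app.example/docs/',
  'https://static.example/assets/',
]);

// Parse the candidate the way a browser resolves a URL, then compare the
// normalized absolute URL with the allowlist. Comparing after parsing means
// relative, protocol-relative and backslash spellings are all judged by the
// URL they actually resolve to, not by their raw text.
function resolveBaseHref(candidate) {
  if (typeof candidate !== 'string') return DEFAULT_BASE;
  let url;
  try {
    url = new URL(candidate, APP_ORIGIN);
  } catch {
    return DEFAULT_BASE; // unparsable input never reaches the page
  }
  if (url.protocol !== 'https:') return DEFAULT_BASE;
  url.search = '';
  url.hash = '';
  return ALLOWED_BASES.has(url.href) ? url.href : DEFAULT_BASE;
}

// HTML-attribute escaping as a second layer, even though only allowlisted
// values can reach this point.
function escapeAttr(value) {
  return value.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

function renderBaseTag(candidate) {
  return `<base href="${escapeAttr(resolveBaseHref(candidate))}">`;
}

// Build the base-uri directive from the same allowlist so the header and the
// server-side check cannot drift apart.
function baseUriHeader() {
  const origins = new Set([...ALLOWED_BASES].map((b) => new URL(b).origin));
  const sources = [...origins].map((o) => (o === APP_ORIGIN ? "'self'" : o));
  return `Content-Security-Policy: base-uri ${sources.join(' ')}`;
}
```

Any value that does not resolve to an allowlisted URL falls back to DEFAULT_BASE, so a rejected input still produces a well-formed page.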
