Published 7 years 10 months ago • Last updated March 22, 2025 • ⏱️ < 1 min read
I tweeted this a while ago but Twitter sucks when it comes to finding anything and I thought it was good enough for a blog post. Way back in Safari 3.0 and Internet Explorer 5.5 and the old Opera you could mess with JavaScript urls and the base tag. Me, Mario and Brainpillow documented this on HTML5 security cheatsheet ages ago. The original vector allows you to use inject a JavaScript url in the base tag and the payload appears in the anchor. But what if we add the payload in the base tag itself then we can rewrite relative and blank urls to a JavaScript payload.
You inject a base tag with your payload:
<base href="javascript:/a/-alert(1)///////">
Notice the forward slashes at the end of the payload, this fools Safari into thinking that they are folders. Then relative urls get converted to JavaScript urls like:
<a href=../lol/safari.html>test</a> <a href>haha</a>
The base url combines with the anchor, even a blank anchor to execute the payload. This works on the latest version of Safari (11.1.2) at the time of the blog post.