Base Tag Hijacking

  • CAPEC 19
  • WASC 8
  • PCI 3.2-6.5.7

Attackers can control the href attribute of a <base> tag in HTML. This means that resources (e.g. images, scripts) can be loaded from a attacker controlled domain and can be executed on the context of the page. This vulnerability's impact is almost the same as that of a cross-site scripting vulnerability.


Validate user input not to control the base tag. Content-Security-Policy (CSP) base-uri directive can also help you prevent to change the <base> tag element. The base-uri directive defines the URIs that a user agent may use as the document base URL.

Content-Security-Policy: base-uri 'self'