RPO
Relative Path Overwrite
Basic Concepts
Ways an application can load the CSS file
<!-- using the full path to the CSS file -->
<link href="http://example.com/style.css" rel="stylesheet" type="text/css"/>
<!-- using root dir of the CSS file -->
<link href="/style.css" rel="stylesheet" type="text/css"/>
<!-- using a relative path -->
<link href="style.css" rel="stylesheet" type="text/css"/>
Quirks mode
Handles poorly coded websites.
If quirks mode is enabled, the browser ignores the “content-type” of a file when processing it.
EX: parsing an HTML file as if it were a CSS file.
Exploiting RPO
Prerequisites
Meet all the following requirements to exploit RPO.

Vulnerable Code Snippet

Meeting requirements:
The “okay/” path is displayed on the page.

The “document type” tag is missing from the HTML source.
The “/home/okay/” resolves to the same page as “/home”.

When the URL is changed to “/home/okay/”, the “Link” tag tries to import its stylesheet from “/home/okay/style.css”.

Once all requirements are met, try to inject CSS code that turns the font red to confirm that the target is vulnerable:
EX: %0A{}*{color:red;}///
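
A static check for the preconditions listed above, as an added example that is not part of the original page. The function names, the sample URL and both sample responses are constructed, and the HTML is assumed to be the response already served for “/home/okay/”.

```javascript
// Added example: static check for the RPO preconditions described on this page.
// Function names, the sample URL and the sample HTML are constructed.

// Stylesheet hrefs that are path-relative (no scheme, no leading "/").
function relativeStylesheets(html) {
  const hrefs = [];
  for (const [tag] of html.matchAll(/<link\b[^>]*>/gi)) {
    if (!/\brel\s*=\s*["']?stylesheet\b/i.test(tag)) continue;
    const m = tag.match(/\bhref\s*=\s*["']([^"']*)["']/i);
    if (!m) continue;
    // Skip absolute ("http://...") and root-relative ("/style.css") references.
    if (/^([a-z][a-z0-9+.-]*:|\/)/i.test(m[1])) continue;
    hrefs.push(m[1]);
  }
  return hrefs;
}

// Decode a path segment without throwing on malformed percent-encoding.
const safeDecode = (s) => { try { return decodeURIComponent(s); } catch { return s; } };

function auditRpo(pageUrl, html) {
  const url = new URL(pageUrl);
  // 1. No doctype at the top of the document: the browser uses quirks mode.
  const missingDoctype = !/^\s*(<!--[\s\S]*?-->\s*)*<!doctype\s+html/i.test(html);
  // 2. Relative stylesheet links resolve against the requested path.
  const resolved = relativeStylesheets(html).map((h) => new URL(h, url).pathname);
  // 3. The last path segment of the request is echoed into the response.
  const last = url.pathname.split("/").filter(Boolean).pop() || "";
  const pathReflected = last !== "" && html.includes(safeDecode(last));
  const atRisk = missingDoctype && resolved.length > 0 && pathReflected;
  return { missingDoctype, resolved, pathReflected, atRisk };
}

// Constructed responses for /home/okay/: the page as described, then a fixed one.
const VULNERABLE = `<html><head>
<link href="style.css" rel="stylesheet" type="text/css"/>
</head><body><p>You are here: okay/</p></body></html>`;
const FIXED = `<!DOCTYPE html><html><head>
<link href="/style.css" rel="stylesheet" type="text/css"/>
</head><body><p>You are here: okay/</p></body></html>`;

console.log(auditRpo("http://example.com/home/okay/", VULNERABLE));
console.log(auditRpo("http://example.com/home/okay/", FIXED));
```

The fixed response differs only in having a doctype and a root-relative stylesheet path, so the stylesheet no longer resolves under “/home/okay/”.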

Impact
Low severity finding.
XSS, web defacement, and extracting sensitive data.