RPO

Relative Path Overwrite

Basic Concepts

Ways an application can load the CSS file

<!-- using the full (absolute) URL of the CSS file -->
<link href="http://example.com/style.css" rel="stylesheet" type="text/css"/>

<!-- using a path from the site root -->
<link href="/style.css" rel="stylesheet" type="text/css"/>

<!-- using a relative path -->
<link href="style.css" rel="stylesheet" type="text/css"/>

Quirks mode

Quirks mode is the browser mode that handles poorly coded websites.

If quirks mode is enabled, the browser will ignore the “content-type” of a file when processing it.

  • EX: parsing an HTML file as if it were a CSS file.
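
The two conditions above can be checked from the defender's side. The following is an added example, not code from the original page: it lists a page's stylesheet links, classifies each the three ways shown above, and reports which ones resolve to a different URL when the same page is requested with one extra trailing path segment, and whether the page lacks a doctype. The function names, the sample markup and the /extra/ segment are constructed assumptions.

```javascript
// Added example: audit a page for relative stylesheet links and a missing doctype.
// Classify an href as absolute, root-relative or relative.
function classifyHref(href) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(href) || href.startsWith("//")) return "absolute";
  return href.startsWith("/") ? "root-relative" : "relative";
}

// Pull stylesheet hrefs out of <link> tags (simple regex scan, not a full HTML parser).
function stylesheetHrefs(html) {
  const hrefs = [];
  for (const tag of html.match(/<link\b[^>]*>/gi) || []) {
    if (!/rel\s*=\s*["']?stylesheet/i.test(tag)) continue;
    const m = tag.match(/href\s*=\s*["']([^"']+)["']/i);
    if (m) hrefs.push(m[1]);
  }
  return hrefs;
}

// A page with no doctype is rendered in quirks mode. Some legacy doctypes
// also trigger it; this check only covers the missing-doctype case.
function hasDoctype(html) {
  return /^\s*<!doctype\s+html/i.test(html.replace(/<!--[\s\S]*?-->/g, ""));
}

function auditPage(pageUrl, html) {
  // Same page, requested with one extra trailing path segment (constructed).
  const variant = new URL(pageUrl);
  variant.pathname = variant.pathname.replace(/\/?$/, "/extra/");
  const links = stylesheetHrefs(html).map((href) => {
    const normal = new URL(href, pageUrl).href;   // what the browser normally fetches
    const shifted = new URL(href, variant).href;  // what it fetches for the variant URL
    return { href, kind: classifyHref(href), normal, shifted, stable: normal === shifted };
  });
  const quirks = !hasDoctype(html);
  // Only the two Basic Concepts conditions are checked, not a full prerequisite list.
  return { quirks, links, needsReview: quirks && links.some((l) => !l.stable) };
}

// Constructed sample: the three link styles from this page, no doctype.
const SAMPLE_HTML = `<html><head>
<link href="http://example.com/style.css" rel="stylesheet" type="text/css"/>
<link href="/style.css" rel="stylesheet" type="text/css"/>
<link href="style.css" rel="stylesheet" type="text/css"/>
</head><body>hello</body></html>`;

const report = auditPage("http://example.com/app/index.php", SAMPLE_HTML);
for (const l of report.links) {
  console.log(l.kind.padEnd(13), l.href, "->", l.shifted, l.stable ? "" : "(changes)");
}
console.log("quirks mode likely:", report.quirks, "| needs review:", report.needsReview);
```

Only the relative link is reported as changing; the absolute and root-relative forms resolve to the same stylesheet URL for both requests.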

Exploiting RPO

Prerequisites

Meet all the following requirements to exploit RPO.

Vulnerable Code Snippet

Meeting requirements:


After meeting all requirements, try to inject CSS code that turns the font red; if the text turns red, we know the target is vulnerable:

EX: %0A{}*{color:red;}///

Impact

Low severity finding.

  • XSS, web defacement, and extracting sensitive data.
