RPO

Relative Path Overwrite

Basic Concepts

Ways an application can load the CSS file

<!-- using the full path to the CSS file  -->
<link   href="http://example.com/style.css"   rel="stylesheet"   type="text/css"/>

<!-- using root dir of the CSS file -->
<link   href="/style.css"   rel="stylesheet"   type="text/css"/>

<!--  using a relative path  -->
<link   href="style.css"   rel="stylesheet"   type="text/css"/>

Quirks mode

Handles the poorly coded websites.

If quirks mode is enabled the browser will ignore the “content-type” of a file when processing it.

• EX: parsing the HTML file as if it's a CSS file.

Exploitation RPO

Prerequisites

Meet all the following requirements to exploit RPO.

Vulnerable Code Snippet

Meeting requirements:

¯\_(ツ)_/¯

Swap Tabs

Path reflection

Quirks mode

Wildcard path

Relative Path

After meeting all requirements, try to inject CSS code to turn the font red so we now know the target is vulnerable:

EX: %0A{}*{color:red;}///

Impact

Low severity finding.

• XSS, web defacement, and extracting sensitive data.