Relative Path Overwrite Attack

Relative Path Overwrite (RPO) is a new attack vector discovered by Gareth Heyes, a renowned web application researcher. It exploits the way browsers interpret relative paths when importing CSS files into a document, which is why the attack is also referred to as Path Relative Stylesheet Import (PRSSI). If you’re not familiar with relative and absolute path CSS imports, here is a quick look at both:

Relative path import:
<link href="resource/rpo.css" rel="stylesheet" type="text/css"/>
Absolute path import:
<link href="https://sandbox.prakharprasd.com/resource/rpo.css" rel="stylesheet" type="text/css"/>

Here, the rpo.css file contains the following:

h1 {
    font-family: monospace;
    color: white;
    font-size: 50px;
}
body {
    background-color: black;
}

In the absolute path, we see a full and complete reference to the CSS file: the URL starts with the protocol handler and ends with the file. In the relative path, however, only the directory or file information is given, and the browser looks for the file relative to the directory of the current document.

For example, if the document was loaded at https://sandbox.test.com/rpo/, then in the case of the relative path the CSS will be loaded from https://sandbox.test.com/rpo/resource/rpo.css.
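
The path resolution described above, as an added example that is not part of the original article: a small Node.js audit that lists a page's stylesheet links and shows where each would be fetched from for different document URLs. The sample markup, the /static/site.css path and the /rpo/archive/ document URL are constructed for illustration.

```javascript
// Added example: audit a page's stylesheet links for path-relative imports.
// SAMPLE_HTML, /static/site.css and the /rpo/archive/ URL are constructed.
const SAMPLE_HTML = `
<html><head>
<link href="resource/rpo.css" rel="stylesheet" type="text/css"/>
<link href="/static/site.css" rel="stylesheet" type="text/css"/>
<link rel="stylesheet" href="https://sandbox.test.com/resource/rpo.css"/>
<link rel="icon" href="favicon.ico"/>
</head><body><h1>RPO</h1></body></html>`;

// Classify an href by how much of the final URL it pins down itself.
function classifyHref(href) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(href)) return "absolute";
  if (href.startsWith("//")) return "scheme-relative";
  if (href.startsWith("/")) return "root-relative";
  return "path-relative"; // resolved against the document's directory
}

// Read one attribute (quoted or unquoted) out of a single tag string.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, "i");
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Collect the href of every <link> whose rel list contains "stylesheet".
function stylesheetHrefs(html) {
  return (html.match(/<link\b[^>]*>/gi) || [])
    .filter((tag) => (attr(tag, "rel") || "").toLowerCase().split(/\s+/).includes("stylesheet"))
    .map((tag) => attr(tag, "href"))
    .filter((href) => href !== null);
}

// Resolve each stylesheet against every document URL; "stable" means every
// listed document would fetch the same file for that link.
function auditStylesheets(html, documentUrls) {
  return stylesheetHrefs(html).map((href) => {
    const resolved = documentUrls.map((doc) => new URL(href, doc).href);
    return { href, kind: classifyHref(href), resolved, stable: new Set(resolved).size === 1 };
  });
}

const DOCUMENT_URLS = ["https://sandbox.test.com/rpo/", "https://sandbox.test.com/rpo/archive/"];
for (const r of auditStylesheets(SAMPLE_HTML, DOCUMENT_URLS)) {
  console.log(r.stable ? "stable" : "VARIES", r.kind, r.href, "->", r.resolved.join(" | "));
}
```

A path-relative stylesheet reported as VARIES is the one to rewrite as a root-relative or absolute href.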

As with many other vulnerabilities, the risks involved vary from case to case. If the affected page includes any data under the attacker’s control, it’s possible to inject CSS, which in turn enables the attacker to fool the victim into carrying out undesired actions.

If it’s possible to get JavaScript within CSS, it’s also possible to turn this into an XSS.

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]
