Relative Path Overwrite (RPO) is a new attack vector discovered by Gareth Heyes, a renowned web application researcher. Relative Path Overwrite exploits the way browsers interpret relative paths while importing CSS files into a document, hence this attack is also referred to as Path Relative Stylesheet Import (PRSSI). If you’re not aware of relative and absolute path URL CSS import, then let’s have a quick look at:
Relative path import:
<link href=”resource/rpo.css” rel=”stylesheet” type=”text/css”/>
Absolute path import:
<link href=”https://sandbox.prakharprasd.com /resource/rpo.css”
Here, the rpo.css file contains the following:
In the absolute path, we see a full and complete reference to the CSS file, the URL starts with the protocol handler and ends with the file. However, in the relative path, only the directory or file information is sufficient, the browser looks for the file in the same path directory as the current document.
For example, if the document was loaded at https://sandbox.test. com/rpo/ then the CSS will be loaded from https://sandbox.test.com/rpo/resource/rpo.css in the case of the relative path.
As with many other vulnerabilities, the risks involved vary from case to case. If the affected page includes any data under the attacker’s control, it’s possible to inject CSS, which in turn enables the attacker to fool the victim into carrying out undesired actions.