Sunday, February 7, 2016

(Relative Path Overwrite) RPO XSS

Welcome Readers,

As promised, this post is written exclusively about RPO (Relative Path Overwrite) XSS. Let's understand what RPO is and how it can be exploited with XSS.
RPO XSS Introduction
RPO (Relative Path Overwrite) XSS was publicized by Gareth Heyes in 2014. The attack uses a crafted URL (typically one with PATH_INFO appended) to force the target web page to load itself as a style sheet, which works when the page contains both path-relative style sheets and attacker-controllable content.
To understand Relative Path Overwrite XSS we first need the difference between a relative and an absolute path. An absolute URL is the full URL of a destination, including the protocol and domain name, whereas a relative URL specifies neither domain nor protocol and uses the current document's location to determine them.
Example:
Absolute URL: https://thehacker.co.in/test
Relative URL: test/some_subdirectory
The relative URL shown will look for ‘test’, and the browser automatically prefixes the current domain to it. There are two important variations of a relative URL: the first uses the current path and looks for a directory within it, such as “abc”; the second uses directory traversal notation such as “../../abc”.
Description and Attack scenario
The RPO XSS attack uses a crafted URL (typically with PATH_INFO) to force the target web page to load itself as a style sheet; this works when the page contains both path-relative style sheets and attacker-controllable content.
We have seen the difference between absolute and relative paths. Now let's demonstrate this finding.
To exploit this finding, three things are necessary:
1) Stored XSS that allows CSS injection.
2) URL rewriting.
3) Relative addressing of the CSS style sheet.
To check for RPO, visit the URL below:
www.webdevelopersnotes.com/graphics/index.php3
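The mechanism above can be checked from the defender's side without touching any live site. The following is an added example (not code from the original post): it finds path-relative style sheet links in a page, shows how a trailing PATH_INFO segment changes where such a link resolves, and rewrites the href to a root-relative form that a PATH_INFO suffix can no longer influence. The HTML and the `example.com` URLs are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class StylesheetLinkParser(HTMLParser):
    """Collect href values of <link rel="stylesheet"> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if "stylesheet" in rel and a.get("href"):
            self.hrefs.append(a["href"])


def is_path_relative(href):
    """True for hrefs such as 'style.css' or '../css/a.css': no scheme,
    no host and not starting with '/', so the base path decides the target."""
    parts = urlsplit(href)
    return not parts.scheme and not parts.netloc and not href.startswith("/")


def path_relative_stylesheets(html):
    """Return every style sheet href in the page that is path-relative."""
    p = StylesheetLinkParser()
    p.feed(html)
    return [h for h in p.hrefs if is_path_relative(h)]


def resolves_to_self(page_url, script_path, href):
    """Resolve href against the URL the browser actually loaded and report
    whether it lands under the script's own path, i.e. the same script would
    be asked (via PATH_INFO) to serve the 'style sheet'."""
    resolved = urlsplit(urljoin(page_url, href)).path
    return resolved == script_path or resolved.startswith(script_path + "/")


def harden_href(script_path, href):
    """Mitigation: compute a root-relative href from the script's real directory,
    so the resolved path no longer depends on what the browser's URL looks like."""
    base_dir = script_path.rsplit("/", 1)[0] + "/"
    return urljoin(base_dir, href)


# Constructed sample page: one path-relative and one root-relative style sheet.
SAMPLE_HTML = ('<html><head><link rel="stylesheet" href="style.css">'
               '<link rel="stylesheet" href="/static/site.css"></head>'
               '<body>user comment goes here</body></html>')
```

Against `http://example.com/graphics/index.php3` the link resolves to `/graphics/style.css`, but against `http://example.com/graphics/index.php3/` it resolves to `/graphics/index.php3/style.css`, which is the page itself; `harden_href` yields `/graphics/style.css` in both cases.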

Saturday, February 6, 2016

Mighty XSS (Basics of Cross Site Scripting)

Welcome Readers,

In the last post I talked about mXSS. In this post we will cover the types of XSS and the various XSS attacks.
First of all, what is XSS, and why is it considered so dangerous that it holds third place in the OWASP Top 10? Let's decode this jargon.
As the name suggests, XSS (Cross Site Scripting) is a form of script/code that an attacker uses for malicious purposes. Our web applications have multiple input fields: forms, comment boxes, email fields, upload fields and so on.
These are the entry points where a user is supposed to enter valid information. But think like a hacker: what if we could write some script/code in the comment box of a web application, and posting that comment on the site gives a different output than expected?
Take an example: there is a bank website, and on the home page there is a search box to search for bank-related information on that site.

Monday, February 1, 2016

Mutation XSS


Hello Friends,
Welcome back :) Today I'm sharing my research on mutation cross site scripting. After studying and reading a lot of material, I finally decided to write an article about mXSS. I hope you will find it useful.

Mutation Cross site scripting (mXSS)
Mutation-based XSS (mXSS) is a new class of XSS vector discovered by Mario Heiderich. mXSS may occur via innerHTML, and the vulnerability affects major browsers such as IE, Firefox and Chrome.
Commercial products such as Yahoo, Rediff mail and Zimbra were vulnerable to mXSS. These XSS vectors managed to bypass widely deployed server-side XSS protection techniques like HTML Purifier, Kses and htmLawed, and client-side filters like the XSS Auditor and the IE XSS filter, as well as WAF, IDS and IPS systems.
Introduction
mXSS is an XSS vector that is mutated from a safe state into an unsafe, unfiltered state. Server- and client-side XSS filters share the assumption that their HTML output and the browser-rendered HTML content are mostly identical. The most common form of mXSS arises from incorrect reads of innerHTML: user-provided content is mutated by the browser, so that a harmless-looking string which passes nearly all XSS filters is ultimately transformed by the browser into an active XSS attack vector.