
Sunday, February 7, 2016

RPO (Relative Path Overwrite) XSS

Welcome Readers,

As promised, this post is dedicated to RPO (Relative Path Overwrite) XSS. Let's understand what RPO is and how it can be exploited for XSS.
RPO XSS Introduction
RPO (Relative Path Overwrite) XSS was publicized by Gareth Heyes in 2014. The attack uses a crafted URL (typically one carrying extra PATH_INFO after the script name) to make the target web page load itself as a style sheet. It works when the page both references a style sheet by a path-relative URL and renders attacker-controllable content.
To understand RPO we first need the difference between a relative and an absolute path. An absolute URL is the full address of a resource, including the scheme and host name. A relative URL specifies neither; the browser resolves it against the URL of the document that contains it, reusing that document's scheme, host and directory.
Example: Absolute URL: https://thehacker.co.in/test
         Relative URL: test/some_subdirectory
The relative URL above is resolved against the current document's URL: the browser keeps the scheme, the host and the current directory (everything up to the last "/" in the document's path) and appends "test/some_subdirectory" to it. Two variations matter for this attack: a relative path can name something below the current directory, such as "abc", or climb upwards with the familiar directory-traversal form "../../abc". Either way, what the browser fetches depends entirely on the path of the page it is currently showing, and that path is something the attacker can influence.
Description and Attack scenario
As stated above, the attack uses a crafted URL (typically one with extra PATH_INFO) to make the target page load itself as a style sheet; this needs a path-relative style sheet reference plus attacker-controllable content on the same page.
Having covered the difference between absolute and relative paths, let's look at how the attack is put together.
Three things are necessary to exploit this finding:
1) Stored, attacker-controllable content rendered on the page (a comment, a profile field or similar) that can be made to parse as CSS. Script injection is not required; the injected text only has to survive CSS error recovery once the page is parsed as a style sheet.
2) URL rewriting, or a server that accepts extra path segments after the script name (PATH_INFO) and still serves the same page.
3) A style sheet referenced by a path-relative URL, for example href="style.css" rather than href="/css/style.css".
To check for RPO, open the URL below, then append a trailing slash or an extra path segment after index.php3 and see whether the same page is still served and where its style sheet reference now resolves to:
www.webdevelopersnotes.com/graphics/index.php3
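The following is an added example, not code from the original post and not the markup of any site mentioned in it. It simulates the three ingredients above with a hypothetical server (the host example.test, the script path /graphics/index.php3, the serve() routing and the page HTML are all assumptions) and uses the browser's own URL-resolution rules (the WHATWG URL API) to show why the crafted URL makes the page fetch itself as its style sheet, and why a root-relative href does not have that problem.

```javascript
// Added example (not from the original post): simulate Relative Path
// Overwrite with a hypothetical server and browser-accurate URL resolution.
// SCRIPT_PATH, STORED_COMMENT, the HTML and serve() are all constructed.

const SCRIPT_PATH = "/graphics/index.php3";   // assumed vulnerable page
const STORED_COMMENT = "{}*{color:red}";      // assumed attacker-controlled stored text

// Ingredients 1 and 3: the page renders untrusted stored text and references
// a path-relative style sheet. There is no <!DOCTYPE>, so it is in quirks mode.
function renderPage(comment) {
  return [
    "<html><head>",
    '<link rel="stylesheet" type="text/css" href="style.css">',
    "</head><body>",
    '<div class="comment">' + comment + "</div>",
    "</body></html>",
  ].join("\n");
}

// Ingredient 2: the server routes any path under SCRIPT_PATH to the same
// script (PATH_INFO / URL rewriting) and ignores the extra segments.
function serve(pathname) {
  if (pathname === SCRIPT_PATH || pathname.startsWith(SCRIPT_PATH + "/")) {
    return { status: 200, contentType: "text/html", body: renderPage(STORED_COMMENT) };
  }
  return { status: 404, contentType: "text/plain", body: "not found" };
}

// A browser resolves a relative href against the document URL (RFC 3986):
// the last path segment of the document is dropped and the href appended.
function resolveStylesheet(pageUrl, href) {
  return new URL(href, pageUrl).href;
}

// What the browser would fetch for the <link> when the document lives at pageUrl.
function fetchStylesheetFor(pageUrl, href) {
  const url = new URL(resolveStylesheet(pageUrl, href));
  const res = serve(url.pathname);
  return { url: url.href, status: res.status, contentType: res.contentType, body: res.body };
}

function demo() {
  const origin = "http://example.test";
  const normal = origin + SCRIPT_PATH;          // /graphics/index.php3
  const crafted = origin + SCRIPT_PATH + "/";   // /graphics/index.php3/  (extra PATH_INFO)

  const n = fetchStylesheetFor(normal, "style.css");
  const c = fetchStylesheetFor(crafted, "style.css");
  // Fix: a root-relative (or absolute) href is unaffected by PATH_INFO.
  const f = fetchStylesheetFor(crafted, "/graphics/style.css");

  return {
    normalUrl: n.url,                                    // .../graphics/style.css
    craftedUrl: c.url,                                   // .../graphics/index.php3/style.css
    craftedBodyIsPage: c.body.includes(STORED_COMMENT),  // the "style sheet" is the page itself
    fixedUrl: f.url,                                     // .../graphics/style.css again
  };
}

console.log(demo());
```

On the crafted URL the style sheet request lands back on index.php3, so the "style sheet" the browser receives is the HTML page containing the stored comment. CSS error recovery then treats everything before the comment's "{}" as one junk rule and applies the "*{color:red}" that follows. Two caveats a tester should know: browsers only apply a same-origin style sheet served with a non-CSS Content-Type when the page is in quirks mode (no doctype), and an "X-Content-Type-Options: nosniff" header blocks it regardless of mode. A "<!DOCTYPE html>", nosniff, and root-relative or absolute style sheet URLs each break the chain.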

Saturday, February 6, 2016

Mighty XSS (Basics of Cross Site Scripting)

Welcome Readers,

In the last post I covered mXSS. In this post we will cover the types of XSS and the various XSS attacks.
First of all, what is XSS, and why is it considered so dangerous that it holds third place in the OWASP Top 10 (2013 edition)? Let's decode the jargon.
As the name suggests, XSS (Cross-Site Scripting) is an attack in which script supplied by an attacker ends up executing in a victim's browser in the context of the web application. Web applications have many input fields: forms, comment boxes, email fields, upload fields and so on.
These are the entry points where a user is supposed to enter valid information. But think like an attacker: what if we write a script in the comment box, and when that comment is posted the site renders something other than the plain text that was expected?
Take an example: there is a bank website, and on its home page there is a search box for searching bank-related information on the site.