Gareth Heyes (@garetheheyes) discovered a new type of vulnerability which is extremely lethal because it is still relatively unknown and many developers don’t know how to validate input to protect applications.
I find it very strange that this vulnerability was disclosed some years ago and it still remains very unpopular.
You can see Gareth’s amazing post about his new find in:
http://www.thespanner.co.uk/2014/03/21/rpo/
I decided to write a tool to find these vulnerabilities quickly, because most scanners do not detect RPOs. Burp’s scanner does detect it but only in the Professional and Enterprise versions; the free version does not.
You can find the tool in:
http://github.com/tr3w/RPOwn
Here are some resources to very clever research about RPO exploitation:
https://www.mbsd.jp/Whitepaper/rpo.pdf
https://soroush.me/blog/2015/02/non-root-relative-path-overwrite-rpo-in-iis-and-net-applications/
Since RPO exploitation is mainly done by scriptless attacks, I decided to post some links to amazing resources describing different methods to perform such attacks:
@sirdarckcat‘s attribute reader:
http://eaea.sirdarckcat.net/cssar/v2/
@kinugawamasato text node reader:
https://mksben.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html
@SecurityMB font ligatures:
https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-wykorzystac-css-y-do-atakow-na-webaplikacje/
@SecurityMB Data exfiltration in Firefox via single injection point:
https://research.securitum.com/css-data-exfiltration-in-firefox-via-single-injection-point/#:~:text=Firefox%20and%20stylesheet%20processing
Pepe Vila recursive imports technique:
https://gist.github.com/cgvwzq/6260f0f0a47c009c87b4d46ce3808231
@d0nutptr recursive import exfiltration tool:
https://github.com/d0nutptr/sic
Mario Heiderich presentation on scriptless attacks:
https://www.slideshare.net/x00mario/stealing-the-pie