Gareth Heyes (@garetheheyes) discovered a new type of vulnerability, Relative Path Overwrite (RPO), which is extremely dangerous because it is still relatively unknown and many developers don't know how to validate input to protect against this attack.
It makes it possible to inject CSS code anywhere in the page without having to use <style> tags. In fact, there is no need to use angle brackets (< >) or any HTML tag at all.
I find it very strange that this vulnerability was disclosed some years ago and it still remains so little known.
You can see Gareth's amazing post about his new find in:
http://www.thespanner.co.uk/2014/03/21/rpo/
This vulnerability is also documented in PortSwigger:
https://portswigger.net/research/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities
I decided to write a tool to find these vulnerabilities quickly, because most scanners do not detect RPOs. Burp's scanner does detect it but only in the Professional and Enterprise versions; the free version does not.
You can find the tool in:
http://github.com/tr3w/RPOwn
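As an added example (not code from RPOwn or from Gareth's research), the check below flags the response-side preconditions that make a page a candidate for a relative-path stylesheet overwrite: a path-relative stylesheet href, no doctype (quirks-mode rendering), no base tag, and no nosniff header. The sample pages and headers are constructed for the example; the assumption is that a page meeting all four conditions deserves manual review.

```python
import re
from html.parser import HTMLParser

# Constructed sample responses: the first is RPO-prone, the second is hardened.
QUIRKS_PAGE = (
    "<html><head><link rel=stylesheet href='styles/main.css'>"
    "</head><body>hello</body></html>"
)
HARDENED_PAGE = (
    "<!DOCTYPE html><html><head><base href='/'>"
    "<link rel='stylesheet' href='/static/main.css'>"
    "</head><body>hello</body></html>"
)


class _LinkCollector(HTMLParser):
    """Collects stylesheet hrefs and notes whether a doctype and a <base> are present."""

    def __init__(self):
        super().__init__()
        self.stylesheets = []
        self.has_doctype = False
        self.has_base = False

    def handle_decl(self, decl):
        if decl.lower().startswith("doctype"):
            self.has_doctype = True

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.stylesheets.append(a["href"])
        elif tag == "base" and a.get("href"):
            self.has_base = True


def is_path_relative(href):
    """True when the URL resolves against the current path: no scheme, no leading / or //."""
    return not re.match(r"^(?:[a-zA-Z][a-zA-Z0-9+.-]*:|/)", href.strip())


def rpo_preconditions(html, headers=None):
    """Return which RPO preconditions this response meets (assumed list, see lead-in)."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    p = _LinkCollector()
    p.feed(html)
    return {
        "path_relative_stylesheets": [h for h in p.stylesheets if is_path_relative(h)],
        "no_doctype": not p.has_doctype,
        "no_base_tag": not p.has_base,
        "no_nosniff": headers.get("x-content-type-options", "").lower() != "nosniff",
    }


def is_rpo_candidate(html, headers=None):
    """A response is a candidate only when every precondition holds."""
    f = rpo_preconditions(html, headers)
    return bool(f["path_relative_stylesheets"]) and f["no_doctype"] and f["no_base_tag"] and f["no_nosniff"]
```

Adding a doctype, using absolute stylesheet URLs (or a base tag) and sending X-Content-Type-Options: nosniff each remove one precondition, which is why the hardened sample is not flagged.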
Here are some links to very clever research on RPO exploitation:
https://www.mbsd.jp/Whitepaper/rpo.pdf
Soroush Dalili discovered a super clever technique to exploit this vulnerability that greatly increases its attack surface.
https://soroush.me/blog/2015/02/non-root-relative-path-overwrite-rpo-in-iis-and-net-applications/
Since RPO exploitation is mainly done through scriptless attacks, here are some links to excellent resources describing different methods of performing them:
@sirdarckcat's attribute reader:
http://eaea.sirdarckcat.net/cssar/v2/
@kinugawamasato's text node reader:
https://mksben.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html
@SecurityMB's font ligatures technique:
https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-wykorzystac-css-y-do-atakow-na-webaplikacje/
@SecurityMB's data exfiltration in Firefox via a single injection point:
https://research.securitum.com/css-data-exfiltration-in-firefox-via-single-injection-point/#:~:text=Firefox%20and%20stylesheet%20processing
Pepe Vila's recursive imports technique:
https://gist.github.com/cgvwzq/6260f0f0a47c009c87b4d46ce3808231
@d0nutptr's recursive import exfiltration tool:
https://github.com/d0nutptr/sic
Mario Heiderich's presentation on scriptless attacks:
https://www.slideshare.net/x00mario/stealing-the-pie