Gareth Heyes (@garetheheyes) discovered a new type of vulnerability which is extremely lethal because it is still relatively unknown and many developers don't know how to validate input to protect applications.

I find it very strange that this vulnerability was disclosed some years ago and it still remains very unpopular.

You can see Gareth's amazing post about his new find in:
http://www.thespanner.co.uk/2014/03/21/rpo/

I decided to write a tool to find these vulnerabilities quickly, because most scanners do not detect RPOs. Burp's scanner does detect it but only in the Professional and Enterprise versions; the free version does not.

You can find the tool in:
http://github.com/tr3w/RPOwn

Here are some resources to very clever research about RPO exploitation:

https://www.mbsd.jp/Whitepaper/rpo.pdf

https://soroush.me/blog/2015/02/non-root-relative-path-overwrite-rpo-in-iis-and-net-applications/

Since RPO exploitation is mainly done by scriptless attacks, I decided to post some links to amazing resources describing different methods to perform such attacks:

@sirdarckcat's attribute reader:
http://eaea.sirdarckcat.net/cssar/v2/

@kinugawamasato text node reader:
https://mksben.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html

@SecurityMB font ligatures:
https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-wykorzystac-css-y-do-atakow-na-webaplikacje/

@SecurityMB Data exfiltration in Firefox via single injection point:
https://research.securitum.com/css-data-exfiltration-in-firefox-via-single-injection-point/#:~:text=Firefox%20and%20stylesheet%20processing

Pepe Vila recursive imports technique:
https://gist.github.com/cgvwzq/6260f0f0a47c009c87b4d46ce3808231

@d0nutptr recursive import exfiltration tool:
https://github.com/d0nutptr/sic

Mario Heiderich presentation on scriptless attacks:
https://www.slideshare.net/x00mario/stealing-the-pie

---

Filed under: Hacking,Web Application Security - @ 2023-08-13 19:06

Tags: gareth, heyes, relative path overwrite, rpo, tool