An Overview Of a Relative Path Overwrite Vulnerability Or Attack
By Tom Seest
Relative path overwrite attacks are a type of cross-site scripting. These attacks can be used to steal sensitive information from a third-party site or make unauthorized transactions. This type of attack targets both unauthorized and authorized users of a website. The attacker can trick the victim into clicking on a crafted link or a social engineering technique, such as search engine poisoning.
This photo was taken by Mikhail Nilov and is available on Pexels at https://www.pexels.com/photo/power-on-and-off-switch-on-wall-7663143/.
Table Of Contents
This vulnerability exists in the way that browsers parse CSS. This means that it is easy for attackers to use relative paths to exploit vulnerable pages. They can inject style directives into the URL or cookie, and the page will reflect the changes. The exploits require no markup or script injection and can even take place in an arbitrary location. This vulnerability is caused by the fact that browsers do not have a base HTML tag that tells them to expand relative paths.
Style directive injection is less severe than script injection, but it still allows attackers to target websites. It is estimated that 9% of sites in the Alexa top 10,000 have a vulnerable page. Of these, more than a third are exploitable.
This photo was taken by Michael Steinberg and is available on Pexels at https://www.pexels.com/photo/close-up-of-coin-318820/.
Relative path overwrite is an attack that exploits a flaw in the way browsers interpret relative paths to inject malicious CSS styles. The attack was first discovered by Gareth Heyes in 2014. It relies on a weakness in how browsers interpret relative paths to overwrite resources and payloads with malicious content. It is especially effective because it can be used to inject arbitrary CSS styles. However, this attack is not a perfect solution. Some browsers will fail to load relative-path resources or will misbehave due to a trailing slash.
Relative path overwrite attacks are relatively recent and take advantage of differences in browsers and servers. Using this technique, an attacker can inject CSS into a web page by making the page refer to itself as a stylesheet. This allows the attacker to execute a variety of attacks, including rewriting a page’s content or hijacking a user account.
This photo was taken by Anete Lusina and is available on Pexels at https://www.pexels.com/photo/crop-cyber-spy-typing-on-computer-keyboard-while-hacking-system-5240544/.
If you want to disable ‘Quirks Mode’ on a web page, you can use the frame-ancestors directive. This directive specifies the origins of the frames that are allowed to load. It is the replacement for X-Frame-Options, which is deprecated.
Quirks mode rendering is caused by the presence of certain document types which are not declared by the user’s browser. The following table shows the types of documents that cause all browsers to render in quirks mode. The sites that contain at least one of these documents are listed below.
‘Quirks Mode’ is enabled when a page references itself as a stylesheet. The “stylesheet” actually consists of an HTML document. When a browser requests a page with an “explicit” value in the X-UA-CompatibleHTTP header, it returns the HTML document content type. However, browsers in quirks mode ignore the content type and inclusion context and render the document as an HTML document.
This photo was taken by Moose Photos and is available on Pexels at https://www.pexels.com/photo/photo-of-two-teal-and-pink-leather-crossbody-bags-1038000/.