Relative Path Overwrite XSS

Baptiste MOINE <contact@bmoine.fr>

@Creased_

Who am I?

Relative Path Overwrite XSS

1

XSS

• Cross-Site Scripting (XSS)
• Send malicious script through web application
• Control the victim’s browser

Relative Path Overwrite XSS

3

URI in a nutshell

• RFC-3986 - Uniform Resource Identifier (URI): Generic Syntax
• Consists of a hierarchical sequence of segments and subsegments

 

 

• Segments are delimited by characters in a "reserved" set
• Segment-wide data characters could be be percent-encoded to prevent conflicts
• As per RFCs:

Relative Path Overwrite XSS

4

≠

Relative Path

• Absolute path:
   
• Relative path (other path):
   
• Relative path component resolution:
  • Retrieve absolute path:
     
  • Canonicalize and retrieve base URI:
     
  • Recompose the component's target URI

Relative Path Overwrite XSS

5

Relative Path Overwrite

Relative Path Overwrite XSS

6

Relative Path Overwrite

Relative Path Overwrite XSS

7

Relative Path Overwrite

Relative Path Overwrite XSS

8

Huh?

Relative Path Overwrite XSS

9

Client-side URL	Browser process
https://vps.bmoine.fr/upload/../	Change URL to https://vps.bmoine.fr/
https://vps.bmoine.fr/upload/..%2F	Keep URL as-is (https://vps.bmoine.fr/upload/..%2F)

Server-side URL	HTTP server process
https://vps.bmoine.fr/	Return default index from the location (https://vps.bmoine.fr/)
https://vps.bmoine.fr/upload/..%2F	Standardize location (remove dot-segments, but without redirection) then return default index from the location (https://vps.bmoine.fr/)

The browser keeps the dots-segments since they use urlentities, but the HTTP server decodes them...

Go further

https://www.bmoine.fr/#rpo

Baptiste MOINE <contact@bmoine.fr>

@Creased_