Baptiste MOINE
#SysAdmin driven by curiosity ~ #InfoSec involved student ~ Keen interest in team-based security challenges ~ 0x860B5424
Baptiste MOINE <contact@bmoine.fr>
@Creased_
~$> whois bmoine.fr
%%
%% Please contact Baptiste MOINE <contact@bmoine.fr> to obtain more information about me.
%%
contact: Baptiste MOINE
country: FR
e-mail: contact@bmoine.fr
website: https://www.bmoine.fr
website: https://git.bmoine.fr
website: https://twitter.com/Creased_
motto: Learning is Endless
status: ACTIVE
last-update: 1s ago
trouble: Information: https://www.bmoine.fr
trouble: Questions: mailto:contact@bmoine.fr
trouble: Spam: rm -rf / 2>/dev/null
Relative Path Overwrite XSS
scheme://user:password@host:port/path?query#fragment
scheme://host/path%2F ≠ scheme://host/path/
scheme://host/path?query#fragment
otherpath?query#fragment
scheme://host/path
scheme://host/path?query#fragment
scheme://host/otherpath?query#fragment
Client-side URL | Browser process
---|---
https://vps.bmoine.fr/upload/../ | Change URL to https://vps.bmoine.fr/
https://vps.bmoine.fr/upload/..%2F | Keep URL as-is (https://vps.bmoine.fr/upload/..%2F)

Server-side URL | HTTP server process
---|---
https://vps.bmoine.fr/ | Return default index from the location (https://vps.bmoine.fr/)
https://vps.bmoine.fr/upload/..%2F | Standardize location (remove dot-segments, but without redirection), then return default index from the location (https://vps.bmoine.fr/)
The browser keeps the dot-segments because they are percent-encoded (URL entities), but the HTTP server decodes them before normalizing the path...
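Added example (not from the slides): a small Python model of the browser/server disagreement shown in the two tables, plus a check a reverse proxy or WAF could use to refuse paths the two sides would read differently. The server model is an assumption that follows the slide's description (decode, then remove dot-segments, no redirect); real HTTP servers differ in detail.

```python
from urllib.parse import unquote


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 applied to an absolute path, without decoding:
    only literal '.' and '..' are dot-segments, so '..%2F' is an ordinary segment."""
    segments = path.split("/")
    output = []
    for seg in segments[1:]:  # segments[0] is the empty string before the leading '/'
        if seg == ".":
            continue
        if seg == "..":
            if output:
                output.pop()
            continue
        output.append(seg)
    if segments[-1] in (".", ".."):
        output.append("")  # a trailing dot-segment keeps the trailing slash
    return "/" + "/".join(output)


def browser_normalize(raw_path: str) -> str:
    """What the address bar ends up showing: dot-segments removed, encoding untouched."""
    return remove_dot_segments(raw_path)


def server_normalize(raw_path: str) -> str:
    """Model (assumption) of the HTTP server on the slide: percent-decode first,
    then remove dot-segments, then serve that location without redirecting."""
    return remove_dot_segments(unquote(raw_path))


def resolve_relative(document_path: str, ref: str) -> str:
    """Where the browser fetches a relative sub-resource (e.g. href="style.css")
    for a document displayed at document_path (RFC 3986 section 5.2.3 merge)."""
    if ref.startswith("/"):
        return remove_dot_segments(ref)
    base = document_path.rsplit("/", 1)[0] + "/"
    return remove_dot_segments(base + ref)


def is_ambiguous(raw_path: str) -> bool:
    """True when browser and server disagree about which location a path names.
    Rejecting such requests at the edge closes the relative-path gap."""
    return browser_normalize(raw_path) != server_normalize(raw_path)


if __name__ == "__main__":
    for raw in ("/upload/../", "/upload/..%2F"):  # the two rows of the tables above
        shown = browser_normalize(raw)
        print(raw, "-> browser:", shown, "| server:", server_normalize(raw),
              "| style.css fetched from:", resolve_relative(shown, "style.css"),
              "| ambiguous:", is_ambiguous(raw))
```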
By Baptiste MOINE
Relative Path Overwrite XSS presentation