Relative Path Overwrite XSS

Baptiste MOINE <contact@bmoine.fr>

@Creased_

Who am I?

~$> whois bmoine.fr
%%
%% Please contact Baptiste MOINE <contact@bmoine.fr> to obtain more information about me.
%%

contact:     Baptiste MOINE
country:     FR
e-mail:      contact@bmoine.fr
website:     https://www.bmoine.fr
website:     https://git.bmoine.fr
website:     https://twitter.com/Creased_
motto:       Learning is Endless
status:      ACTIVE
last-update: 1s ago

trouble:     Information: https://www.bmoine.fr
trouble:     Questions:  mailto:contact@bmoine.fr
trouble:     Spam: rm -rf / 2>/dev/null

Relative Path Overwrite XSS

1

XSS

  • Cross-Site Scripting (XSS)
  • Send malicious script through web application
  • Control the victim’s browser

Relative Path Overwrite XSS

3

URI in a nutshell

 

 

  • Segments are delimited by characters in a "reserved" set
  • Segment-wide data characters could be be percent-encoded to prevent conflicts
  • As per RFCs:

Relative Path Overwrite XSS

4

scheme://user:password@host:port/path?query#fragment
scheme://host/path%2F
scheme://host/path/

Relative Path

  • Absolute path:
     
  • Relative path (other path):
     
  • Relative path component resolution:
    • Retrieve absolute path:
       
    • Canonicalize and retrieve base URI:
       
    • Recompose the component's target URI

Relative Path Overwrite XSS

5

scheme://host/path?query#fragment
otherpath?query#fragment
scheme://host/path
scheme://host/path?query#fragment
scheme://host/otherpath?query#fragment

Relative Path Overwrite

Relative Path Overwrite XSS

6

Relative Path Overwrite

Relative Path Overwrite XSS

7

Relative Path Overwrite

Relative Path Overwrite XSS

8

Huh?

Relative Path Overwrite XSS

9

Client-side URL Browser process
https://vps.bmoine.fr/upload/../ Change URL to https://vps.bmoine.fr/
https://vps.bmoine.fr/upload/..%2F Keep URL as-is
(https://vps.bmoine.fr/upload/..%2F)
Server-side URL HTTP server process
https://vps.bmoine.fr/ Return default index from the location (https://vps.bmoine.fr/)
https://vps.bmoine.fr/upload/..%2F Standardize location (remove dot-segments, but without redirection) then return default index from the location (https://vps.bmoine.fr/)

The browser keeps the dots-segments since they use urlentities, but the HTTP server decodes them...

Go further

Baptiste MOINE <contact@bmoine.fr>

@Creased_

Made with Slides.com