Mastering Modern Web Penetration Testing by Prakhar Prasad

Relative Path Overwrite

Relative Path Overwrite (RPO) is a new attack vector discovered by Gareth Heyes, a renowned web application researcher. RPO exploits the way browsers interpret relative paths while importing CSS files into a document; for this reason, the attack is also referred to as Path Relative Stylesheet Import (PRSSI). If you're not familiar with relative and absolute path CSS imports, here is a quick look at both:

Relative path import:

<link href="resource/rpo.css" rel="stylesheet" type="text/css"/>

Absolute path import:

<link href="https://sandbox.prakharprasd.com/resource/rpo.css" rel="stylesheet" type="text/css"/>
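
How the two import forms above resolve when the same page is served under different document URLs, as an added example (not code from the book). The `/demo/page.php` document URLs and all function names are constructed for illustration; resolution uses the standard WHATWG `URL` API, which applies the same base-URL algorithm browsers use for `href`.

```javascript
// Resolve an href the way a browser does: relative to the document's URL.
function resolveStylesheet(href, documentUrl) {
  return new URL(href, documentUrl).href;
}

// A path-relative href has no scheme and does not start with "/", so the
// location it points to depends on the path of the document that imports it.
function isPathRelative(href) {
  const h = href.trim();
  if (/^[a-z][a-z0-9+.-]*:/i.test(h)) return false; // absolute URL with scheme
  if (h.startsWith("/")) return false;              // root- or protocol-relative
  return true;
}

// Pull stylesheet hrefs out of markup. A simple regex scan that is enough for
// <link> tags like the ones in the text; it is not a full HTML parser.
function stylesheetHrefs(html) {
  const hrefs = [];
  for (const tag of html.match(/<link\b[^>]*>/gi) || []) {
    if (!/\brel\s*=\s*["']?stylesheet/i.test(tag)) continue;
    const m = tag.match(/\bhref\s*=\s*["']([^"']*)["']/i);
    if (m) hrefs.push(m[1]);
  }
  return hrefs;
}

// Report each stylesheet import and where it lands for every document URL.
function auditImports(html, documentUrls) {
  return stylesheetHrefs(html).map((href) => ({
    href,
    pathRelative: isPathRelative(href),
    resolved: documentUrls.map((u) => resolveStylesheet(href, u)),
  }));
}

// Constructed sample: the two <link> forms from the text.
const sampleHtml = `
<link href="resource/rpo.css" rel="stylesheet" type="text/css"/>
<link href="https://sandbox.prakharprasd.com/resource/rpo.css" rel="stylesheet" type="text/css"/>`;

// Constructed document URLs: one page, without and with a trailing path segment.
const sampleUrls = [
  "https://sandbox.prakharprasd.com/demo/page.php",
  "https://sandbox.prakharprasd.com/demo/page.php/",
];

console.log(JSON.stringify(auditImports(sampleHtml, sampleUrls), null, 2));
```

The relative import resolves to a different file for each document URL, while the absolute import resolves to the same file for both. That dependence on the document path is the behaviour RPO relies on.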

Here, the rpo.css file contains the following:

h1 {
    font-family: monospace;
    color: white;
    font-size: 50px;

}
body {
 background-color: ...
