Interesting security article on relative URLs |
Interesting security article on relative URLs |
jimlongo |
Mar 25 2014, 10:18 PM
Post
#1
|
This is My Life Group: Members Posts: 1,128 Joined: 24-August 06 From: t-dot Member No.: 16 |
The following article makes an argument against using relative URLs and how they can be manipulated by an end user.
http://www.thespanner.co.uk/2014/03/21/rpo/ |
Darin McGrew |
Mar 26 2014, 03:28 AM
Post
#2
|
WDG Member Group: Root Admin Posts: 8,365 Joined: 4-August 06 From: Mountain View, CA Member No.: 3 |
So the short version is, if your server returns the same document for www.example.com/foo and www.example.com/foo/ then the relative URLs in the document will work for one or the other, but not both.
|
jimlongo |
Mar 26 2014, 10:49 AM
Post
#3
|
This is My Life Group: Members Posts: 1,128 Joined: 24-August 06 From: t-dot Member No.: 16 |
I haven't tested it nor am I insisting it's true yet, but since this was picked up from a tweet by a top security researcher, his conclusion that relative URLs can be leveraged in XSS attack vectors is certainly worth investigation.
QUOTE I consider relative URLs harmful since you cannot rely on the browser to correctly determine the correct directory and when used with so called “pretty URLs”. Pretty much everyone who has used relative URLs will be open to this type of attack if the path information is outputted or there is some persistent data that an attacker can manipulate. I recommend absolute URLs should be used throughout a site or relative URLs that begin with a forward slash since this is the only type of relative URL that isn’t vulnerable to a RPO attack because it starts at the document root. |
Christian J |
Mar 26 2014, 11:28 AM
Post
#4
|
. Group: WDG Moderators Posts: 9,656 Joined: 10-August 06 Member No.: 7 |
I couldn't understand the text because the prose is so sloppy.
|
Lo-Fi Version | Time is now: 25th April 2024 - 04:51 AM |