This document summarizes research on a new type of web attack called relative path overwrite, which allows attackers to inject CSS (style) directives into websites without requiring markup or script injection. The researchers measured how many popular websites are vulnerable by testing URL manipulation techniques on over 2.6 billion web pages. They found that over 5% of domains allowed style injection, but fewer than 1% could be successfully exploited in Chrome or Internet Explorer due to requirements like the page loading in quirks mode. The researchers outline countermeasures for websites to prevent this attack, such as using absolute paths or base tags for stylesheets instead of relative paths.

1. NEU SECLAB
Large-Scale Analysis of Style Injection
by Relative Path Overwrite
Sajjad Arshad, Seyed Ali Mirheidari, Tobias Lauinger,
Bruno Crispo, Engin Kirda, William Robertson
WWW - 26 April 2018

2. 2
NEU SECLAB
Relative Path Overwrite
• Initially described in blog posts by Gareth Heyes and others
• Largely unknown type of web attack
– Does not require markup injection or particular sink type
– Inject style (CSS) instead of script (JS)
– “Self-reference”: Attacked document uses “itself” as stylesheet
(other attack variants exist, not studied in this work)
• Measure vulnerability surface of websites
– How many websites can be exploited?
– Which factors allow/prevent the attack?

3. 3
NEU SECLAB
Style Injection
Browser Server
http://example.com/*{background-image:url(...)}/
<html>
<head>
<link rel="stylesheet" href="style.css">
</head>
<body>
Not found:
http://example.com/*{background-image:url(...)}/
</body>
</html>

4. 4
NEU SECLAB
Path Confusion
Browser Server
http://example.com/*{background-image:url(...)}/
Error page
http://example.com/*{background-image:url(...)}/style.css
<html>
...
Not found:
http://example.com/*{background-image:url(...)}/style.css
...
</html>
...<link rel="stylesheet" href="style.css">...

5. 5
NEU SECLAB
Self-Reference
HTML
external
stylesheet
crafted
URL
reflected
style directives
(text node)

6. 6
NEU SECLAB
Outline
• Relative Path Overwrite Attack
– Refection sink that allows injection of style directives
– Path confusion causes stylesheet self-reference
• Measurement methodology
• Exploitability in practice
• Countermeasures

7. 7
NEU SECLAB
Style-Based Attacks
• Script injection not always possible (e.g., input sanitisation)
• Successful (exfltration) attacks possible without script:
– History stealing
– Exfltrate credit card number (Heiderich et al., CCS 201㙣20)
• Attacks typically consist of payload & injection technique
– This research is not concerned about the payload
– Focus on how to inject (“transport”) the payload

8. 8
NEU SECLAB
Self-Reference
• Style injection requires either:
– Markup injection (create a new <style> context), or
– Correct sink type (injection inside existing <style> context)
• Both can be hard to fnd
• New technique:
– Cause HTML document to reference “itself” as the stylesheet
– Sink in document becomes style sink

9. 9
NEU SECLAB
Measurement Methodology
㙣. Common Crawl: extract pages with relative stylesheet path
– August 201㙣6: >㙣.6B documents
– Filter: Alexa Top 㙣M, must contain relative stylesheet reference
20. Python script to test path confusion, if style can be injected
– Try several URL mutation techniques (see paper)
– Only GET, no clicking/form submission, benign payload
3. Browser to check if injected style directives interpreted
– Open page in Chrome (+Internet Explorer with framing, see paper)
– Style interpreted if injected image URL seen in network traffc

10. 10
NEU SECLAB
Preconditions for Successful Attack
• Relative stylesheet path: 㙣3% of docs in Common Crawl
• Mutated URL causes style refection in server response
(and no base tag)
– 㙣.20% of documents in Candidate Set
– 5.4% of domains have at least one such document
• Browser loads and interprets injected style directives
– Chrome: 㙣㙣k documents (<1.㙣%) on 㙣k domains (1.5%)
– IE: 55k documents (1.20%) on 4k domains (㙣.6%) see paper→

11. 11
NEU SECLAB
Injected Style Not Interpreted
• Only 20.9% of sites with injection successfully attacked
• Attack works only if document rendered in “quirks mode”
– HTML “stylesheet” has wrong MIME type & lots of syntax errors
– 320% of unique document types in Chrome result in quirks mode
– <㙣1% of documents (320% of domains) use quirks mode
• IE: can override document type with framing technique
– Fails if anti-framing techniques used by site
– Fails if content type sniffng disabled
– see paper for details

12. 12
NEU SECLAB
Countermeasures (㙣)
Relative stylesheet path and path confusion self-reference→
• Browsers do not know about server-side content routing
logic and assume directory-like URL structure
– Use only absolute paths, or
– Use <base> tag to tell browser how to resolve relative paths
• If absolute paths or base tag value dynamically computed
on server side, must take into account actual routing logic

13. 13
NEU SECLAB
Countermeasures (20)
Text injection “vulnerability” and browser tolerating lots of CSS
syntax errors style injection→
• Always escape any characters not in [a-z0-9] (is this realistic?)
• Prevent browsers from interpreting CSS fles with many syntax
errors and content type other than text/css
– Specify a modern document type: <!doctype html>
– In Internet Explorer, document type can be overwritten by framing, so
set these headers:
X-Content-Type-Options: nosniff
X-Frame-Options: DENY

14. 14
NEU SECLAB
Conclusion
• Over 5% of studied domains allow style injection and self-
reference
• Much fewer domains can be exploited, but still a
consequential number in absolute terms
• Different techniques (e.g., style-based attacks) require
different countermeasures than script-based XSS
• In contrast to script-based XSS, easy-to-use and effective
countermeasures exist to mitigate the attack