Talk | Intermediate | 14:00 - 14:30 | August 09, 2024

Ian Hickey

Most web security professionals are familiar with Relative Path Overwrite (RPO) attacks, which allow injecting malicious CSS via a quirk in how browsers handle paths. But what if you could use a similar technique to get victims to download malicious files by clicking an innocuous-looking download link on a trusted site? In this presentation, we'll unveil a new attack vector dubbed Relative Path File Injection (RPFI) that abuses path handling to turn benign websites into malware delivery platforms. Attendees will learn the anatomy of an RPFI attack, see demos of it in action, and learn how to detect this overlooked vulnerability class in the wild. We'll also release an open-source GitHub repo with proofs of concept for users to try for themselves. RPFI represents a new breed of polyglot-based attack that exploits gaps between web specifications and real-world implementations.

Ian Hickey

ETR - Senior Developer

Ian Hickey is a software developer in the Edtech space and devotes some time each week trying to solve problems that have not been solved before. His professional journey has been a unique blend of coding and education. As a software developer, he delved deep into the intricacies of how technology can enhance learning experiences. He mostly dabbles in security as a hobby. I am a lifelong hacker and I'm an active member of HackerOne and similar bug bounty programs.