Question:
My scan results include Relative Path Confusion (ZAP plugin 10051) -- how should I investigate this finding?
Answer:
Alert Behavior
Relative Path Confusion is a ZAP plugin (10051) that HawkScan uses to test for relative path confusion caused by "cross-content" responses (CWE-20).
Specifically, it tests whether a browser can be tricked into misinterpreting the content type of a response (for example, interpreting HTML as CSS), as indicated by the presence or absence of particular headers and body elements in the response.
Note:
This alert makes use of randomly generated relative URLs (the rule requests the page under an extra, random path segment to see whether the same content is served and how its relative references resolve), meaning your overall Paths list may contain URLs not discovered by the spider and/or API specs with which the scanner was seeded -- see Why do I see extra URL's in the Paths tab under Scan Details? for more information.
Resolving The Issue
Resolution Steps:
Review Evidence and Other Info in the Scan Results to identify the specific issues
Resolve the issue at the application level / Action the issue in the Platform
Re-run a scan against the updated application -- does it still occur?
Explanation:
Below are the overall fix recommendations (from the ZAP alert page):
Header settings:
Use the 'Content-Type' HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.
Use the 'X-Content-Type-Options: nosniff' HTTP response header to prevent the web browser from 'sniffing' the content type of the response.
Specify the 'X-Frame-Options' HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks.
DOCTYPE settings:
Use a modern DOCTYPE such as '<!doctype html>' to prevent the page from being rendered in the web browser using 'Quirks Mode', since this results in the content type being ignored by the web browser.
The alert tests for all of the above conditions, but how do you know which one(s) your application encountered?
By checking the following on the Scan Results page:
the Evidence pane
for instance, the specific relative image or .css references that triggered the alert may be highlighted here
the Other Info tab
this section calls out which of the header and body conditions above were found, in more detail
Example text from Other Info:
No <base> tag was specified in the HTML <head> tag to define the location for relative URLs. A Content Type of "text/html; charset=utf-8" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed.
In the above scenario, the application was sending a Content-Type header, but the Other Info shows two gaps: the HTML body contained no <base> tag, and the response carried no X-Frame-Options header. Without X-Frame-Options the page can be framed into Quirks Mode, which makes the browser ignore the declared Content-Type, and without a <base> tag the page's relative URLs resolve against whatever path the attacker loaded it under, opening the potential for a cross-content attack such as XSS.
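To make the resolution steps concrete, here is an added triage helper (example code written for this article, not ZAP's or HawkScan's own implementation) that reproduces the checks behind the Other Info text: it takes a response's headers and HTML body and reports which of the conditions above are present, so you can compare a page before and after a fix without re-running the whole scan. The two sample responses and the hostname app.example are constructed for the example.

```python
"""Triage helper for the Relative Path Confusion alert (added example).

Not code from ZAP or HawkScan. Given a response's headers and HTML body it
reports the same gaps the alert's Other Info text describes. The sample
responses below are constructed for this example; app.example is made up.
"""
import re
from typing import Dict, List

# Constructed sample: a page matching the Other Info text quoted above
# (Content-Type set, no <base> tag, no X-Frame-Options, no nosniff, no doctype).
WEAK_RESPONSE = {
    "headers": {"Content-Type": "text/html; charset=utf-8"},
    "body": (
        "<html><head><title>Account</title>"
        '<link rel="stylesheet" href="static/site.css">'
        '</head><body><img src="img/logo.png"></body></html>'
    ),
}

# Constructed sample: the same page with every recommendation applied.
HARDENED_RESPONSE = {
    "headers": {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
    },
    "body": (
        '<!doctype html><html><head><base href="https://app.example/">'
        '<link rel="stylesheet" href="static/site.css" type="text/css">'
        '</head><body><img src="img/logo.png"></body></html>'
    ),
}

_BASE_RE = re.compile(r"<base\b[^>]*\bhref\s*=\s*[\"']([^\"']*)[\"']", re.I)
_REF_RE = re.compile(r"\b(?:href|src)\s*=\s*[\"']([^\"']+)[\"']", re.I)
_HTML5_DOCTYPE_RE = re.compile(r"\s*<!doctype\s+html\s*>", re.I)
# Absolute (scheme:), root-relative (/...), protocol-relative (//...), fragment
# and query-only references do not depend on the path the page was loaded under.
_ANCHORED_RE = re.compile(r"^(?:[a-z][a-z0-9+.\-]*:|/|#|\?)", re.I)


def _header(headers: Dict[str, str], name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def relative_path_confusion_findings(headers: Dict[str, str], body: str) -> List[str]:
    """Return the list of gaps that keep the alert alive; an empty list means all clear."""
    findings: List[str] = []

    # 1. <base> tag: without it, relative URLs resolve against the request path,
    #    which an attacker controls by appending extra path segments.
    base = _BASE_RE.search(body)
    if base is None:
        findings.append("no-base-tag")
    elif not base.group(1).endswith("/"):
        # A base href without a trailing slash resolves relative URLs against
        # its parent directory (RFC 3986), which is rarely what was intended.
        findings.append("base-href-without-trailing-slash")

    # 2. Content-Type: the browser needs a declared type to apply strict parsing.
    if _header(headers, "Content-Type") is None:
        findings.append("no-content-type")

    # 3. X-Content-Type-Options: nosniff stops the browser second-guessing the type.
    xcto = _header(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("no-nosniff")

    # 4. X-Frame-Options: a frameable page can be forced into Quirks Mode.
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None or xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("frameable")

    # 5. DOCTYPE: only the HTML5 doctype is accepted here. That is a deliberate
    #    simplification; some legacy doctypes also select standards mode.
    if not _HTML5_DOCTYPE_RE.match(body):
        findings.append("doctype-not-html5")

    # 6. Which references are actually exposed: the relative href/src values,
    #    i.e. the kind of thing the Evidence pane highlights.
    relative = [ref for ref in _REF_RE.findall(body) if not _ANCHORED_RE.match(ref)]
    if relative and "no-base-tag" in findings:
        findings.append("relative-refs:" + ",".join(relative))

    return findings


if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, relative_path_confusion_findings(resp["headers"], resp["body"]) or "clean")
```

Run it against a captured response (for example the raw request/response from the Scan Results page) rather than the samples to see which gaps your own page has; the weak sample reports every gap plus the two relative references, and the hardened sample reports none. Note that modern browsers also honour a Content-Security-Policy frame-ancestors directive for framing control, but the alert text refers to X-Frame-Options, so that is the header the helper checks.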
Additional Information
In some applications, setting the type attribute (whose value is a media type, formerly called a MIME type, e.g. text/css) on the HTML elements that load the affected resources, such as <link> and <script>, may resolve this alert.