Security Knowledge Framework
  • Introduction
  • Auth Bypass
    • Python - Auth Bypass
    • NodeJS - Auth Bypass
  • Auth Bypass - 1
    • Python - Auth Bypass - 1
    • NodeJS - Auth Bypass - 1
    • Java - Auth Bypass - 1
  • Auth Bypass - 2
    • Python - Auth Bypass - 2
    • NodeJS - Auth Bypass - 2
    • Java - Auth Bypass - 2
  • Auth-bypass - 3
    • Python - Auth-bypass - 3
    • NodeJS - Auth-bypass - 3
    • Java - Auth-bypass - 3
  • Auth-bypass - Simple
    • Python - Auth-bypass - Simple
    • NodeJS - Auth-bypass - Simple
    • Java - Auth-bypass - Simple
  • Client Side Restriction Bypass
    • Python - Client Side Restriction Bypass
    • NodeJS - Client Side Restriction Bypass
    • Java - Client Side Restriction Bypass
  • Client Side Restriction Bypass - Harder
    • Python - Client Side Restriction Bypass - Harder
    • NodeJS - Client Side Restriction Bypass - Harder
    • Java - Client Side Restriction Bypass - Harder
  • Client Side Template Injection (CSTI)
    • Python - Client Side Template Injection (CSTI)
    • NodeJS - Client Side Template Injection (CSTI)
    • Java - Client Side Template Injection (CSTI)
  • Command Injection (CMD)
    • Python - Command Injection (CMD)
    • NodeJS - Command Injection (CMD)
    • Java - Command Injection (CMD)
  • Command Injection 2 (CMD-2)
    • Python - Command Injection 2 (CMD-2)
    • NodeJS - Command Injection 2 (CMD-2)
    • Java - Command Injection 2 (CMD-2)
  • Command Injection 3 (CMD-3)
    • Python - Command Injection 3 (CMD-3)
    • Java - Command Injection 3 (CMD-3)
  • Command Injection 4 (CMD-4)
    • Python - Command Injection 4 (CMD-4)
    • NodeJS - Command Injection 4 (CMD-4)
    • Java - Command Injection 4 (CMD-4)
  • Command Injection Blind (CMD-Blind)
    • Python - Command Injection Blind (CMD-Blind)
    • NodeJS - Command Injection Blind (CMD-Blind)
    • Java - Command Injection Blind (CMD-Blind)
  • Content-Security-Policy (CSP)
    • Python - Content-Security-Policy (CSP)
    • NodeJS - Content-Security-Policy (CSP)
    • Java - Content-Security-Policy (CSP)
  • CORS exploitation
    • Python - CORS exploitation
    • Java - CORS exploitation
  • Credentials Guessing
    • Python - Credentials Guessing
    • NodeJS - Credentials Guessing
    • Java - Credentials Guessing
  • Credentials Guessing - 2
    • Python - Credentials Guessing - 2
    • NodeJS - Credentials Guessing - 2
    • Java - Credentials Guessing - 2
  • Cross Site Scripting (XSS)
    • Python - XSS
    • NodeJS - XSS
    • Java - XSS
  • Cross Site Scripting - Attribute (XSS-Attribute)
    • Python - XSS-Attribute
    • NodeJS - XSS-Attribute
  • Cross Site Scripting - href (XSS-href)
    • Python - XSS-href
    • NodeJS - XSS-href
    • Java - XSS-href
  • Cross Site Scripting - DOM (XSS-DOM)
    • Python - XSS-DOM
    • NodeJS - XSS-DOM
    • Java - XSS-DOM
  • Cross Site Scripting - DOM-2 (XSS-DOM-2)
    • Python - XSS-DOM-2
    • NodeJS - XSS-DOM-2
    • Java - XSS-DOM-2
  • Cross Site Scripting - Stored (XSS-Stored)
    • Java - XSS-Stored
  • CSRF
    • Python - CSRF
    • NodeJS - CSRF
    • Java - CSRF
  • CSRF - Samesite
    • Python - CSRF-SameSite
    • NodeJS - CSRF-SameSite
    • Java - CSRF-SameSite
  • CSRF - Weak
    • Python - CSRF-Weak
    • NodeJS - CSRF-Weak
    • Java - CSRF-Weak
  • CSS Injection (CSSI)
    • Python - CSS Injection (CSSI)
    • NodeJS - CSS Injection (CSSI)
    • Java - CSS Injection (CSSI)
  • Deserialisation Java (DES-Java)
    • Java - Deserialisation Java (DES-Java)
  • Deserialisation Yaml (DES-Yaml)
    • Python - Deserialisation Yaml (DES-Yaml)
  • Deserialisation Pickle (DES-Pickle)
    • Python - Deserialisation Pickle (DES-Pickle)
  • Deserialisation Pickle 2 (DES-Pickle-2)
    • Python - Deserialisation Pickle 2 (DES-Pickle-2)
  • DoS Regex
    • Python - DoS Regex
    • NodeJS - DoS Regex
    • Java - DoS Regex
  • File upload
    • Python - File-Upload
    • NodeJS - File-Upload
    • Java - File-Upload
  • Formula Injection
    • Python - Formula Injection
    • NodeJS - Formula Injection
    • Java - Formula Injection
  • GraphQL DOS
    • Python - GraphQL DOS
  • GraphQL IDOR
    • Python - GraphQL IDOR
    • NodeJS - GraphQL IDOR
    • Java - GraphQL IDOR
  • GraphQL Injections
    • Python - GraphQL Injections
    • NodeJS - GraphQL Injections
    • Java - GraphQL Injections
  • GraphQL Introspection
    • Python - GraphQL Introspection
    • NodeJS - GraphQL Introspection
    • Java - GraphQL Introspection
  • GraphQL Mutations
    • Python - GraphQL Mutations
    • NodeJS - GraphQL Mutations
    • Java - GraphQL Mutations
  • Host Header Injection (Authentication Bypass)
    • Python - HttpOnly Session Hijacking XSS
  • HttpOnly Session Hijacking XSS
    • Python - HttpOnly Session Hijacking XSS
    • NodeJS - HttpOnly Session Hijacking XSS
    • Java - HttpOnly Session Hijacking XSS
  • Information Leakeage in Comments
    • Python - Information Leakeage in Comments
    • NodeJS - Information Leakeage in Comments
    • Java - Information Leakeage in Comments
  • Information Leakeage in Metadata
    • Python - Information Leakeage in Metadata
    • NodeJS - Information Leakeage in Metadata
    • Java - Information Leakeage in Metadata
  • Insecure Direct Object References (IDOR)
    • Python - Insecure Direct Object References (IDOR)
    • NodeJS - Insecure Direct Object References (IDOR)
    • Java - Insecure Direct Object References (IDOR)
  • JWT Null
    • Python - JWT Null
    • NodeJS - JWT Null
    • Java - JWT Null
  • JWT Secret
    • Python - JWT Secret
    • NodeJS - JWT Secret
    • Java - JWT Secret
  • Ldap Injection
    • Python - Ldap Injection
    • NodeJS - Ldap Injection
    • Java - Ldap Injection
  • Ldap Injection - harder
    • Python - Ldap Injection - harder
    • NodeJS - Ldap Injection - harder
    • Java - Ldap Injection - harder
  • Local File Inclusion 1 (LFI-1)
    • Python - Local File Inclusion 1 (LFI-1)
    • NodeJS - Local File Inclusion 1 (LFI-1)
    • Java - Local File Inclusion 1 (LFI-1)
  • Local File Inclusion 2 (LFI-2)
    • Python - Local File Inclusion 2 (LFI-2)
    • NodeJS - Local File Inclusion 2 (LFI-2)
    • Java - Local File Inclusion 2 (LFI-2)
  • Local File Inclusion 3 (LFI-3)
    • Python - Local File Inclusion 3 (LFI-3)
    • NodeJS - Local File Inclusion 3 (LFI-3)
    • Java - Local File Inclusion 3 (LFI-3)
  • Parameter Binding
    • Ruby - Parameter Binding
    • NodeJS - Parameter Binding
    • Java - Parameter Binding
  • Prototype Pollution
    • NodeJS - Prototype Pollution
  • Race Condition
    • Python - Race Condition
    • NodeJS - Race Condition
    • Java - Race Condition
  • Race Condition File-Write
    • Python - Race Condition File-Write
    • NodeJS - Race Condition File-Write
    • Java - Race Condition File-Write
  • Ratelimiting (Brute-force login)
    • Python - Ratelimiting
    • NodeJS - Ratelimiting
    • Java - Ratelimiting
  • Remote File Inclusion (RFI)
    • Python - Remote File Inclusion (RFI)
    • NodeJS - Remote File Inclusion (RFI)
    • Java - Remote File Inclusion (RFI)
  • Right To Left Override (RTLO)
    • Python - Right To Left Override (RTLO)
    • NodeJS - Right To Left Override (RTLO)
    • Java - Right To Left Override (RTLO)
  • Server Side Request Forgery (SSRF)
    • Python - Server Side Request Forgery (SSRF)
    • NodeJS - Server Side Request Forgery (SSRF)
  • Server Side Template Injection (SSTI)
    • Python - Server Side Template Injection (SSTI)
    • Java - Server Side Template Injection (SSTI)
  • Session Hijacking XSS
  • Session Puzzling
    • Python - Session Puzzling
    • NodeJS - Session Puzzling
    • Java - Session Puzzling
  • Session Management 1
    • Python - Session Management 1
  • SQLI (Union)
    • Python - SQLI (Union)
    • NodeJS - SQLI (Union)
    • Java - SQLI (Union)
  • SQLI Login Bypass
    • Python - Login Bypass
  • SQLI (Like)
    • Python - SQLI (Like)
    • NodeJS - SQLI (Like)
    • Java - SQLI (Like)
  • SQLI (Blind)
    • Python - SQLI (Blind)
    • NodeJS - SQLI (Blind)
    • Java - SQLI (Blind)
  • TLS Downgrade
    • Python - TLS Downgrade
  • Untrusted Sources (XSSI)
    • Python - Untrusted Sources (XSSI)
    • NodeJS - Untrusted Sources (XSSI)
    • Java - Untrusted Sources (XSSI)
  • URL Redirection
    • Python - URL Redirection
    • NodeJS - URL Redirection
    • Java - URL Redirection
  • URL Redirection - Harder
    • Python - URL Redirection - Harder
    • NodeJS - URL Redirection - Harder
    • Java - URL Redirection - Harder
  • URL Redirection - Harder-2
    • Python - URL Redirection - Harder-2
    • NodeJS - URL Redirection - Harder-2
    • Java - URL Redirection - Harder-2
  • WebSocket Message Manipulation
    • Python - WebSocket Message Manipulation
  • XML External Entity (XXE)
    • Python - XXE
    • NodeJS - XXE
    • Java - XXE
  • Exposed docker daemon
    • Python - Exposed docker daemon
  • Insecure Random
    • Python - Insecure Random
  • template item
Powered by GitBook
On this page
  • Running the app on Docker
  • Reconnaissance
  • Exploitation
  • Additional sources

Was this helpful?

Edit on GitHub
Export as PDF
  1. Right To Left Override (RTLO)

Java - Right To Left Override (RTLO)

PreviousNodeJS - Right To Left Override (RTLO)NextServer Side Request Forgery (SSRF)

Last updated 2 years ago

Was this helpful?

Running the app on Docker

$ sudo docker pull blabla1337/owasp-skf-lab:java-rtlo
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:java-rtlo

Now that the app is running let's go hacking!

Reconnaissance

Step1

To start with this exploit we need to know about the existance of the right to left character and what it is normally used for. The right-to-left mark (RLM) is a non-printing character used in the computerized typesetting of bi-directional text containing mixed left-to-right scripts (such as English and Cyrillic) and right-to-left scripts (such as Persian, Arabic, Urdu, Syriac and Hebrew). RLM is used to change the way adjacent characters are grouped with respect to text direction.

To start with our attack we first verify of the app filters unknown uni-characters from user supplied input.

To start of we visit the following page:

https://unicode-explorer.com/c/202E

Here we can easily copy the non printable character to paste and use in our payload.

Throughout the rest of the write up, the non-printable character that we just put on our clipboard is refered to as [RTLO]

Step 2

The next step is to look at the target application and where it is used for. The target application is used to share links that refer to content stored on a different service.

We can test if the server is rejecting un expected uni-characters adding the right to left override unicharacter in our input and submit it to the server. First our payload looks as shown in the screenshot below

[RTLO]test input

After we put in the right to left override uni-character in fron of the "test input" payload we see the following behaviour with the payload:

As you can see the input has been put from right to left. After submitting the input we find that the server does not filtered the override uni-character. From here we can start crafting our exploit payload.

now in this scenario

[RTLO]test input -> tupni tset

Exploitation

We inject the payload in the input field with the [RTLO] uni-character between the brackets. After submitting this input we find a non suspicous link to an mp4 resource.

However as soon as you would hover your mouse over the link you will find how the link itself is actually interpreted by your browser. The behaviour is shown in the screenshot below highlighted in red. Now when a user clicks the link to download a mp4 file he will actually download a potentially malicous executable.

Additional exploitation options

Not only can this attack vector be used to craft malicious links, but it can also be used for social engineering attacks where you can register a user that for the database point of view looks like a unique user but where the output is obfuscated to an existing user such as an admin or other high privileged user.

[RTLO]rotartsinimdA -> Administrator
[RTLO]rotaredoM -> Moderator
etc

Another scenario is to use this attack vector to spoof different URLS.

[RTLO]http://someevilsite.com/moc.elgoog.www//:ptth

will display as:

http://www.google.com/moc.etisliveemos//:ptth

Additional sources

and find:

   -=[ RTLO Spoofing ]=-
      [ Author: storm ]
Email: storm@gonullyourself.org
Website: http://gonullyourself.org/
LogoSkylight Cyber | Ethereum Smart Contracts Exploitation Using Right-To-Left-Override CharacterSkylightCyber
https://www.eaxploit-db.com/exploits/15976www.eaxploit-db.com