In this article, we will discuss some emerging attack vectors with their potentially high impact on the security of web application. We will cover Introduction to attack vector, Insecure Direct Object Reference, Relative Path Overwrite, Directory Brute Forcing. Let’s discuss it one by one.

Attack Vectors :

• Attack vector is basically a method used by the hacker or security analyst to penetrate into the target application for some malicious use or to check the security features of application.
• Every ethical hacker has their own and unique attack vector to check the security of target application, this application may be a web application or android application but in this article we are mainly focusing on web application.
• In this article you can learn some emerging attack vector with their impact. You can use any attack vector on the application, if and only if you have legal permission to check their security features. Don’t apply any attack vector on the application without prior permission from the application owner. It is totally illegal to penetrate into an application without legal permission.

Insecure Direct Object Reference :

• Insecure Direct Object Reference is commonly known as IDOR, and it is basically a permission based vulnerability which allows an attacker to modify or access resources belonging to other users of the application. 
• The Fundamental concept behind the IDOR vulnerability is that an endpoint of the application tries to give access for modifying and accessing the user data. Data may contain images, addresses, files and in some cases contain the username and password of a user.
• Nowadays, IDOR is common and an emerging attack vector for web applications because, IDOR vulnerability gives access permission and any problem related to permissions cannot be fixed automatically or by default because, in web applications permission varies from user to user. 
• For example, on any application, normal user and prime user have different access permission. Normal user and admin has different permissions for modification of data.
• Basically, this class of vulnerability is everywhere. In fact it is so common that the majority of the web applications are affected by this.

Relative Path Overwrite :

• Security researcher Gareth Heyes discovered the new attack vector, namely Relative Path Overwrite(RPO). RPO exploits the way browsers interpret relative paths during importing CSS files into DOM (document object model). Hence this attack is also known as Path Relative Style sheet Import (PRSSI).

Relative Path -
<link href="database/xyz.css" rel="stylesheet" type="text/css"/>

Absolute Path -
<link href="https://example.com /database/xyz.css" rel="stylesheet" type="text/css"/>

• Example –
  For example, if the document is loaded at https://example.com /database , then the CSS will be loaded from the path https://example.com /database/xyz.css in the case of relative path. If website has URL : https://example.com/index.html and they link the <link href=”resource/rpo.css” rel=”stylesheet” type=” text/CSS”/> given path in HTML file. 

  In this scenario if we visit https://example.com/index.html , then website can import its CSS file through given path, but if attacker changes URL to https://example.com /index.htm/random/payload , it will also work due to the flexible nature of server-side programming languages and web frameworks, but this time CSS does not load from the path given in html file. And by adding the payloads at vulnerable end point, attacker can control the CSS of web application.

Directory Brute Forcing :

• This is very popular and simple attack vector. Most of the ethical hacker’s use this vector to find hidden and sensitive directory on the web application. There are various automated tools available for testing this attack vector. 
• Most of the time, developers forget to make sensitive files and directories hidden: like files containing database username, password, source code of website, etc. Due to this, information might leak at a particular endpoint and by brute forcing the directories, the attack may find the hidden data and sensitive information of web application. 
• As a developer, it is good practice to make all the sensitive directories hidden from the user.