Relative Path Confusion

Relative Path Confusion means that your web server is configured to serve responses to ambiguous URLs. This configuration can possibly cause confusion about the correct relative path for the URL. It is also an issue of resources, such as images, styles etc., which are specified in the response using relative path, not the absolute URL.

If the web browser permits to parse “cross-content” response, the attacker may be able to fool the web browser into interpreting HTML into other content types, which can then lead to a cross site scripting attack (link do XSS).

Make sure to configure your web servers not to serve responses to ambiguous URLs in a way that the relative path of URLs can possibly be misinterpreted by components of client or server side.

To mitigate this risk make proper use of ‘’ HTML tag in the HTTP response, which will specify the base URL for all relative ones on the website.

Use the ‘Content-Type’ header in HTTP response to make it harder to fool the web browser to misinterpret its content type.

Use the ‘X-Content-Type-Options: nosniff’ header in HTTP response to prevent ‘sniffing’ its content type by the browser.

Use a modern DOCTYPE (i.e. ‘’) to prevent the web browser from rendering the page with ‘Quirks Mode’ as makes the web browser ignore the content type.

Use the ‘'X-Frame-Options’ header in HTTP response to disable ‘Quirks Mode’ in the browser which uses framing attacks.

You can make your site invulnerable by using only absolute paths.

You can safely use relative paths that start with forward slash, as those are not vulnerable.

ScanRepeat looks for server side issues which could cause confusion to the relative path of the URL. ScanRepeat verifies if the page is vulnerable to relative path override by trying to manipulate filenames and content types of its components. It reports every occurrence of such a behavior providing the URL and the evidence of this vulnerability.