Mon, 01 Jan 0001 00:00:00 +0000

DOMPurify Misconfiurations#

Depending on DOMPurify’s configuration, there might be a downgrade in sanitization protection. This could lead to either a small sanitization downgrade or, in the worst case, a full sanitization bypass.

Each DOMPurify.sanitize call can have a different configuration, meaning that one call might be safe while the next might not be.

If you want to look for DOMPurify misconfigurations, the best way is to:

Search for the <!--> or \x3c!--\x3e string in all the compiled JS files. This is used at the beginning of the sanitize function (ref).

Mon, 01 Jan 0001 00:00:00 +0000

Mutation XSS#

Mutation XSS is a kind of attack that takes advantage of HTML’s tolerant nature.

Highly recommended taking a look at https://mizu.re/post/exploring-the-dompurify-library-bypasses-and-fixes after reading this. Most of the payload does not work anymore, because of browser’s fix and dompurify’s fix. However, it is a good read

Mutations#

Mutation in HTML is any kind of change made to the markup for some reason or another:

When a parser fixes a broken markup (<p>test → <p>test</p>)
Normalizing attribute quotes (<a alt=test> → <a alt=”test”>)
Rearranging elements (<table><a> → <a></a><table></table>)

Elements handle their content (the text between opening and closing tags eg. <p>content</p>) differently, with seven distinct parsing modes at play:

SpellBook

DOMPurify Misconfiurations#

Mutation XSS#

Mutations#