In this blog post I share my experience with helping secure DOMPurify and trying to kill an entire class of bypasses
Year: 2020
Mutation XSS via namespace confusion – DOMPurify < 2.0.17 bypass
In this blogpost I’ll explain my recent bypass in DOMPurify – the popular HTML sanitizer library. In a nutshell, DOMPurify’s job is to take an untrusted HTML snippet, supposedly coming from an end-user, and remove all elements and attributes that can lead to Cross-Site Scripting (XSS). This is the bypass: Believe me that there’s not …
Prototype pollution – and bypassing client-side HTML sanitizers
In this article I’ll cover the prototype pollution vulnerability and show it can be used to bypass client-side HTML sanitizers. I’m also considering various ways to find exploitation of prototype pollution via semi-automatic methods. It could also be a big help in solving my XSS challenge. Prototype pollution basics Prototype pollution is a security vulnerability, …
HTML sanitization bypass in Ruby Sanitize < 5.2.1
On Jun 16, 2020 a security advisory for Ruby Sanitize library was released about an issue that could lead to complete bypass of the library in its RELAXED config. I have found this bug during a penetration test conducted by Securitum, and in this post I’ll explain how I came up with the idea of …
Marginwidth/marginheight – the unexpected cross-origin communication channel
On 6th July 2020 I’ve announced a XSS challenge on my Twitter. So far only four people were able to solve it and every single one of them told me that they had never heard about the quirk used in the challenge before. So here’s a writeup explaining this quirk along with some backstory. The …
Art of bug bounty: a way from JS file analysis to XSS
Summary: During my research on other bug bounty program I’ve found Cross-Site Scripting vulnerability in cmp3p.js file, which allows attacker to execute arbitrary javascript code in context of domain that include mentioned script. Below you can find the way of finding bug bounty vulnerabilities from the beginning to the end, which includes: In depth analysis …
The Curious Case of Copy & Paste – on risks of pasting arbitrary content in browsers
This writeup is a summary of my research on issues in handling copying and pasting in: browsers, popular WYSIWYG editors, and websites. Its main goal is to raise awareness that the following scenario can make users exposed to attacks: The victim visits a malicious site, The victim copies something from the site to the clipboard, …
How to secure WordPress – step by step guide
The decision about which software we will use for a selected purpose is often made on the basis of an analysis of the time needed for its implementation and the total number of functions that this system will provide us with. However, it is likely that where comfort and time is a priority, safety will …
CSS data exfiltration in Firefox via a single injection point
A few months ago I identified a security issue in Firefox known as CVE-2019-17016. During analysis of the issue, I’ve come up with a new technique of CSS data exfiltration in Firefox via a single injection point which I’m going to share in this blog post.
Protecting against social engineering-based attacks – an introduction
On designing or analyzing the security in IT systems an important question which has to be taken into account, aside from the wide range of digital security solutions, is the fact that one of the key elements of each and every system is its interaction with the user. Unfortunately, in the prevailing number of cases …