PyScript – or rather Python in your browser + what can be done with it? A few days ago, the Anaconda project announced the PyScript framework, which allows Python code to be executed directly in the browser. Additionally, it also covers its integration with HTML and JS code. An execution of the Python code in …
Michał Bentkowski
Helping secure DOMPurify (part 1)
In this blog post I share my experience with helping secure DOMPurify and trying to kill an entire class of bypasses
Mutation XSS via namespace confusion – DOMPurify < 2.0.17 bypass
In this blogpost I’ll explain my recent bypass in DOMPurify – the popular HTML sanitizer library. In a nutshell, DOMPurify’s job is to take an untrusted HTML snippet, supposedly coming from an end-user, and remove all elements and attributes that can lead to Cross-Site Scripting (XSS). This is the bypass: Believe me that there’s not …
Prototype pollution – and bypassing client-side HTML sanitizers
In this article I’ll cover the prototype pollution vulnerability and show it can be used to bypass client-side HTML sanitizers. I’m also considering various ways to find exploitation of prototype pollution via semi-automatic methods. It could also be a big help in solving my XSS challenge. Prototype pollution basics Prototype pollution is a security vulnerability, …
HTML sanitization bypass in Ruby Sanitize < 5.2.1
On Jun 16, 2020 a security advisory for Ruby Sanitize library was released about an issue that could lead to complete bypass of the library in its RELAXED config. I have found this bug during a penetration test conducted by Securitum, and in this post I’ll explain how I came up with the idea of …
Marginwidth/marginheight – the unexpected cross-origin communication channel
On 6th July 2020 I’ve announced a XSS challenge on my Twitter. So far only four people were able to solve it and every single one of them told me that they had never heard about the quirk used in the challenge before. So here’s a writeup explaining this quirk along with some backstory. The …
The Curious Case of Copy & Paste – on risks of pasting arbitrary content in browsers
This writeup is a summary of my research on issues in handling copying and pasting in: browsers, popular WYSIWYG editors, and websites. Its main goal is to raise awareness that the following scenario can make users exposed to attacks: The victim visits a malicious site, The victim copies something from the site to the clipboard, …
CSS data exfiltration in Firefox via a single injection point
A few months ago I identified a security issue in Firefox known as CVE-2019-17016. During analysis of the issue, I’ve come up with a new technique of CSS data exfiltration in Firefox via a single injection point which I’m going to share in this blog post.
XSS in GMail’s AMP4Email via DOM Clobbering
This post is a write up of an XSS in AMP4Email (obviously already fixed) I reported via Google Vulnerability Reward Program in August 2019. The XSS is an example of a real-world exploitation of well-known browser issue called DOM Clobbering.
Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609)
Prototype pollution is a vulnerability that is specific to programming languages with prototype-based inheritance (the most common one being JavaScript). While the bug is well-known for some time now, it lacks practical examples of exploitation. In this post, I’m showing how to exploit it to achieve Remote Code Execution in Kibana.
Write-up of DOMPurify 2.0.0 bypass using mutation XSS
Yesterday, a new version of DOMPurify (very popular XSS sanitization library) was released, that fixed a bypass reported by us. In this post I’ll show how exactly the bypass looked like preceded by general information about DOMPurify and how it works. If you are aware of how purifiers work and what mXSS is – you …
Server Side Template Injection – on the example of Pebble
Server-Side Template Injection isn’t exactly a new vulnerability in the world of web applications. It was made famous in 2015 by James Kettle in his famous blogpost on PortSwigger blog. In this post, I’ll share our journey with another, less popular Java templating engine called Pebble.
Security analysis of <portal> element
Portal is a fairly new HTML element that is currently supported only in Chrome Canary behind the #enable-portals flag. Their main objective is to enable seamless transitions to the web by pre-rendering content in an iframe-like element that can be then “promoted” (activated) to a top-level frame. In this article we focus of security analysis thereof.
Another XSS in Google Colaboratory
Three months ago I described XSS which I found in Google Colaboratory. Before you start reading this article, I recommend you go back to the previous one first, because I am going to develop the topic which started there. In a nutshell, however, what previously happened: I was looking for XSS in Google Colaboratory (an …
Security bug in Google Hangouts Chat desktop application – how to make Open Redirect great again
A few months ago Google released a new product – Hangouts Chat application, which was surely the answer of the American giant to the ubiquitous Slack. In short, it is a communication platform for teams, where you can simply chat, as well as exchange files, presentations, etc. You can use the Chat both in your …
XSS in Google Colaboratory + bypassing Content-Security-Policy
In the following text, I show an interesting XSS, which I found in February 2018 in one of Google’s applications. I show not only directly where this XSS was, but also what attempts I made to find this XSS and what dead ends I entered. In addition, an example of bypassing Content-Security-Policy with the use …
Description of CVE-2018-0296 vulnerability – bypassing authorization in Cisco ASA web interface.
In this text we describe CVE-2018-0296 error concerning Cisco ASA devices, publicized 6th of June by Cisco. Officially, vulnerability was classified as Denial Of Service, although our report concerned a different type of error. More details below. A word of introduction:Cisco ASA device (Adaptive Security Appliance) is very popular and is often a part of …
BetterZip – from XSS to any code execution
XSS (Cross-Site Scripting) is one of the most popular vulnerabilities in the world of web applications. On the OWASP TOP 10 list it has been ranked first in terms of popularity for many years. Until now, XSS has usually been identified only in the world of browsers. However, due to the fact that HTML and …
Stealing Data in Great style – How to Use CSS to Attack Web Application.
This article will show you an example of how you can use the ability to inject your own CSS rules into a web application to exfiltrate data. This attack can be particularly practical for stealing tokens that protect against CSRF attacks. In this text we will see that CSS injections can be used to steal …
Testing applications for Android: analysis and changing the way applications work by using the Frida framework
What is Frida? Frida, as the website of this project says, is a world-class dynamic instrumentation framework. To simplify: a framework that will allow us to inject our own code into a working process (it can be a process on Android, but it also supports iOS, Windows, Linux or macOS), and then to control this …
Address bar spoofing in Chrome and Firefox – description of CVE-2017-5089 and CVE-2017-7763
In this article, I will show you how you could have previously performed “spoofing” of the address bar in Chrome and Firefox browsers. In other words, make the domain displayed in the browser’s address bar not the one where the user actually is. As a consequence, the attack can be used for phishing, for example, …
DoS attack on applications – through regular expressions
The American programmer, Jamie Zawinski, once said, “Some people, when they encounter a problem, think to themselves, ‘I know! I will use regular expressions.’ And now they have two problems.” In this article, we’ll see how true the words are if the regular expression has been spelled incorrectly, allowing the Denial-of-Service to be launched on …
Stealing tokens, hacking jQuery and bypassing Same-Origin Policy – how I won XSSMas Challenge 2016
In this article: You will learn an interesting way to read tokens from another domain. You will learn how to make XSS using jQuery. You will see how to break Same-Origin Policy using Flash. XSSMas Challenge is a challenge (in the style of CTF) organized for several years by Cure53. As you can guess from …
Calculation of pseudo-random numbers generator state – on the example of Math. random() from Firefox
In this text: We will get to know how pseudo-random number generators operate We will learn how the XorShift128Plus algorithm, which is the basis of pseudo-random number generators in all the most popular browsers (Firefox, Chrome, Edge), works. We will get to know the Z3Prover tool, thanks to which we will be able to calculate …
What is the SSRF vulnerability (Server Side Request Forgery)?
A large part of web applications allows you to upload your own file to the server by providing the URL address, where it will be automatically downloaded to the server. In this article, we will discuss what problems may arise from such a solution. The article will be based on a simple functionality in the …
Bypassing the Same-origin policy in Firefox – detailed description (CVE-2015-7188)
In the third quarter of last year, I reported a security bug to Mozilla that allowed me to bypass Same Origin Policy (SOP) in Firefox. Due to this bug, it was possible to launch attacks by stealing data belonging to other domains. The source of the problem was a seemingly insignificant detail when parsing IP …
Google Caja and XSSs – how to get bounty three times for (almost) the same thing
In this article, I describe three XSSs that I reported to Google as part of their bug bounty program. All of them had their source in escaping of the sandbox in the Google Caja tool. Introduction At the beginning of this year, as my bug bounty target, I took the Google Docs applications. One of …
Security of web applications: vulnerabilities in upload mechanisms
File upload is one of the most common functionalities in web applications. Typically, it involves uploading images or documents to the server. It is also a place that pentesters look for due to the numerous security errors in implementations. In this article, we will present the most common vulnerabilities and show how they can be …