Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Mutation XSS via namespace confusion – DOMPurify- 269

Michal Bentkowski, posted 5 years ago
  • DOMPurify is a widely used HTML sanitizer library that helps keep untrusted HTML from entering the page. Most importantly, it helps prevent XSS.
  • Mutation XSS (mXSS) occurs when the browser or library alters the HTML during parsing and serialization, producing an XSS where none existed before. In this case, the author used a quirk of the specification: forms cannot be nested inside each other.
  • There are three namespaces in a DOM tree: HTML, SVG and MathML. These three namespaces are parsed in different ways, but they do have odd integration points.
  • With these different namespaces and integration points, it was possible to produce a mutation XSS from markup that was not an XSS at all before sanitization. This is because a form tag gets stripped, which causes the namespace of a tag to change.
  • Overall, a good write-up of the XSS with good background. In the future, I think I'll be looking at the specs more :) The author references the HTML specification quite a bit!