
Critical Thinking - Bug Bounty Podcast Episode 111: How to Bypass DOMPurify in Bug Bounty with Kevin Mizu
Feb 20, 2025
Kevin Mizu, a security researcher at Bisecure specializing in web app security, discusses the critical vulnerabilities associated with DOMPurify. He explores dangerous allow-lists, improper sanitization techniques, and the significance of managing configurations. Mizu shares insights from his own bug bounty experiences, including the exploitation of misconfigured regex patterns and the nuances of Unicode normalization. The conversation emphasizes creative thinking in cybersecurity and the intricate methods used to bypass HTML sanitization, underscoring the complexities of maintaining web application security.
AI Snips
One Regex Holds A Lot Of Risk
- DOMPurify's mutation-XSS defense centers on one regex that filters style, title, and comments in attributes.
- If you can smuggle those sequences past that regex, mutation XSS becomes feasible.
Sanitize For The Final Context
- Consider the final DOM context where sanitized HTML is inserted; sanitizing alone isn't enough.
- Avoid inserting sanitized fragments into inert tags (like textarea) or contexts that later re-interpret content.
Audit Hidden Global Hooks
- Search JavaScript sources for DOMPurify hooks since they apply globally and may be hidden from per-call options.
- Audit hook handlers for attribute/node manipulation that run every sanitize call.
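The audit described in the last snip can be partly automated. The script below is an added example written for this page, not code from the podcast or from the DOMPurify project: it scans JavaScript source text for `addHook` / `removeHook` / `removeAllHooks` calls (real DOMPurify API names) and flags handlers registered on the per-attribute hooks, since those run on every later `sanitize()` call whatever per-call options are passed. The bundle text it scans is constructed sample input; the `forceKeepAttr` field it contains is a real hook-event property, but the sample handler itself is hypothetical.

```javascript
// Added example: locate DOMPurify hook registrations in JavaScript source.
// Hooks are global to the DOMPurify instance, so they do not show up in the
// config object handed to an individual sanitize() call.

// Hook names DOMPurify.addHook() accepts.
const DOMPURIFY_HOOKS = new Set([
  "beforeSanitizeElements", "uponSanitizeElement", "afterSanitizeElements",
  "beforeSanitizeAttributes", "uponSanitizeAttribute", "afterSanitizeAttributes",
  "beforeSanitizeShadowDOM", "uponSanitizeShadowNode", "afterSanitizeShadowDOM",
]);

// Matches `<receiver>.addHook("<name>", ...)` and the two removal methods.
// The hook-name group is optional so removeAllHooks() still matches.
const HOOK_CALL =
  /\b([A-Za-z_$][\w$]*)\.(addHook|removeHook|removeAllHooks)\s*\(\s*(?:['"`]([A-Za-z]+)['"`])?/g;

// Returns one finding per hook call, with the line number (1-based), the
// receiver identifier, the method, the hook name (null if none), whether the
// name is one DOMPurify recognises, and whether the hook runs per attribute.
function findHookRegistrations(source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(HOOK_CALL)) {
      const [, receiver, method, hookName] = m;
      findings.push({
        line: i + 1,
        receiver,
        method,
        hookName: hookName || null,
        knownHook: hookName ? DOMPURIFY_HOOKS.has(hookName) : false,
        // Attribute hooks can change which attribute values survive sanitize(),
        // so they are the first thing to read by hand.
        touchesAttributes: /Attribute/.test(hookName || ""),
      });
    }
  });
  return findings;
}

// Constructed sample bundle (not real application code).
const SAMPLE_BUNDLE = [
  'import DOMPurify from "dompurify";',
  "// registered once at startup; applies to every sanitize() call below",
  'DOMPurify.addHook("uponSanitizeAttribute", (node, data) => {',
  '  if (data.attrName === "data-src") data.forceKeepAttr = true; // hypothetical handler',
  "});",
  "const purify = DOMPurify;",
  "purify.addHook('afterSanitizeElements', fixupNode);",
  'export const clean = (html) => DOMPurify.sanitize(html, { ALLOWED_ATTR: ["href"] });',
].join("\n");

console.log(JSON.stringify(findHookRegistrations(SAMPLE_BUNDLE), null, 2));
```

Run it over a site's concatenated JavaScript bundles; any finding with `touchesAttributes: true` is a handler that can widen what the sanitizer lets through, independent of the `ALLOWED_ATTR` list seen at the call site.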
