Exploring the DOMPurify library: Bypasses and Fixes (1/2). Tags:Article - Article - Web - mXSS
title: Exploring the DOMPurify library: Bypasses and Fixes (1/2) date: Nov 17, 2024 tags: Article Web mXSS 📜 Introduction 🔠How does client-side HTML sanitizer works? â“ Why are mutation XSS (mXSS) possible? â–¶ï¸ DOMPurify 3.1.0 bypass (found by @IceFont 👑) Node flattening HTML Parsing states Proof Of Concept â© DOMPurify 3.1.1 bypass DOMPurify 3.1.0 fix DOM Clobbering issue Proof Of Concept âï¸ DOM
DOMã®å¤ã„仕組ã¿ã‚’悪用ã—ãŸè„†å¼±æ€§ | フãƒãƒ³ãƒˆã‚¨ãƒ³ãƒ‰Blog | ミツエーリンクス
pagefindã¯é™çš„サイトã§ã‚‚手軽ã«ã‚µã‚¤ãƒˆå†…検索を実ç¾ã§ãる全文検索ライブラリーã§ã™ã€‚先日ã€pagefindã®è„†å¼±æ€§ãŒä¿®æ£ã•ã‚Œã¾ã—ãŸãŒã€DOMã®å¤ã„仕組ã¿ã‚’悪用ã—ãŸã‚‚ã®ã§ã—ãŸã€‚ãã®å†…容を興味深ãæ„Ÿã˜ãŸãŸã‚ã€ã“ã®è¨˜äº‹ã§ç´¹ä»‹ã—ã¾ã™ã€‚ãªãŠã€ç´¹ä»‹ã™ã‚‹æ”»æ’ƒæ‰‹æ³•ã¯DOM Clobberingã¨å‘¼ã°ã‚Œã¦ã„ã¾ã™ï¼ˆDOM上書ãã¨ã„ã†æ„味ã§ã™ï¼‰ã€‚ ã“ã®è¨˜äº‹ã§ç´¹ä»‹ã™ã‚‹è„†å¼±æ€§ã¯pagefind 1.1.1ã§ä¿®æ£ã•ã‚Œã¦ã„ã¾ã™ã€‚pagefind 1.1.1未満をã”利用ã®ã‹ãŸã¯1.1.1ã«æ›´æ–°ã™ã‚‹ã“ã¨ã‚’ãŠã™ã™ã‚ã—ã¾ã™ã€‚ CVE-2024-45389: DOM clobbering could escalate to XSS æ¦‚è¦ ä¿®æ£å‰ã®pagefindを利用ã—ã¦ã„るサイトã§ã¯ã€ã‚µã‚¤ãƒˆã«HTMLを書ãè¾¼ã‚ã‚‹å ´åˆã€å¤–部ã®JavaScriptã‚’èªã¿è¾¼ã¾ã‚Œã¦ã—ã¾ã†è„†å¼±æ€§ãŒã‚ã‚Šã¾ã—ãŸã€‚書ãè¾¼ã¾ã‚ŒãŸHTMLã«JavaScrip
SQL/コマンドインジェクションã€XSSç‰ã‚’横串ã§ç†è§£ã™ã‚‹ - 「インジェクションã€è„†å¼±æ€§ã¸ã®å‘ãåˆã„æ–¹ - GMO Flatt Security Blog
ã“ã‚“ã«ã¡ã¯ã€@hamayanhamayan ã§ã™ã€‚ 本稿ã§ã¯Webã‚»ã‚ュリティã«å¯¾ã™ã‚‹æœ‰ç”¨ãªæ–‡æ›¸ã¨ã—ã¦åºƒãå‚ç…§ã•ã‚Œã¦ã„ã‚‹OWASP Top 10ã®1ã¤ã€Œã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ã€ã«ã¤ã„ã¦è€ƒãˆã¦ã„ãã¾ã™ã€‚色々ãªã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ã‚’例ã«æŒ™ã’ãªãŒã‚‰ã€ã©ã®ã‚ˆã†ã«ã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ãŒèµ·ã“ã‚‹ã®ã‹ã¨ã„ã†ç™ºç”ŸåŽŸç†ã‹ã‚‰ã€ã©ã®ã‚ˆã†ã«ã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ã‚’æ‰ãˆã€ã‚ˆã‚Šåºƒãインジェクションã®è€ƒãˆæ–¹ã‚’自身ã®ãƒ—ãƒãƒ€ã‚¯ãƒˆé–‹ç™ºã«é©ç”¨ã—ã¦ã„ãã‹ã«ã¤ã„ã¦æ‰±ã£ã¦ã„ãã¾ã™ã€‚ SQLインジェクションやコマンドインジェクションã€XSSã®ã‚ˆã†ãªã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ã«é–¢ã‚る有åãªæ‰‹æ³•ã«ã¤ã„ã¦æ¨ªæ–çš„ã«è§£èª¬ã‚’ã—ãªãŒã‚‰ã€ã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ã®æ¦‚念を説明ã—ã¦ã„ãã¾ã™ã€‚åˆã‚ã¦ã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ã«è§¦ã‚Œã‚‹æ–¹ã«ã¨ã£ã¦ã¯ã€ã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ã®å®Ÿä¾‹ã‚„基本的ãªè€ƒãˆæ–¹ã«è§¦ã‚Œã‚‹ã“ã¨ãŒã§ãã€ãã®å…¨ä½“åƒã‚’把æ¡ã™ã‚‹åŠ©ã‘ã«ãªã‚‹ã‹ã¨æ€ã„ã¾ã™ã€‚ ã¾ãŸã€æ—¢ã«ã„ãã¤ã‹ã®ã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³æ‰‹æ³•ã‚’知ã£ã¦ã„ã‚‹æ–¹ã«ã¨
[HackerNotes Ep. 68]: 0-days & HTMX-SS with Mathias
Critical Thinking - Bug Bounty PodcastPosts[HackerNotes Ep. 68]: 0-days & HTMX-SS with Mathias [HackerNotes Ep. 68]: 0-days & HTMX-SS with Mathias Mathias is back with some fresh HTMX research, including CSP bypass using HTMX triggers, converting client-side response header injection to XSS, and bypassing HTMX disable. Some cool behaviour in Cloudflares image optimization functionality is also dro
![[HackerNotes Ep. 68]: 0-days & HTMX-SS with Mathias](https://cdn-ak-scissors.b.st-hatena.com/image/square/b8c65f4910e79834cfcddd21a60954a9a0dbb036/height=288;version=1;width=512/https%3A%2F%2Fbeehiiv-images-production.s3.amazonaws.com%2Fuploads%2Fpublication%2Flogo%2Ff3cc9f6e-341e-452a-9b50-a244bcc4cf92%2FCritical_Thinking_Podcast_Cover_Square.jpg)
XSS using dirty Content Type in cloud era
2024/3/31(土)開催ã®ã‚³ãƒŸãƒ¥ãƒ‹ãƒ†ã‚£ã‚¤ãƒ™ãƒ³ãƒˆã€ŒBsides Tokyo 2024ã€ã§ã®Azaraã€eiã«ã‚ˆã‚‹ã‚»ãƒƒã‚·ãƒ§ãƒ³è³‡æ–™ã§ã™ã€‚ https://bsides.tokyo/2024/#xss-using-dirty-content-type-in-cloud-era
注目ã—ãŸã„クライアントサイドã®è„†å¼±æ€§2é¸/ Security.Tokyo #3
Security.Tokyo #3ã®ç™ºè¡¨è³‡æ–™ã§ã™ã€‚ クライアントサイドã®ãƒ‘ストラãƒãƒ¼ã‚µãƒ«ã¨ã€postMessage経由ã®è„†å¼±æ€§ã‚’å–り上ã’ã¾ã—ãŸã€‚
CVE-2023-5480: Chrome new XSS Vector
Chrome XSSThe article is informative and intended for security specialists conducting testing within the scope of a contract. The author is not responsible for any damage caused by the application of the provided information. The distribution of malicious programs, disruption of system operation, and violation of the confidentiality of correspondence are pursued by law. PrefaceThis article is dedi
ãƒã‚°ãƒã‚¦ãƒ³ãƒ†ã‚£ã«ãŠã‘ã‚‹ XSS ã®å…·ä½“çš„ãªè„…å¨ã®äº‹ä¾‹ã¾ã¨ã‚ - blog of morioka12
1. 始ã‚ã« ã“ã‚“ã«ã¡ã¯ã€morioka12 ã§ã™ã€‚ 本稿ã§ã¯ã€ãƒã‚°ãƒã‚¦ãƒ³ãƒ†ã‚£ã§å®Ÿéš›ã«ã‚ã£ãŸè„†å¼±æ€§å ±å‘Šã®äº‹ä¾‹ã‚’ã‚‚ã¨ã«ã€XSS ã®å…·ä½“çš„ãªè„…å¨(Impact)ã«ã¤ã„ã¦ã„ãã¤ã‹ç´¹ä»‹ã—ã¾ã™ã€‚ 1. 始ã‚ã« å…è²¬äº‹é … 想定èªè€… 2. XSS (Cross Site Scripting) HackerOne Top 10 Vulnerability Types Escalation (Goal) 3. XSS ã®è„…å¨ (Impact) 3.1 Response Body ã‹ã‚‰ Session ID ã®å¥ªå– 3.2 Local Storage ã‹ã‚‰ Access Token ã®å¥ªå– 3.3 IndexedDB ã‹ã‚‰ Session Data ã®å¥ªå– 3.4 メールアドレスã®æ”¹ã–ã‚“ 3.5 パスワードã®æ”¹ã–ã‚“ 3.6 管ç†è€…アカウントã®æ‹›å¾… 3.7 POST Based Reflected XSS 4.
DOM-based race condition: racing in the browser for fun
DisclaimerAll projects mentioned in this blog post have been contacted, and I confirmed that the behavior described in this article is either working as intended, already fixed, or will not be fixed. TL;DRThe browser loads elements in the HTML from top to bottom, and some JavaScript libraries retrieve data or attributes from the DOM after the page has been completely loaded. Because of how the con
ランã‚ング
ランã‚ング
メンテナンス
リリースã€éšœå®³æƒ…å ±ãªã©ã®ã‚µãƒ¼ãƒ“スã®ãŠçŸ¥ã‚‰ã›
最新ã®äººæ°—エントリーã®é…ä¿¡
j次ã®ãƒ–ックマーク
kå‰ã®ãƒ–ックマーク
lã‚ã¨ã§èªã‚€
eコメント一覧を開ã
oページを開ã
https://scnps.co/papers/sp23_domclob.pdf
security: fix DOM clobbering in auto public path by alexander-akait · Pull Request #18700 · webpack/webpack
CVE-2024-45047 - GitHub Advisory Database
Blog: Enabling Trusted Types in a Complex Web Application: A Case Study of AppSheet
content-type-research/XSS.md at master · BlackFan/content-type-research
GitHub - google/tsec
BHack Conference
mozilla/standards-positions%253C%2Fscript%253E%250A--MYBOUNDARY--)
https://terjanq.me/xss.php?h%5BContent-Security-Policy%5D=default-src%20'none'&h%5BContent-Type%5D=multipart/x-mixed-replace;%20boundary=MYBOUNDARY&html=--MYBOUNDARY%0AContent-Type:%20text/html%0AContent-Security-Policy:%20script-src%20'unsafe-inline'%0A%0Alol%3Cscript%3Ealert(1)%3C/script%3E%0A--MYBOUNDARY--
Chrome Platform Status
html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318) · Issue #62196 · golang/go
{{#tags}}- {{label}}
{{/tags}}