
Episode 111: How to Bypass DOMPurify in Bug Bounty with Kevin Mizu

Feb 20, 2025 | 1 hr 49 min | Season 1, Ep. 111

Episode description

Episode 111: In this episode of Critical Thinking - Bug Bounty Podcast, Justin interviews Kevin Mizu to showcase his knowledge of DOMPurify and its misconfigurations. We walk through some of Kevin's research, highlighting topics such as dangerous allow-lists and URI attributes, DOMPurify hooks, node manipulation, and DOM clobbering.

Follow us on twitter at: https://x.com/ctbbpodcast

Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======

Exploring the DOMPurify library: Bypasses and Fixes (1/2)

https://mizu.re/post/exploring-the-dompurify-library-bypasses-and-fixes

Exploring the DOMPurify library: Hunting for Misconfigurations (2/2)

https://mizu.re/post/exploring-the-dompurify-library-hunting-for-misconfigurations

Dom-Explorer tool

https://yeswehack.github.io/Dom-Explorer/shared?id=772a440c-b0c2-4991-be71-3e271cf7954f

CT Episode 61: A Hacker on Wall Street - JR0ch17

https://www.criticalthinkingpodcast.io/episode-61-a-hacker-on-wall-street-jr0ch17/

====== Timestamps ======

(00:00:00) Introduction

(00:01:44) Kevin Mizu - Background and Bring-a-bug

(00:15:09) DOMPurify

(00:29:04) Misconfigurations - Dangerous allow-lists

(00:39:09) Dangerous URI attributes configuration

(00:46:08) Bad usage

(00:59:55) DOMPurify Hooks: before, after, and upon SanitizeAttribute

(01:29:15) Node manipulation, nodeName namespace case confusion, & DOM Clobbering DOS

(01:36:51) Misc concepts for future research
