Critical Thinking - Bug Bounty Podcast

Episode 111: How to Bypass DOMPurify in Bug Bounty with Kevin Mizu

Feb 20, 2025

Kevin Mizu, a security researcher at Bisecure specializing in web app security, discusses the critical vulnerabilities associated with DOMPurify. He explores dangerous allow-lists, improper sanitization techniques, and the significance of managing configurations. Mizu shares insights into his own bug bounty experiences, including the exploitation of misconfigured regex patterns and the nuances of Unicode normalization. The conversations emphasize creative thinking in cybersecurity and the intricate methods used to bypass HTML sanitization, underscoring the complexities in maintaining web application security.

01:49:15

Creator website

Episode guests

Kevin Mizu

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Kevin Mizu emphasizes the importance of understanding DOMPurify's misconfigurations, as they can unintentionally lead to severe security vulnerabilities like XSS attacks.

The podcast highlights the critical role of cookie management in preventing session fixation vulnerabilities, pointing out how improper attributes can facilitate account takeover.

Missing charset headers are discussed as a significant oversight that can compromise application security, enabling attackers to exploit sanitization processes.

Deep dives

Introduction to DOM Purify's Importance

DOM Purify is a widely utilized HTML sanitization library that allows for the safe processing of untrusted user input in web applications. Its significance stems from its application across various environments where user-generated content could pose a security risk. The podcast discusses the recent articles highlighting DOM Purify’s capabilities, particularly focusing on its misconfigurations that security professionals, especially bug bounty hunters, encounter. An example is given which describes how the author became engrossed in exploring the depth of DOM Purify, reinforcing its relevance to the security landscape.

Intro

2min

Unraveling Web Vulnerabilities

11min

Exploring DOM Purify: Risks and Configurations

9min

Exploiting DOMPurify Vulnerabilities

13min

Unpacking DOM Manipulation and Event Delegation

3min

Regex Vulnerabilities in Web Security

6min

Understanding DOMPurify Challenges in Web Security

11min

Bypassing DOMPurify: Vulnerabilities and Exploits

17min

Vulnerabilities in DOMPurify Sanitization

11min

10.

Creativity and Risks in Bug Bounty Hunting

3min

11.

Exploring Unicode Normalization for Bypassing Security Measures

3min

12.

Sanitization Vulnerabilities and DOMPurify Exploits

16min

13.

Exploring JavaScript Execution Vulnerabilities in DOMPurify and Happy DOM

2min

14.

Exploring Vulnerabilities in DOMPurify and JavaScript Evaluations

2min

Episode 111: In this episode of Critical Thinking - Bug Bounty Podcast Justin interviews Kevin Mizu to showcase his knowledge regarding DOMPurify and its misconfigurations. We walk through some of Kevin’s research, highlighting things like Dangerous allow-lists and URI Attributes, DOMPurify hooks, node manipulation, and DOM Clobbering.

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======

Exploring the DOMPurify library: Bypasses and Fixes (1/2)

https://mizu.re/post/exploring-the-dompurify-library-bypasses-and-fixes

Exploring the DOMPurify library: Hunting for Misconfigurations (2/2)

https://mizu.re/post/exploring-the-dompurify-library-hunting-for-misconfigurations

Dom-Explorer tool

https://yeswehack.github.io/Dom-Explorer/shared?id=772a440c-b0c2-4991-be71-3e271cf7954f

CT Episode 61: A Hacker on Wall Street - JR0ch17

https://www.criticalthinkingpodcast.io/episode-61-a-hacker-on-wall-street-jr0ch17/

====== Timestamps ======

(00:00:00) Introduction

(00:01:44) Kevin Mizu - Background and Bring-a-bug

(00:15:09) DOMPurify

(00:29:04) Misconfigurations - Dangerous allow-lists

(00:39:09) Dangerous URI attributes configuration

(00:46:08) Bad usage

(00:59:55) DOMPurify Hooks: before, after, and upon SanitizeAttribute

(01:29:15) Node manipulation, nodeName namespace case confusion, & DOM Clobbering DOS

(01:36:51) Misc concepts for future research

Get the Snipd
podcast app

Unlock the knowledge in podcasts with the podcast player of the future.

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Critical Thinking - Bug Bounty Podcast

Episode 111: How to Bypass DOMPurify in Bug Bounty with Kevin Mizu

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Introduction to DOM Purify's Importance

Discovering a Unique Bug

Insights into DOM Purify Misconfigurations

Cookie Management Exploits and Session Fixation

The Role of Charset in Security

Kind of Puzzles in Browser Parsing

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights

Critical Thinking - Bug Bounty Podcast

Episode 111: How to Bypass DOMPurify in Bug Bounty with Kevin Mizu

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Introduction to DOM Purify's Importance

Discovering a Unique Bug

Insights into DOM Purify Misconfigurations

Cookie Management Exploits and Session Fixation

The Role of Charset in Security

Kind of Puzzles in Browser Parsing

Get the Snipdpodcast app

AI-poweredpodcast player

Discoverhighlights

Save anymoment

Share& Export

AI-poweredpodcast player

Discoverhighlights

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights