Critical Thinking - Bug Bounty Podcast

Episode 111: How to Bypass DOMPurify in Bug Bounty with Kevin Mizu

Feb 20, 2025
Kevin Mizu, a security researcher at Bisecure specializing in web application security, discusses the critical vulnerabilities associated with DOMPurify. He covers dangerous allow-lists, improper sanitization techniques, and the importance of managing sanitizer configurations. Mizu shares insights from his own bug bounty experiences, including the exploitation of misconfigured regex patterns and the nuances of Unicode normalization. The conversation emphasizes creative thinking in security research and the intricate methods used to bypass HTML sanitization, underscoring the difficulty of keeping web applications secure.
ANECDOTE

Subdomain CDN EXIF XSS Chain

  • Kevin described finding an XSS gadget on a subdomain and chaining it to a CDN image EXIF payload to trigger document.write XSS.
  • He used historical Cloudflare domains and an upload feature to serve a PNG with HTML in EXIF that became executable HTML.
ANECDOTE

Cookie Quirks Enabled Account Takeover

  • Kevin recounted abusing a login flow with a UID and two cookies to achieve account takeover via session fixation and crafted POST requests.
  • He used the site's cookie reset logic and a cross-site POST to set a reserved double-underscore host cookie and wait for the victim to login.
INSIGHT

One Regex Holds A Lot Of Risk

  • DOMPurify's mutation-XSS defense centers on a single regex that rejects attribute values containing style or title closing-tag sequences and comment-terminating sequences.
  • If you can smuggle those sequences past that regex, mutation XSS becomes feasible.
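The following is an added example, not DOMPurify's code and not material from the episode, illustrating why a sanitizer has to police attribute values for these sequences. The HTML fragment serialization algorithm escapes only '&', U+00A0 and '"' inside attribute values, so a '<' or '>' placed there survives serialization verbatim; if the serialized markup is later re-parsed in a context where that text lands outside the attribute (the mutation-XSS setup), a smuggled '</style>' or '-->' acts as a real terminator. The regex below is an approximation of the kind of check the episode refers to, written for this page, and the sample attribute sets are constructed.

```javascript
// Added example (not DOMPurify's code): why one attribute regex carries so much weight.

// Attribute-mode escaping as specified for HTML fragment serialization:
// only '&', U+00A0 and '"' are escaped. '<' and '>' pass through untouched.
function serializeAttrValue(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/"/g, '&quot;');
}

// Approximation (author's assumption, not a copy of DOMPurify's regex) of a check
// that rejects attribute values able to terminate a raw-text element (style, title)
// or a comment once they escape the attribute context. Case-insensitive on purpose:
// the HTML tokenizer matches tag names case-insensitively.
const DANGEROUS_ATTR_VALUE = /<\/(style|title)|(--!?|\]\])>/i;

function isDangerousAttrValue(value) {
  return DANGEROUS_ATTR_VALUE.test(value);
}

// Serialize a map of attributes, dropping any whose value trips the check.
// Returns { kept: 'name="value" ...', dropped: [names...] }.
function sanitizeAttributes(attrs) {
  const kept = [];
  const dropped = [];
  for (const [name, value] of Object.entries(attrs)) {
    if (isDangerousAttrValue(value)) {
      dropped.push(name);
    } else {
      kept.push(`${name}="${serializeAttrValue(value)}"`);
    }
  }
  return { kept: kept.join(' '), dropped };
}

// Constructed sample attribute sets (not taken from the episode).
const samples = {
  harmless: { title: 'Hello "world" & friends' },
  stylePayload: { title: '</style><img src=x onerror=alert(1)>' },
  commentPayload: { 'data-x': '--><img src=x onerror=alert(1)>' },
  caseVariant: { alt: '</TITLE>' },
};

function runSamples() {
  const out = {};
  for (const [label, attrs] of Object.entries(samples)) {
    out[label] = sanitizeAttributes(attrs);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSamples(), null, 2));
}
```

The point of the serializer function is the negative space: because '<' is never escaped in attribute values, the only line of defense against a value like '</style>' being re-interpreted after a serialize-then-parse round trip is the regex itself. Anything that slips past it (an encoding or normalization the regex does not anticipate, a terminator it does not list) reopens the mutation path.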