What is Mutation XSS (mXSS)?

Jonathan Scheinert, Offensive Security Specialist @KPMG Edge May 2023


 This article will cover the topic of mXSS, a variant of cross-site scripting attack.

The covered topics are as follows: (feel free jumping from one to another).

  • Provide a brief explanation of mXSS
  • Outline the conditions necessary for a potential mXSS attack vector to occur
  • Discuss steps in the payload execution process
  • Mitigation and defense strategies

It is recommended to read the OWASP article on cross-site scripting before proceeding, as it provides a comprehensive overview of the topic.

What is mXSS?

mXSS, also known as mutation cross-site scripting, is a vulnerability that allows attackers to execute malicious code through the manipulation of untrusted data and the browser's HTML parser in connection with the DOM's innerHTML property.

This can occur due to the quirks of HTML parsers and browsers, which may alter a safe payload into an unsafe form and bypass defense mechanisms.

Components In Play:

It is important to understand the DOM, innerHTML, and HTML sanitizers when considering the potential for an mXSS attack.

  • innerHTML – innerHTML is a property that can be used to dynamically generate HTML content.
  • DOM - The DOM, or Document Object Model, is a programming interface for HTML and XML documents.
  • HTML sanitizer – HTML sanitizers, on the other hand, ensure that HTML data does not contain harmful content by blacklisting certain tags and sanitizing the DOM tree.

DOMPurify sanitizes the DOM Tree, basically the procedure is about walking through all elements and HTML attributes, along with deleting all nodes that are not in the allow-list.

DOMPurify.sanitize('<img src=x onerror=alert(1)//>'); → becomes <img src="x">

DOMPurify.sanitize('<svg><g/onload=alert(2)//<p>'); →  becomes <svg><g></g></svg>


Conditions to mXSS attack vector:

The likelihood of an mXSS vulnerability may also be influenced by the behavior of HTML parsers and the presence and positioning of backticks in payloads. The combination of factors such as the use of JavaScript libraries and HTML sanitizers in web applications can increase the likelihood of an mXSS vulnerability occurring. In particular, the use of libraries like jQuery in combination with HTML sanitizers can increase the probability of a potential mXSS vulnerability.

The discovery of the DOMPurify bypass by Gareth Heyes in Chrome inspired me to carefully examine the affected version to understand how the payload operates. I set up a small testing environment where I could insert payloads to see how they would be sanitized by DOMPurify 2.0.16

The following is the payload that the browser executes in order to bypass the DOMPurify sanitizer:

<math><mtext><table><mglyph><style><!--</style><img title="--&gt;&lt;img src=1 onerror=alert(1)&gt;">


Observing the payload, are you perplexed as to how this basic combination of tags and comments managed to produce a reliable mXSS attack vector?

In order to identify the issue, the sanitizer's source code was examined.


User input life cycle should be understood clearly in order to adequately grasp the mitigation measures.

Input validation – Input validation helps mitigate XSS attacks by ensuring that user-supplied data is correctly sanitized and formatted before being processed and displayed in a web page.

Whitelist approach – Enforce a whitelist of acceptable tags and elements that the web application would accept from the user. Blacklists can be easily bypassed.

Content-Security-Policy – In order to remediate the impact of mXSS attacks a sufficient Content-Security-Policy must be enforced, while framing and scripting shouldn’t be allowed.


As an example, the following CSP will tighten the security posture of every web application:


Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'self';


About the writer

Jonathan Scheinert, Offensive Security Specialist @KPMG Edge

Red teamer | Penetration Tester | Security Enthusiast | CTF Player | Guitar Player | Gamer.

Find out how KPMG

can help your company

Subscribe to our blog

I hereby confirm KPMG to send me newsletters and promotional materials, including events invitations. Privacy Policy.

17 Ha'arba'a Street. Tel Aviv



site by:
© 2023 KPMG Somekh Chaikin, an Israeli partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee
Contact Home