This article covers mXSS, a variant of the cross-site scripting (XSS) attack.
The topics covered are listed below (feel free to jump from one to another).
It is recommended to read the OWASP article on cross-site scripting before proceeding, as it provides a comprehensive overview of the topic.
mXSS, also known as mutation cross-site scripting, is a vulnerability that allows attackers to execute malicious code by feeding untrusted data through the browser's HTML parser, typically via the DOM's innerHTML property.
It occurs because of quirks in HTML parsers and browsers: markup that looked safe when it was sanitized can be mutated into an unsafe form when the browser re-parses it, bypassing the defense mechanism.
A clear understanding of the DOM, innerHTML, and HTML sanitizers is therefore needed when assessing the potential for an mXSS attack.
DOMPurify sanitizes the DOM tree: it parses the input, walks through every element and HTML attribute, and deletes all nodes and attributes that are not on its allow-list. For example:
DOMPurify.sanitize('<img src=x onerror=alert(1)//>');   // becomes <img src="x">
DOMPurify.sanitize('<svg><g/onload=alert(2)//<p>');    // becomes <svg><g></g></svg>
The likelihood of an mXSS vulnerability is also influenced by the behavior of the HTML parser and by the presence and position of backticks in payloads. Combining JavaScript libraries with HTML sanitizers in a web application increases the chance of mXSS; in particular, using libraries like jQuery together with an HTML sanitizer raises the probability of a potential mXSS vulnerability.
The discovery of the DOMPurify bypass by Gareth Heyes in Chrome inspired me to carefully examine the affected version to understand how the payload operates. I set up a small testing environment where I could insert payloads and see how they would be sanitized by DOMPurify 2.0.16.
The following is the payload that the browser executes in order to bypass the DOMPurify sanitizer:
<math><mtext><table><mglyph><style><!--</style><img title="--><img src=1 onerror=alert(1)>">
Looking at the payload, are you perplexed as to how this basic combination of tags and a comment manages to produce a reliable mXSS attack vector?
To identify the issue, the sanitizer's source code was examined.
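To make the sanitizer behaviour described above concrete, here is an added example (my own code, not DOMPurify's): a minimal allow-list sanitizer that parses the input into a tree, walks every element and attribute, drops everything not on the allow-list, and serializes the result. It also adds the check a defender wants against mutation: the sanitized output must be a fixed point of parse-then-serialize, otherwise it is refused. Python's html.parser is used so the code runs offline; it does not reproduce browser parsing quirks (that gap is exactly what the payload above relies on), and the allowed tags and attributes are illustrative assumptions. The payload quoted from this article is used only as input.

```python
# Added example, not DOMPurify's code. Allow-list sanitizer over a parsed tree,
# plus a stability check against mutation. Tag/attribute lists are assumptions.
from html import escape
from html.parser import HTMLParser
import re

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "span", "ul", "li", "br", "img"}
ALLOWED_ATTRS = {"href", "src", "title", "alt"}
VOID_TAGS = {"br", "img"}


class _TreeBuilder(HTMLParser):
    """Builds a tree of (tag, attrs, children) tuples; text nodes are plain str."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.root = ("#root", [], [])
        self._stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = (tag, attrs, [])
        self._stack[-1][2].append(node)
        if tag not in VOID_TAGS:
            self._stack.append(node)

    def handle_startendtag(self, tag, attrs):
        self._stack[-1][2].append((tag, attrs, []))

    def handle_endtag(self, tag):
        # Pop back to the nearest open element with this name (never the root).
        for i in range(len(self._stack) - 1, 0, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                return

    def handle_data(self, data):
        self._stack[-1][2].append(data)

    def handle_comment(self, data):
        pass  # comments are dropped rather than copied through to the output


def _safe_url(value):
    """Allow relative URLs and http(s) only; strip control chars and whitespace first."""
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    scheme = cleaned.split(":", 1)[0] if ":" in cleaned else ""
    return scheme in ("", "http", "https")


def _serialize(node):
    if isinstance(node, str):
        return escape(node, quote=False)
    tag, attrs, children = node
    if tag == "#root":
        return "".join(_serialize(c) for c in children)
    if tag not in ALLOWED_TAGS:
        return ""  # drop the element together with its subtree
    kept = []
    for name, value in attrs:
        value = value or ""
        if name not in ALLOWED_ATTRS:
            continue  # event handlers such as onerror/onload are removed here
        if name in ("href", "src") and not _safe_url(value):
            continue
        kept.append(f' {name}="{escape(value, quote=True)}"')
    opening = f"<{tag}{''.join(kept)}>"
    if tag in VOID_TAGS:
        return opening
    return opening + "".join(_serialize(c) for c in children) + f"</{tag}>"


def sanitize(html):
    builder = _TreeBuilder()
    builder.feed(html)
    builder.close()
    return _serialize(builder.root)


def sanitize_stable(html, max_rounds=3):
    """mXSS guard: re-sanitize the output until it stops changing.
    Markup that never stabilizes is refused instead of trusted."""
    out = sanitize(html)
    for _ in range(max_rounds):
        again = sanitize(out)
        if again == out:
            return out
        out = again
    return ""


# Payload quoted from the article (the DOMPurify 2.0.16 bypass), used only as input.
BYPASS_PAYLOAD = ('<math><mtext><table><mglyph><style><!--</style>'
                  '<img title="--><img src=1 onerror=alert(1)>">')

if __name__ == "__main__":
    print(sanitize('<img src=x onerror=alert(1)//>'))   # <img src="x">
    print(repr(sanitize_stable(BYPASS_PAYLOAD)))        # '' (math is not allowed)
```

The stability loop is the part worth copying: a sanitizer whose output changes when it is parsed and serialized a second time is, by definition, producing markup the browser will interpret differently from what was checked.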
The life cycle of user input should be understood clearly in order to grasp the mitigation measures.
Input validation – Input validation helps mitigate XSS attacks by ensuring that user-supplied data is correctly sanitized and formatted before being processed and displayed in a web page.
Whitelist approach – Enforce a whitelist of acceptable tags and elements that the web application would accept from the user. Blacklists can be easily bypassed.
Content-Security-Policy – To limit the impact of mXSS attacks, a sufficiently strict Content-Security-Policy must be enforced, one that restricts where scripts may load from and who may frame the page.
As an example, the following CSP tightens the security posture of a web application:
Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'self';
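As an added example (my own code, not from the article), the following audit parses a Content-Security-Policy header value and flags the settings that would weaken it against XSS: a missing default-src, script sources that permit inline or wildcard script, object-src not locked to 'none', and missing or wildcard frame-ancestors. The header from the article is checked alongside a constructed weak header; the finding texts are this example's own wording.

```python
# Added example: audit a CSP header value for settings that weaken it against XSS.
# Checks follow the mitigation points above; the finding wording is this example's own.

def parse_csp(header):
    """Parse a CSP header value into {directive-name: [source expressions]}.
    Directive names are case-insensitive; source keywords are kept as written."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # empty segment, e.g. the trailing ';' in the article's header
        policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Fetch directives (script-src, object-src, ...) fall back to default-src.
    An empty list means nothing restricts that directive at all."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def audit_csp(header):
    """Return a list of findings; an empty list means no weakness was detected."""
    policy = parse_csp(header)
    findings = []

    if "default-src" not in policy:
        findings.append("default-src missing: any fetch directive not listed is unrestricted")

    script = effective_sources(policy, "script-src")
    if not script:
        findings.append("script-src unrestricted: neither script-src nor default-src is set")
    for risky in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"):
        if risky in script:
            findings.append(f"script-src allows {risky}, which lets injected script run")

    objects = effective_sources(policy, "object-src")
    if "'none'" not in objects:
        findings.append("object-src not 'none': plugin content can execute script")

    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: the page can be framed by any origin")
    elif "*" in policy["frame-ancestors"]:
        findings.append("frame-ancestors allows *: any origin may frame the page")

    return findings


# Header quoted from the article, and a constructed weak header for comparison.
ARTICLE_CSP = ("default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; "
               "style-src 'self'; frame-ancestors 'self'; form-action 'self';")
WEAK_CSP = "script-src 'self' 'unsafe-inline'; img-src *"

if __name__ == "__main__":
    print("article header:", audit_csp(ARTICLE_CSP) or "no findings")
    for finding in audit_csp(WEAK_CSP):
        print("weak header:", finding)
```

The fallback in effective_sources is the detail most often missed in reviews: a policy without default-src leaves every directive it does not name, object-src included, completely unrestricted, which is why the article's header starts with default-src 'none'.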
Jonathan Scheinert, Offensive Security Specialist @KPMG Edge