Clobbering the clobbered — Advanced DOM Clobbering

Based on @SecurityMB XSS Challenge

terjanq
9 min read · Sep 26, 2019


This is a write-up for an XSS Challenge that popped out on Twitter recently. In this article, I will talk through three different approaches that one could take to solve the challenge, including the shortest among the submitted solutions. The latter resulted in a surprising discovery of how HTML is parsed.

If you are familiar with the challenge details and are only interested in knowing the solutions, I recommend scrolling down to the ‘CSP Path bypass’ section.

It was supposed to be a mini-article but turned out to be at least a medium-sized text. Enjoy reading! :)

Task description

The beauty of the XSS challenges that occasionally pop up on Twitter comes from their simplicity, which they combine with high exploitation complexity. Michał’s challenge is no exception to that rule.

We have a website whose main functionality is rendering user-controlled input inside an iframe, then creating a unique URL that could be shared. From the challenge description:

- Please enter some HTML. It gets sanitized and shown in the iframe.
- The task is: execute alert(1) (it must actually execute so you have to bypass CSP as well).
- The solution must work on current version of at least one major browser (Chrome, Firefox, Safari, Edge).
- If you find a solution, please DM me at Twitter: @SecurityMB.
- DOMPurify has been updated to 2.0.1 so you cannot exploit the latest mXSS.

The goal is clear:

execute alert(1) (it must actually execute so you have to bypass CSP as well).

DOMPurify and full bypass

As mentioned in the description, the user’s input is sanitized with DOMPurify, a sanitizer that strips or neutralizes dangerous markup so that only safe HTML reaches the iframe. It means that there is no easy way to
