How to Bypass DOMPurify in Bug Bounty with Kevin Mizu (Ep 111)
Episode 111: In this episode of Critical Thinking - Bug Bounty Podcast, Justin interviews Kevin Mizu to showcase his knowledge regarding DOMPurify and its misconfigurations. We walk through some of Kevin's research, highlighting things like dangerous allow-lists and URI attributes, DOMPurify hooks, node manipulation, and DOM Clobbering.

Follow us on twitter at: https://x.com/ctbbpodcast

Got any ideas and suggestions? Feel free to send us any feedback here: [email protected]

Shoutout to realytcracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======
Exploring the DOMPurify library: Bypasses and Fixes (1/2)
https://mizu.re/post/exploring-the-do...
Exploring the DOMPurify library: Hunting for Misconfigurations (2/2)
https://mizu.re/post/exploring-the-do...
Dom-Explorer tool
https://yeswehack.github.io/Dom-Explo...
CT Episode 61: A Hacker on Wall Street - JR0ch17
https://www.criticalthinkingpodcast.i...

====== Timestamps ======
(00:00:00) Introduction
(00:01:44) Kevin Mizu - Background and Bring-a-bug
(00:15:09) DOMPurify
(00:29:04) Misconfigurations - Dangerous allow-lists
(00:39:09) Dangerous URI attributes configuration
(00:46:08) Bad usage
(00:59:55) DOMPurify Hooks: before, after, and upon SanitizeAttribute
(01:29:15) Node manipulation, nodeName namespace case confusion, & DOM Clobbering DOS
(01:36:51) Misc concepts for future research
