关于突变XSS的定义，可以追溯于Mario Heiderich等人于2013年发表的一篇论文“ mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations.”在下一部分中，我将简要介绍什么是突变XSS以及怎样绕过DOMPurify。

而有一種常拿來針對 sanitizer 的攻擊方式，叫做 mutation based XSS，也被稱做 mutation XSS 或是簡稱 mXSS。 在理解 mXSS 以前，我們要來看 sanitizer 通常是怎麼運作的。 根據我們之前使用的經驗，sanitizer 的輸入是一個字串，裡面含有 HTML，而輸出也是一個含有 HTML 的字串，使用方式如下： 那 sanitizer 內部又是怎麼運作的呢？ 其實內部的運作方式跟我們前面用 BeautifulSoup 實作出的 sanitizer 差不多： 這流程看似也沒有什麼問題，但魔鬼藏在細節裡，萬一「看起來 …

2017年5月22日 · mXSS is a new type of XSS attack by Mario Heiderich. I actually saw him present this very talk at Syscan 2013 this year. The vulnerability in question comes from innerHTML which allows direct manipulation of HTML content, bypassing the DOM .

Mutation XSS (mXSS) is a sophisticated type of cross-site scripting attack that leverages the way browsers parse and modify HTML content. Unlike traditional XSS attacks, where malicious scripts are directly injected into a web application, mutation XSS involves injecting seemingly benign code that the browser later transforms into executable ...

2024年12月16日 · 总结一下，我们需要两个条件来实现 Mutation XSS。 首先是需要一种方法来输出未经净化的任意文本，通常是在某些不会立即导致 XSS 的受限上下文中。 输出应该在某处包含 <img src onerror=alert()> ，可能是：

This cheatsheet is your one-stop shop for diving deep into the fascinating world of mXSS (mutations caused by browser quirks in HTML parsing). Forget sifting through the official 1500~ page spec – here’s a curated list of examples that showcase these unexpected behaviors.

2020年10月7日 · DOMPurify's patch for Michal's finding worked by looking for potential mutation inside text nodes but crucially didn't take into account comments. I injected a comment and a HTML img tag with a title attribute, then I encoded the closing HTML comment and a further image that contained a XSS vector:

2022年2月5日 · As per OWASP, “Mutated XSS happens when the attacker injects something that is seemingly safe but rewritten and modified by the browser while parsing the markup. This makes it extremely hard to...

2019年4月10日 · Mutation XSS vulnerabilities are caused by differences in how browsers interpret the HTML standard. Due to browser differences, it is very difficult to sanitize user input on the server. The server needs to account for all differences between …

This post will explain the general idea of Mutation XSS, what tricks exist, and how to find bypasses. It also contains two examples of a CVE I found in the lxml_html_clean library and a hard challenge combining and showcasing two new tricks.