New IE mutation vector

New IE mutation vector I was messing around with a filter that didn’t correctly filter attribute names and allowed a blank one which enabled me to bypass it. I thought maybe IE had similar issues when rewriting innerHTML. Yes it does of course The filter bypass worked like this: <img ="><script>alert(1)</script>"> The filter incorrectly assumed it was still inside […]
How I smashed MentalJS I’m proud to introduce a guest blogger on The Spanner. Jann Horn is a IT Security student in fourth semester and works for Cure53. He has found security issues in a bunch of open source projects, including OpenSSH(CVE-2014-2532), Chromium(CVE-2014-1726,CVE-2015-1247), Android(CVE-2014-7911) and Angular. He’s also a member of the university CTF team FluxFingers. Jann has been […]
MentalJS DOM bypass Ruben Ventura (@tr3w_) found a pretty cool bypass of MentalJS. He used insertBefore with a null second argument which allows you to insert a node into the dom and bypass my sandboxing restrictions. The vector is below:- _=document x =_.createElement(‘script’); s =_.createElement(‘style’) s.innerHTML = ‘*/alert(location)//’ t=_.createElement(‘b’) t.textContent = ‘/*’ x.insertBefore(t.firstChild, null); x.insertBefore(s, null) _.body.appendChild(x) x […]
Another XSS auditor bypass This bug is similar to the last one I posted but executes in a different context. It requires an existing script after the injection because we use it to close the injected script. It’s a shame chrome doesn’t support self closing scripts in HTML or within a SVG element because I’m pretty sure I could […]
XSS Auditor bypass XSS Auditor is getting pretty good at least in the tests I was doing however after a bit of testing I found a cool bypass. Without studying the code it seems that it checks for valid JavaScript within the vector, I thought I could use this to my advantage. I came up with the idea […]

Back to Top