
Critical Thinking - Bug Bounty Podcast

Justin Gardner (Rhynorater) & Joseph Thacker (Rez0)

Episode 111: How to Bypass DOMPurify in Bug Bounty with Kevin Mizu

FEB 20, 2025 · 109 MIN

Description

<p>Episode 111: In this episode of Critical Thinking - Bug Bounty Podcast, Justin interviews Kevin Mizu to showcase his knowledge regarding DOMPurify and its misconfigurations. We walk through some of Kevin’s research, highlighting things like dangerous allow-lists and URI attributes, DOMPurify hooks, node manipulation, and DOM Clobbering.</p>
<p>Follow us on Twitter at: <a target="_blank" rel="noopener noreferrer nofollow" href="https://x.com/ctbbpodcast">https://x.com/ctbbpodcast</a></p>
<p>Got any ideas and suggestions? Feel free to send us any feedback here: <a target="_blank" rel="noopener noreferrer nofollow" href="mailto:info@criticalthinkingpodcast.io">info@criticalthinkingpodcast.io</a></p>
<p>Shoutout to <a target="_blank" rel="noopener noreferrer nofollow" href="https://twitter.com/realytcracker">YTCracker</a> for the awesome intro music!</p>
<p><strong>====== Links ======</strong></p>
<p>Follow your hosts Rhynorater and Rez0 on Twitter:</p>
<p><a target="_blank" rel="noopener noreferrer nofollow" href="https://x.com/Rhynorater"><strong>https://x.com/Rhynorater</strong></a></p>
<p><a target="_blank" rel="noopener noreferrer nofollow" href="https://x.com/rez0__"><strong>https://x.com/rez0__</strong></a></p>
<p><strong>====== Ways to Support CTBBPodcast ======</strong></p>
<p>Hop on the CTBB Discord at <a target="_blank" rel="noopener noreferrer nofollow" href="https://ctbb.show/discord">https://ctbb.show/discord</a>!</p>
<p>We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.</p>
<p>You can also find some hacker swag at <a target="_blank" rel="noopener noreferrer nofollow" href="https://ctbb.show/merch">https://ctbb.show/merch</a>!</p>
<p><strong>====== Resources ======</strong></p>
<p>Exploring the DOMPurify library: Bypasses and Fixes (1/2)</p>
<p><a target="_blank" rel="noopener noreferrer nofollow" href="https://mizu.re/post/exploring-the-dompurify-library-bypasses-and-fixes">https://mizu.re/post/exploring-the-dompurify-library-bypasses-and-fixes</a></p>
<p>Exploring the DOMPurify library: Hunting for Misconfigurations (2/2)</p>
<p><a target="_blank" rel="noopener noreferrer nofollow" href="https://mizu.re/post/exploring-the-dompurify-library-hunting-for-misconfigurations">https://mizu.re/post/exploring-the-dompurify-library-hunting-for-misconfigurations</a></p>
<p>Dom-Explorer tool</p>
<p><a target="_blank" rel="noopener noreferrer nofollow" href="https://yeswehack.github.io/Dom-Explorer/shared?id=772a440c-b0c2-4991-be71-3e271cf7954f">https://yeswehack.github.io/Dom-Explorer/shared?id=772a440c-b0c2-4991-be71-3e271cf7954f</a></p>
<p>CT Episode 61: A Hacker on Wall Street - JR0ch17</p>
<p><a target="_blank" rel="noopener noreferrer nofollow" href="https://www.criticalthinkingpodcast.io/episode-61-a-hacker-on-wall-street-jr0ch17/">https://www.criticalthinkingpodcast.io/episode-61-a-hacker-on-wall-street-jr0ch17/</a></p>
<p><strong>====== Timestamps ======</strong></p>
<p>(00:00:00) Introduction</p>
<p>(00:01:44) Kevin Mizu - Background and Bring-a-bug</p>
<p>(00:15:09) DOMPurify</p>
<p>(00:29:04) Misconfigurations - Dangerous allow-lists</p>
<p>(00:39:09) Dangerous URI attributes configuration</p>
<p>(00:46:08) Bad usage</p>
<p>(00:59:55) DOMPurify Hooks: before, after, and upon SanitizeAttribute</p>
<p>(01:29:15) Node manipulation, nodeName namespace case confusion, &amp; DOM Clobbering DOS</p>
<p>(01:36:51) Misc concepts for future research</p>