Professional Documents
Culture Documents
The document.write() call will result in the execution of this hash value as a script
once it is injected in the DOM and interpreted as a script tag. This will display the
current session cookies, but could do many harmful things as we have seen in past
XSS examples.
From this you can see that although this XSS did not require a server, it did require
both a source (window.location.hash) and a sink (document.write). Furthermore,
it would not have caused any issues if a legitimate string had been passed, and as such
could go undetected for a very long time.
Mutation-Based XSS
Several years ago, my friend and colleague Mario Heiderich published a paper called
“mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML
Mutations.” This paper was one of the first introductions to a new and emerging clas‐
sification of XSS attacks that has been dubbed mutation-based XSS (mXSS).
mXSS attacks are possible against all major browsers today. They rely on developing a
deep understanding of methods by which the browser performs optimizations and
conditionals when rendering DOM nodes.
Although new and often misunderstood, mXSS attacks have been used to bypass
most robust XSS filters available. Tools like DOMPurify, OWASP AntiSamy, and
Google Caja have been bypassed with mXSS, and many major web applications (in
particular, email clients) have been found vulnerable. At its core, mXSS functions by