About
I have not really mastered this concept yet. mXSS is my introduction to reading the HTML specs. I will consider myself to somewhat understand the concept once I find an mXSS bug. This page is mainly to park some important research on mXSS that I find very interesting.
Research
S1r1us mXSS Explained series: Part 1 and Part 2. His GitHub MXSS repository also contains a lot of insights.
mXSS cheatsheet (to save some sanity reading HTML specs)
SecurityMB DOMPurify 2.
About
Parking some slick CSP bypasses and techniques to work around CSP. No analysis here for now. Some links may not even be related to bypassing CSP, but they may touch on some part of XSS exploitation that is good to know.
Research
lcamtuf: Post-XSS
Bypass browser's mitigation against dangling markup injection
form-action trick and other methods: Leaking sensitive data through <form> and a misconfigured CSP policy. Mentions the defenses browsers have against dangling markup injection and how to effectively bypass them.
Why this research?
I stumbled upon this tweet by ixSly about a vulnerability in a code snippet found in Outline.
You can try to figure out the vulnerability here by yourself:
```javascript
// userUrl is user input
// CSP: "script-src gist.github.com"
// (the snippet as tweeted reused the name userUrl for the parsed URL, which
// would not run; the parsed value is called url here)
const url = new URL(userUrl);
if (url.host === "gist.github.com" && url.protocol === "https:") {
  // second path segment of https://gist.github.com/<user>/<id>, taken as-is
  const gistId = url.pathname.split("/")[2];
  const embedScriptUrl = `https://gist.github.com/${gistId}.js`;
  ctx.body = `
    <html>
      <body>
        <script type="text/javascript" src="${embedScriptUrl}"></script>
      </body>
    </html>
  `;
}
```

GitHub Gist JSONP endpoint

I thought this was some bypass to "escape" the src quote of the script tag.
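The point worth taking from the snippet is that the CSP (`script-src gist.github.com`) allows any script the browser fetches from that host, so the only thing standing between user input and an allow-listed script URL is the application's own check, and that check only looks at host and protocol: the path segment that becomes the script src is never validated. An allow-listed host that serves caller-controlled JavaScript (a JSONP endpoint is the classic case) is a well-known way to defeat a host-based CSP allow-list. The following is an added example, not Outline's code, showing the handler as written next to a hardened version that requires exactly `/<user>/<id>` with a well-formed id. The gist id format (20 or 32 lowercase hex characters) is an assumption made for this example, as are the function names.

```javascript
// Added example, not Outline's code: the embed handler from the snippet
// above as written (only host and protocol are checked) next to a hardened
// version. Assumption: a gist id is 20 or 32 lowercase hex characters.
const GIST_ID = /^(?:[0-9a-f]{20}|[0-9a-f]{32})$/;
const GIST_HOST = "gist.github.com";

// As written: whatever sits in the second path segment becomes the script src.
function buildEmbedVulnerable(userUrl) {
  const url = new URL(userUrl);
  if (url.host !== GIST_HOST || url.protocol !== "https:") return null;
  const gistId = url.pathname.split("/")[2]; // undefined when the path is short
  return `https://${GIST_HOST}/${gistId}.js`;
}

// Hardened: require exactly /<user>/<id>, with <id> matching the expected
// format, so only a well-formed gist id can be turned into a script src.
function buildEmbedHardened(userUrl) {
  let url;
  try {
    url = new URL(userUrl);
  } catch (e) {
    return null; // not a URL at all
  }
  if (url.host !== GIST_HOST || url.protocol !== "https:") return null;
  const segments = url.pathname.split("/").filter((s) => s.length > 0);
  if (segments.length !== 2 || !GIST_ID.test(segments[1])) return null;
  return `https://${GIST_HOST}/${segments[1]}.js`;
}

// Escape for a double-quoted HTML attribute; belt-and-braces on top of the
// id check, so the src can never break out of the attribute.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Returns the HTML body the handler would send, or null to refuse the embed.
function renderEmbed(userUrl) {
  const src = buildEmbedHardened(userUrl);
  if (src === null) return null;
  return `<html><body><script type="text/javascript" src="${escapeAttr(src)}"></script></body></html>`;
}

// Constructed inputs for a stand-alone run.
const sampleId = "0123456789abcdef0123456789abcdef";
console.log(buildEmbedVulnerable("https://gist.github.com/alice/anything-goes.json"));
console.log(buildEmbedHardened("https://gist.github.com/alice/anything-goes.json"));
console.log(renderEmbed(`https://gist.github.com/alice/${sampleId}`));
```

Run with `node`: the first line shows the vulnerable builder happily turning an arbitrary path segment into an allow-listed script URL, the second shows the hardened builder returning `null` for the same input, and the third shows the HTML the hardened handler emits for a well-formed id. The general lesson is that a host-based `script-src` is only as strong as the least controlled endpoint on the allow-listed host, so the application must pin the exact resource it intends to load rather than trusting the origin.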
About
I just wandered the Internet and encountered cookie tossing through a tweet from S1r1us. Here is just a collection of writeups related to this technique, along with other research related to cookie security.
Research
Cookie tossing video by Reconless: a very quick introduction to how this attack works. Research covered by this video: Cookie Tossing to RCE on Google Cloud Jupyter lab.
The cookie monster in our browsers: very detailed research by filedescriptor on cookie security and attacks.
About
This is from a video by Reconless: https://www.youtube.com/watch?v=0-sA_kAVw74. The links below will be for my reference if I decide to revisit this concept later. I hope this attack vector is not dead now, but it is cool to know this existed regardless.
Research
RPO (relative path overwrite) whitepaper
RPO Gadgets