Full Report
Mutation XSS (mXSS) is a type of XSS that arises from browser quirks in HTML parsing, in particular how the browser rewrites HTML that is considered invalid, or what happens when the parsing context changes. The HTML specification is long, so this is a nice cheatsheet for testing for these types of issues. In many of the SonarSource team's XSS issues lately, they abuse the different types of contexts (HTML, math and SVG) to cause lots of problems. Nothing in particular stands out to me, but this is worth saving as a resource.
Analysis Summary
# Morning News Roll-up October 24, 2024
## Overview
Today's report focuses on the technical intricacies of Mutation Cross-Site Scripting (mXSS), a sophisticated class of web vulnerability arising from browser-specific HTML parsing behaviors. Central to this intelligence is a comprehensive technical breakdown of how different namespaces (HTML, SVG, MathML) and legacy parsing rules can be abused to bypass modern security sanitizers.
## Top Stories
### Mutation XSS (mXSS) Comprehensive Resource
- Summary: A deep-dive technical "cheatsheet" outlining how browser quirks rewrite invalid or contextual HTML. The research highlights how the transition between different DOM namespaces—specifically HTML, MathML, and SVG—creates "mutation" points where seemingly safe strings become malicious after browser interpretation.
- Source: hxxps://sonarsource[.]github[.]io/mxss-cheatsheet/
### Impact of Namespace Switching on HTML Sanitization
- Summary: Analysis shows that "Foreign Content" like `<math>` and `<svg>` follow different parsing specifications than standard HTML. This discrepancy allows attackers to nest tags in ways that PHP-based or static parsers may ignore, but browsers will execute, leading to sanitizer bypasses.
- Source: hxxps://html[.]spec[.]whatwg[.]org/#parsing-main-inforeign
### Character Encoding and Parsing Differentials
- Summary: Technical investigation into how NULL bytes and XML processing instructions (PI) behave across different parsing engines. For example, a NULL byte converts to `\uFFFD` in certain contexts, and XML-specific tags like `<?...?>` can be used to hide payloads from sanitizers that do not strictly follow HTML5 DOCTYPE rules.
- Source: hxxps://sonarsource[.]github[.]io/mxss-cheatsheet/examples/
***
# Main Topic
Mutation Cross-Site Scripting (mXSS) via Browser Parsing Quirks
## Key Points
- **Namespace Ambiguity:** The primary engine for mXSS is the movement between HTML, SVG, and MathML namespaces. Elements behave differently depending on the "integration point," causing the browser to rewrite the DOM tree unexpectedly.
- **Round-trip Vulnerabilities:** Payloads can be crafted to survive a first parsing round only to mutate into an active exploit during the second reparsing (e.g., via `innerHTML` or `DOMParser`).
- **Parsing Differentials:** Significant gaps exist between how server-side parsers (like PHP or older XML parsers) and modern client-side browsers (Chrome, Firefox, Safari) interpret the same HTML string.
- **Active Formatting Elements:** Elements like `<a>`, `<b>`, and `<code>` can be duplicated or moved during parsing round trips if the DOM tree is restructured, a behavior that can be used to wrap and "protect" malicious tags from sanitizers.
## Threat Actors
- **Researchers & Bug Bounty Hunters:** Actively identifying these quirks to bypass Enterprise-grade Web Application Firewalls (WAFs) and sanitization libraries.
- **Advanced Persistent Threats (APTs):** Known to use subtle browser-based exploits to bypass strict Content Security Policies (CSP) and automated filters.
## TTPs
- **Namespace Confusion:** Abusing `<math>` or `<svg>` tags to change how subsequent tags (like `<a>` or `<style>`) are parsed.
- **The "Table-In-Table" Trick:** Using disallowed table elements (`<tbody>`, `<tr>`) outside of a `<table>` to force the browser to relocate the element, often moving it into an unsanitized area.
- **Exploiting `noscript`:** Using the fact that `DOMParser` disables scripting, causing `<noscript>` content to be parsed as children rather than raw text, differing from the actual browser execution context.
- **Self-Closing Tag Abuse:** Using `/>` in the HTML namespace, where the trailing slash is ignored on everything but void elements, to confuse parsers that follow XML rules.
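As an added illustration of the parsing differentials listed above (this is example code, not part of the roll-up or of the SonarSource cheatsheet), the pre-filter below walks an HTML fragment with Python's forgiving `html.parser` and reports which of the named indicators it contains: a namespace switch into `<math>`/`<svg>`, table parts outside a `<table>`, self-closing syntax on a non-void HTML element, an XML processing instruction, or a NUL byte in text. It does not sanitize; it is a review aid for deciding whether a string needs a namespace-aware sanitizer or should be rejected, and the sample inputs in the test are constructed.

```python
from html.parser import HTMLParser

# Element sets from the HTML living standard; names are lowercased by HTMLParser.
FOREIGN = {"math", "svg"}                     # start tags that switch namespace
TABLE_SCOPED = {"caption", "colgroup", "col", "thead", "tbody",
                "tfoot", "tr", "td", "th"}    # only valid inside <table>
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


class MxssIndicatorAuditor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []      # open elements as a forgiving tokenizer would see them
        self.findings = []

    def _in_foreign(self):
        return any(t in FOREIGN for t in self.stack)

    def handle_starttag(self, tag, attrs):
        if tag in FOREIGN:
            self.findings.append(f"namespace switch: <{tag}> enters foreign content")
        # Outside foreign content a browser relocates table parts that have no <table>.
        if tag in TABLE_SCOPED and "table" not in self.stack and not self._in_foreign():
            self.findings.append(f"misplaced table element: <{tag}> outside <table> will be relocated")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        # '/>' closes an element only for void elements or inside <math>/<svg>; in HTML it is dropped.
        if tag not in VOID and not self._in_foreign():
            self.findings.append(f"self-closing syntax ignored: <{tag}/> stays open in HTML")
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass

    def handle_pi(self, data):
        # <?...?> is a bogus comment to an HTML5 parser but a real instruction to XML parsers.
        self.findings.append("processing instruction: <?...> parses differently in HTML and XML")

    def handle_data(self, data):
        if "\x00" in data:
            self.findings.append("NUL byte in text: browsers emit U+FFFD, other parsers may truncate")


def audit(html: str) -> list[str]:
    # Return the list of mXSS risk indicators found in one HTML fragment.
    parser = MxssIndicatorAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings
```

An empty list means none of the listed indicators is present, not that the fragment is safe; the check complements a maintained sanitizer rather than replacing one.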
## Affected Systems
- **Web Browsers:** All browsers following the HTML5 specification (Chrome, Firefox, Safari, Edge).
- **Sanitizer Libraries:** DOMPurify and other HTML sanitizers that rely on browser-native parsing.
- **Web Applications:** Applications that accept user-supplied HTML or use client-side templates.
## Mitigations
- **Context-Aware Sanitization:** Use sanitizers that account for namespace transitions and are updated to reflect the latest HTML specifications.
- **Parsing Uniformity:** Ensure that the parsing logic used by the security filter matches the parsing logic of the browser rendering the content.
- **Content Security Policy (CSP):** Implement strict CSPs that disallow inline scripts and restrict the use of `eval()` to limit the impact of a successful mXSS bypass.
- **Tooling:** Utilize security scanning tools like SonarCloud to identify potential XSS sinks in source code.
## Conclusion
Mutation XSS remains a high-effort but high-reward attack vector. Because it relies on the fundamental "quirks" of the 1500-page HTML specification, it is difficult to defend against purely with regex-based filters. Organizations should prioritize using established, well-maintained sanitization libraries and conduct regular security testing specifically focusing on foreign content (SVG/Math) integration.