A newly launched open-source tool will help ethical hackers learn how popular browsers parse HTML – and potentially unearth mutation XSS vulnerabilities in the process.
Dom-Explorer demonstrates how popular HTML sanitisers react to any given HTML string. In doing so, the tool could uncover unintended behaviours that might open up promising new areas of research.
Its architect is BitK aka Lucas Philippe, the bug hunter, CTF player and YesWeHack security researcher.
Dom-Explorer leverages ‘obscure HTML rules’
Dom-Explorer is primarily useful for discovering mutation cross-site scripting (mXSS) vulnerabilities and finding exploits for them. It could simplify and accelerate work in a niche area of security research, and send it in fresh directions, suggests BitK; niche, but with wide-ranging implications.
As the standard markup language for documents displayed in a web browser, HTML is ubiquitous and has a seemingly simple hierarchical tree structure. “But there are a lot of obscure rules that can lead to exploitable bugs,” says BitK. “By using this tool, you can generate this weird behaviour where if your input is not valid, it will change to something that might indicate the potential for vulnerabilities.”
The researcher recommends using Dom-Explorer in conjunction with the HTML Living Standard from the Web Hypertext Application Technology Working Group (WHATWG) and testing whether browsers conform with the standard.
He has already found “a bunch of weird behaviours” that he was surprised to encounter. “A lot of stuff that previously seemed like magic while reading about mutation XSS became clearer after playing with the tool.”
‘Try new ideas faster’
Dom-Explorer fulfils use cases that existing tools were ill-equipped to serve. “I made this tool to help me iterate and try new ideas faster and to instantly see the results,” says BitK. “It makes it very easy to understand how the parser is behaving.”
The tool it most resembles is Live DOM viewer, which is far more limited in terms of functionality.
Before Dom-Explorer, undertaking this type of research would take a lot longer – “especially if you test deeply nested stuff” – and involve many more steps, says BitK. Sometimes it was almost “impossible to do with classic tools”.
The tool has proved a hit with a small number of researchers actively searching for zero days in HTML sanitisers whom BitK entrusted to road-test the tool. “They loved it. It’s just what they wanted,” he says.
Bug Bounty hunters, meanwhile, can use Dom-Explorer to reproduce potential bugs, find bypasses and validate findings.
Supported sanitisers, parsers
Dom-Explorer incorporates many of the most popular HTML sanitisers, configurable with multiple options for each path. Supported sanitisers include Ammonia, Angular, DomPurify, JsXss and SafeValues, while supported parsers include DomParser, Parse5, srcdocParser and TemplateParser.
You can choose your preferred parser versions, and new updates are automatically fetched from the source repository.
Users can also sync tabs between different browsers. Synced tabs update in real time.
You can also create, edit and save presets for later use. “You can test multiple pipelines at the same time with the same input,” says BitK. “For instance, you could test Firefox and Chrome side by side. Previously this was painful to do. With Dom-Explorer, I can pair the pipelines, copy-paste some tokens, and both browsers will be synced. I can input on one and the other will instantly do the same thing.
“I can chain all of these sanitizers and try to find bugs inside them, to see if HTML is parsed differently, if you can create mutations and bypass libraries.”
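The round-trip check that underlies this kind of research, and the chaining of stages into a pipeline described in the quotes above and in the ‘obscure HTML rules’ section, can be reduced to a small harness: parse a string, serialise the tree back to HTML, parse it again, and flag any input for which the second tree differs from the first. The example below is added here to illustrate that idea; it is not code from Dom-Explorer or from BitK. It uses Python’s html.parser as a stand-in for a real browser parser (the tree builder, the VOID set, the two serialisers and the sample input are all constructed for the example), so it runs offline; the same check driven by a browser’s DOMParser is what actually surfaces mutations in practice. The deliberately buggy serialise_naive shows the classic failure: a value that was safely encoded inside an attribute is written back unescaped and becomes markup on the next parse.

```python
import html
from html.parser import HTMLParser

# Void elements never receive an end tag (subset; constructed for this example).
VOID = {"br", "img", "hr", "input", "meta", "link"}


class TreeBuilder(HTMLParser):
    """Build a tiny DOM: element = [tag, {attr: value}, [children]], text = str.

    html.parser is NOT a browser parser; it stands in here only so the example
    runs offline. In a browser the same check would be driven by DOMParser.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.root = ["#root", {}, []]
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        # html.parser has already decoded character references in attribute values
        node = [tag, {k: (v if v is not None else "") for k, v in attrs}, []]
        self.stack[-1][2].append(node)
        if tag not in VOID:
            self.stack.append(node)

    def handle_endtag(self, tag):
        # Close back to the nearest open element of that name; a stray end tag
        # with nothing to close is ignored (a crude stand-in for the spec's rules).
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                return

    def handle_data(self, data):
        self.stack[-1][2].append(data)


def parse(src):
    builder = TreeBuilder()
    builder.feed(src)
    builder.close()
    return builder.root


def _serialise(node, escape):
    if isinstance(node, str):
        return escape(node, False)
    tag, attrs, children = node
    inner = "".join(_serialise(c, escape) for c in children)
    if tag == "#root":
        return inner
    attr_s = "".join(f' {k}="{escape(v, True)}"' for k, v in attrs.items())
    if tag in VOID:
        return f"<{tag}{attr_s}>"
    return f"<{tag}{attr_s}>{inner}</{tag}>"


def serialise_naive(tree):
    """Buggy serialiser: writes text and attribute values back verbatim."""
    return _serialise(tree, lambda s, _quote: s)


def serialise_safe(tree):
    """Correct serialiser: re-escapes text and quoted attribute values."""
    return _serialise(tree, lambda s, quote: html.escape(s, quote=quote))


def round_trip(src, serialise):
    """Parse src, serialise it, and re-parse the result.

    Returns (output, normalised, mutated):
      normalised - the serialised string differs from the input (the parser
                   repaired or reshaped it; expected and usually harmless)
      mutated    - re-parsing the output yields a DIFFERENT tree, i.e. the
                   parse/serialise pair is not a fixed point. That is the
                   property mutation-XSS research hunts for.
    """
    tree = parse(src)
    out = serialise(tree)
    return out, out != src, parse(out) != tree


def run_pipeline(src, stages):
    """Feed src through a chain of str->str stages, returning every intermediate."""
    outputs = []
    for stage in stages:
        src = stage(src)
        outputs.append(src)
    return outputs


# Constructed sample: markup hidden inside an attribute value via character references.
SAMPLE = '<span title="a&quot;&gt;&lt;b&gt;">hi</span>'

if __name__ == "__main__":
    for name, ser in (("naive", serialise_naive), ("safe", serialise_safe)):
        out, normalised, mutated = round_trip(SAMPLE, ser)
        print(f"{name}: {out!r} normalised={normalised} mutated={mutated}")
```

With the naive serialiser the sample comes back as `<span title="a"><b>">hi</span>`, so the second parse produces a `<b>` element that did not exist in the first tree: a mutation. The safe serialiser reproduces the input byte for byte. A pipeline built from two such stages, as in run_pipeline, shows each intermediate string, which is the view Dom-Explorer gives of chained sanitisers and parsers.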
Collaboration tool
Bug hunters can reproduce potential bugs with the relevant settings and securely share a URL containing the required data with others without revealing the target.
Code can also be copy-pasted into your blog in order to illustrate any research writeups you’re planning to publish. You can toggle an option to make the code editable, or not, when pasted outside of the tool.
Inspired by Cyberchef
BitK said the user interface was partly inspired by Cyberchef, a web app for encryption, encoding, compression and data analysis.
Everything is drag and drop. After entering your input, the tool provides instant, visually straightforward and colour-coded feedback. You can also make it easier to interpret the output by hiding non-relevant pipes. The tool transcends limitations imposed by browsers in terms of the volume of elements in your input.
The tool is built with data security and privacy in mind. Dom-Explorer is contained within a web page and everything stays in your web browser. No data is sent to GitHub; it is all stored within the URL hash.
Contributions to Dom-Explorer welcome
BitK invites the open source community to contribute if there are particular features they would like to see added. “If you have cool ideas for custom parsers or cool mutations or weird behaviours, you can send me a message via Twitter,” he says. One potential improvement he could personally make to the tool, he suggests, is enabling users to leverage DOM clobbering techniques.