CVE-2024-45801: DOMPurify Bypass Vulnerability and Prototype Pollution Exploit

DOMPurify is a popular, fast and tolerant XSS sanitizer for HTML, MathML and SVG that protects web applications from cross-site scripting (XSS). It works on a real DOM: the input is parsed, walked and cleaned, and only the surviving markup is handed back for the application to render. Recent releases added a nesting-depth limit to defend against nesting-based mutation XSS (mXSS), where the browser's handling of extremely deeply nested markup makes the sanitized string re-parse into a different tree from the one DOMPurify inspected. It was discovered that specially nested malicious HTML could bypass that depth check, and that prototype pollution could also be used to weaken it, so DOMPurify's output could once again lead to XSS. The issue is fixed in DOMPurify 2.5.4 and 3.1.3; there are no known workarounds, so all users are advised to upgrade.

Here is a minimal harness showing the sink a bypass would target: it loads DOMPurify 2.5.3, the last unpatched 2.x release, sanitizes whatever the user types and writes the result to innerHTML.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>DOMPurify XSS Exploit</title>
    <!-- 2.5.3 is the last unpatched 2.x release; 2.5.4 and 3.1.3 contain the fix -->
    <script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.5.3/purify.min.js"></script>
    <script>
        function exploit() {
            // Untrusted input is sanitized with default settings and then
            // rendered; a bypass is any input that survives sanitize() and
            // still executes script once inserted into the DOM.
            const input = document.getElementById('xss-input').value;
            const clean = DOMPurify.sanitize(input);
            document.getElementById('output').innerHTML = clean;
        }
    </script>
</head>
<body>

    <h1>DOMPurify XSS Exploit Example (CVE-2024-45801)</h1>
    <input type="text" id="xss-input">
    <button onclick="exploit()">Sanitize and Insert HTML</button>
    <div id="output"></div>

</body>
</html>

In this harness, any input that DOMPurify returns as clean is rendered. A plain event-handler attribute such as onmouseover=alert(1) is not a bypass, since every DOMPurify release strips event handlers; the inputs that trigger CVE-2024-45801 are deeply nested markup that defeats the depth check (or, where the application also has a prototype-pollution flaw, a polluted Object.prototype that weakens it), so that the string returned by sanitize() mutates into script-executing markup when the browser parses it into the page.

Original References

The vulnerability was disclosed on GitHub; the links given for the original report are:

1. Original DOMPurify issue: https://github.com/cure53/DOMPurify/issues/584
2. Prototype Pollution issue: https://github.com/cure53/DOMPurify/pull/609

Exploit Details

The vulnerability lets an attacker get around the nesting-depth check that DOMPurify introduced to stop nesting-based mutation XSS (mXSS). The check exists because browsers handle extremely deep element trees in ways that make the string DOMPurify returns re-parse into a tree different from the one it sanitized. With specially constructed nesting, the attacker's payload sits deeper than the intended limit yet is not removed, so the sanitized output still mutates into script-bearing markup when the browser renders it.

The second path needs a prototype-pollution bug elsewhere in the application: once an attacker can add properties to Object.prototype, any value the depth check reads with a plain property lookup and does not find as an own property falls back to the polluted one, which weakens or disables the check. In both scenarios the end result is XSS even though the input went through DOMPurify.sanitize().
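The following is an added illustration, written for this page rather than taken from DOMPurify, of why prototype pollution can weaken a depth check. It models a sanitizer that memoises each node's nesting depth in an expando property named __depth and reads it back with a plain property lookup; the node shape, the property name and the limit of four are assumptions for the demo, and DOMPurify's real implementation is not reproduced here. The hardened variant keeps the depth in a WeakMap, which a polluted Object.prototype cannot reach.

```javascript
// Added example, not DOMPurify's code: a toy model of how a polluted
// Object.prototype can weaken a nesting-depth check. The node shape
// ({ tag, parent, children }), the cache property name "__depth" and the
// limit MAX_DEPTH are assumptions made for this illustration.
const MAX_DEPTH = 4;

// Build root -> div -> div -> ... with n nested elements, as plain objects.
function buildChain(n) {
  const root = { tag: 'root', parent: null, children: [] };
  let cur = root;
  for (let i = 0; i < n; i++) {
    const child = { tag: 'div', parent: cur, children: [] };
    cur.children.push(child);
    cur = child;
  }
  return root;
}

// Weak variant: the depth is memoised as an expando property and read back
// with a plain lookup, so an inherited (polluted) value counts as a cache hit
// and the real depth is never computed.
function depthWeak(node) {
  if (node.__depth !== undefined) return node.__depth;
  node.__depth = node.parent === null ? 0 : depthWeak(node.parent) + 1;
  return node.__depth;
}

// Hardened variant: the depth lives in a WeakMap keyed by node, which a
// property added to Object.prototype cannot influence.
function makeDepthHardened() {
  const depths = new WeakMap();
  const depthOf = (node) => {
    if (depths.has(node)) return depths.get(node);
    const d = node.parent === null ? 0 : depthOf(node.parent) + 1;
    depths.set(node, d);
    return d;
  };
  return depthOf;
}

// Drop every subtree whose root sits deeper than MAX_DEPTH, as a sanitizer
// with a nesting limit would.
function pruneDeep(node, depthOf) {
  node.children = node.children.filter((child) => depthOf(child) <= MAX_DEPTH);
  for (const child of node.children) pruneDeep(child, depthOf);
}

function countNodes(node) {
  return 1 + node.children.reduce((sum, child) => sum + countNodes(child), 0);
}

// Prune a chain of `nesting` elements with both checkers, first with an intact
// prototype and then with a constructed pollution of Object.prototype.__depth.
// Returns the number of nodes left in each case.
function runDemo(nesting = 10) {
  const result = {};
  for (const polluted of [false, true]) {
    if (polluted) Object.prototype.__depth = -1e6; // the pollution, simulated
    try {
      const weakTree = buildChain(nesting);
      pruneDeep(weakTree, depthWeak);
      const hardTree = buildChain(nesting);
      pruneDeep(hardTree, makeDepthHardened());
      result[polluted ? 'polluted' : 'clean'] = {
        weak: countNodes(weakTree),
        hardened: countNodes(hardTree),
      };
    } finally {
      delete Object.prototype.__depth; // always restore the prototype
    }
  }
  return result;
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Run it with node: with an intact prototype both checkers prune the 10-deep chain to 5 nodes, but once Object.prototype.__depth is set the weak checker keeps all 11 while the WeakMap-backed one still prunes to 5. Checking Object.hasOwn(node, '__depth') would also close this particular hole, but a sanitizer cannot rely on the prototype being intact: the pollution is a separate application bug that has to be fixed alongside the library upgrade.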

Solution

Upgrade DOMPurify to a patched release: 2.5.4 on the 2.x line or 3.1.3 on the 3.x line, or anything later. Both the nesting bypass and the prototype-pollution weakening of the depth check are addressed there, and since there are no known workarounds the upgrade is the fix. Check every copy of dompurify in the dependency tree, including transitive copies pulled in by editors or templating libraries, not only the direct dependency. If the application also has a prototype-pollution bug, fix that too: it is what makes the second attack path reachable.
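As an added check that is not part of this page or of DOMPurify, the script below walks a package-lock.json for every installed copy of dompurify, including nested ones, and flags versions below 2.5.4 on the 2.x line or below 3.1.3 on the 3.x line, the patched versions named above. The sample lockfile and the some-editor package in it are constructed for the demo; to run it against a real project, read the file with fs.readFileSync and pass the text to auditLock.

```javascript
// Added example (not DOMPurify code): audit a package-lock.json for copies of
// dompurify affected by CVE-2024-45801. Fixed versions come from the advisory;
// the lockfile below is constructed for the demo.
const FIXED_2X = [2, 5, 4];
const FIXED_3X = [3, 1, 3];

// "2.5.3" -> [2, 5, 3]; pre-release suffixes are ignored for this check.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`cannot parse version "${v}"`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected: everything older than 2.5.4 (all 1.x and early 2.x) and 3.0.0..3.1.2.
function isVulnerable(version) {
  const v = parseVersion(version);
  if (v[0] === 3) return compareVersions(v, FIXED_3X) < 0;
  return compareVersions(v, FIXED_2X) < 0;
}

// Locate every installed dompurify, whether hoisted or nested under another
// package, for lockfile versions 1 (nested "dependencies") and 2/3 ("packages").
function findDomPurify(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/dompurify' || path.endsWith('/node_modules/dompurify')) {
      hits.push({ path, version: info.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'dompurify') hits.push({ path, version: info.version });
      walk(info.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Parse the lockfile text and annotate each copy with its vulnerability status.
function auditLock(lockJson) {
  const lock = JSON.parse(lockJson);
  return findDomPurify(lock).map((h) => ({ ...h, vulnerable: isVulnerable(h.version) }));
}

// Constructed sample: a direct 2.5.3 install plus a 3.1.3 nested under a
// hypothetical "some-editor" package.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { dompurify: '^2.5.3', 'some-editor': '^1.0.0' } },
    'node_modules/dompurify': { version: '2.5.3' },
    'node_modules/some-editor': { version: '1.0.0', dependencies: { dompurify: '^3.1.3' } },
    'node_modules/some-editor/node_modules/dompurify': { version: '3.1.3' },
  },
});

console.log(auditLock(SAMPLE_LOCK));
```

The direct copy is reported as vulnerable and the nested 3.1.3 as clean; a real audit should also cover bundled copies (a vendored purify.min.js or a CDN script tag like the one in the harness above), which no lockfile records.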

Timeline

Published on: 09/16/2024 19:16:11 UTC
Last modified on: 09/20/2024 12:31:20 UTC