Web developers, it is time to add another item to your security checklist: mutation cross-site scripting (mXSS). This lesser-known but potentially dangerous variant of cross-site scripting attacks can slip past many traditional XSS defenses.
What is mXSS?
Mutation XSS occurs when seemingly harmless HTML or XML is transformed into malicious markup by the browser’s parsing engine, typically when the content is serialized and parsed again. Because this mutation happens after the content has already passed through server-side filters, it is particularly tricky to detect and prevent.
How does it work?
The attack leverages quirks in how browsers parse and render HTML. For example, specific character sequences or malformed tags might be “fixed” by the browser in a way that activates malicious code. This can happen in various contexts, such as when content is inserted into the DOM via innerHTML or parsed as XML.
Case Study: CVE-2023-48219
TinyMCE, a widely-used open-source rich text editor, contains a cross-site scripting (XSS) vulnerability identified as CVE-2023-48219. This security flaw affects the editor’s core undo/redo feature, as well as various APIs and plugins. The issue stems from improper escaping of text nodes within specific parent elements during HTML serialization.
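The parsing quirk described above and the serialization root cause named for CVE-2023-48219 can be illustrated without a browser. The following is an added example, not TinyMCE’s code and not a reproduction of its fix: it models a minimal DOM (the hypothetical `el`/`text` helpers) and two serializers. Per the HTML serialization algorithm, text nodes whose parent is a raw-text element (style, script, xmp, iframe, noembed, noframes, plaintext, noscript) are written out verbatim, so a text node that contains a closing-tag sequence will, on re-parse, turn into new elements. `findUnstableRawText` flags such nodes and `serializeHardened` drops them; the sample tree is constructed for this demonstration and carries no executable content.

```javascript
// Added example: a tiny in-memory DOM plus a spec-like and a hardened HTML
// serializer, showing why text under raw-text parents needs a check.
// Not TinyMCE's or DOMPurify's code; runs in Node without a browser.

// Elements whose text content the HTML serializer emits unescaped
// (from the HTML serialization algorithm's raw-text rule).
const RAW_TEXT_PARENTS = new Set([
  'style', 'script', 'xmp', 'iframe', 'noembed', 'noframes', 'plaintext', 'noscript',
]);

// Hypothetical node model: { type: 'element', name, children } or { type: 'text', data }.
// Attributes and void elements are omitted to keep the example short.
function el(name, ...children) { return { type: 'element', name, children }; }
function text(data) { return { type: 'text', data }; }

// Normal text-node escaping outside raw-text parents.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Spec-like serializer: escapes text everywhere EXCEPT under raw-text parents,
// where the data is copied verbatim. This is correct per spec, but it means a
// text node holding "</style>..." is written out as markup the parser will honour.
function serialize(node, parent = null) {
  if (node.type === 'text') {
    return parent && RAW_TEXT_PARENTS.has(parent.name) ? node.data : escapeText(node.data);
  }
  const inner = node.children.map((c) => serialize(c, node)).join('');
  return `<${node.name}>${inner}</${node.name}>`;
}

// Sequences that end raw-text content or open a comment when re-parsed.
const BREAKOUT = /<\/|<!--/;

// Detection: list every text node that would not survive a serialize/re-parse
// round trip unchanged because it sits under a raw-text parent and contains a
// break-out sequence.
function findUnstableRawText(node, parent = null, found = []) {
  if (node.type === 'text') {
    if (parent && RAW_TEXT_PARENTS.has(parent.name) && BREAKOUT.test(node.data)) {
      found.push({ parent: parent.name, data: node.data });
    }
    return found;
  }
  for (const c of node.children) findUnstableRawText(c, node, found);
  return found;
}

// Mitigation: identical to serialize(), but raw text that fails the stability
// check is dropped rather than "repaired", so the output re-parses to the same tree.
function serializeHardened(node, parent = null) {
  if (node.type === 'text') {
    if (parent && RAW_TEXT_PARENTS.has(parent.name)) {
      return BREAKOUT.test(node.data) ? '' : node.data;
    }
    return escapeText(node.data);
  }
  const inner = node.children.map((c) => serializeHardened(c, node)).join('');
  return `<${node.name}>${inner}</${node.name}>`;
}

// Constructed sample: a <style> whose text closes the element early, next to
// a normal paragraph whose "<" is escaped as usual.
function sampleTree() {
  return el('div',
    el('style', text('</style><p>constructed</p>')),
    el('p', text('a < b')));
}

// Constructed benign sample: ordinary CSS, which both serializers leave intact.
function benignTree() {
  return el('style', text('p { color: red }'));
}

console.log(serialize(sampleTree()));          // raw text emitted verbatim
console.log(findUnstableRawText(sampleTree())); // one flagged node
console.log(serializeHardened(sampleTree()));  // unstable text removed
```

The point of the round trip is that `serialize(sampleTree())` is a faithful serialization of the tree, yet a browser re-parsing that string builds a different tree, which is exactly the gap a string-replacement filter applied before parsing cannot see. A production sanitizer works on the parsed tree and checks stability there rather than on the input string.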
To further understand the root cause of this vulnerability, it is worth looking at the fix provided for CVE-2023-45818, which removes comment nodes containing the U+FEFF character (Zero Width No-Break Space) but does not address other node types:
The protections built into the vulnerable versions of TinyMCE perform a basic string replacement on user-supplied input, but these measures do not fully address the mXSS vulnerability. The following HTML payload triggers the vulnerability in certain cases, such as when the application stores user-provided HTML and displays it in the editor:
Is there any way to mitigate mXSS?
There is no silver bullet for mitigating this type of vulnerability. Guardrails such as sanitizing user-supplied input on the client side with a library like DOMPurify, properly encoding output and removing raw content, and, most importantly, understanding the implications of allowing foreign HTML into your application will substantially reduce the chances of mXSS vulnerabilities appearing in your codebase.