Generic HTML Sanitizer Bypass Investigation

Subscribers: 880,000
Video Link: https://www.youtube.com/watch?v=HUtkW2gjC8Q



Duration: 14:05
139,902 views


I stumbled over a weird HTML behavior on Twitter and started to investigate it. Did I just stumble over a generic HTML Sanitizer bypass?

Get my handwritten font https://shop.liveoverflow.com (advertisement)
Check out our courses on https://hextree.io (advertisement)

The Tweet: https://twitter.com/MRCodedBrain/status/1662701541680136195
Google XSS: https://www.youtube.com/watch?v=lG7U3fuNw3A
HTML Spec: https://html.spec.whatwg.org/multipage/parsing.html#parse-error-invalid-first-character-of-tag-name

Chapters:
00:00 - Intro
01:09 - Sanitizing vs. Encoding
02:32 - Developing HTML Sanitizer Bypass
05:03 - Attacking DOMPurify
07:08 - Attacking Server-side Sanitizer
08:31 - HTML Parse Error Specification
10:08 - Potential Impact
11:55 - hextree.io

=[ ❤️ Support ]=

→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

2nd Channel: https://www.youtube.com/LiveUnderflow

=[ 🐕 Social ]=

→ Twitter: https://twitter.com/LiveOverflow/
→ Streaming: https://twitch.tv/LiveOverflow/
→ TikTok: https://www.tiktok.com/@liveoverflow_
→ Instagram: https://instagram.com/LiveOverflow/
→ Blog: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/







Tags:
Live Overflow
liveoverflow
hacking tutorial
how to hack
exploit tutorial
html sanitizer
html encoding
xss
cross-site scripting
html sanitizing
html spec
whatwg
html specification
invalid first character
invalid tag
22 tag
number tag
failed research
security research