Archives for the Date June 17th, 2015

New IE mutation vector

I was messing around with a filter that didn’t correctly filter attribute names and allowed a blank one which enabled me to bypass it. I thought maybe IE had similar issues when rewriting innerHTML. Yes it does of course The filter bypass worked like this: <img ="><script>alert(1)</script>"> The filter incorrectly assumed it was still inside […]