Pwning WebAssembly Bypassing XSS Filters in the WASM Sandbox #1414
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Goal: Show, step‑by‑step, how a memory‑corruption bug inside a WebAssembly (WASM) module becomes a reliable DOM XSS by corrupting data in linear memory and overwriting an in‑memory HTML template. Target is a CTF app (Pentathon CTF 2025 “chaat”); no CVE.
How WASM runs (brief but actionable):
• Tiered compilation (V8): Liftoff compiles fast baseline machine code; Turbofan later optimizes hot paths for near‑native speed.
• Memory ...
🔧 Technical Details
• Intra‑WASM heap overflow → pointer corruption: Find an edit path that memcpy’s into a fixed buffer without resizing. Overflow into adjacent structs (e.g., an array of `msg`) to overwrite pointers, yielding arbitrary read/write of in‑sandbox data that later reaches sensitive sinks.
• Groom with realloc() to force adjacency: Fill a dynamic array to trigger `realloc()`; after growth, it often lands right after attacker‑controlled data. Use this placement to deterministically corrupt structure fields (like `msg_data` pointers).
• Sink pivot via template overwrite (bypass sanitizer): Instead of injecting tags in input, overwrite a writable HTML template string in linear memory from `<p>%.*s</p>` to `<img src=1 onerror=%.*s>`. Sanitized content then becomes a JS handler value; any JS text (e.g., `alert(1337)`) executes.
🤖 Agent Actions
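The root cause in the Technical Details above is an edit path that copies into a fixed buffer without tracking capacity, so the write runs into the neighbouring `msg` record. The following is an added example, not code from the blog post, the CTF app or HackTricks: a constructed `msg` record with an explicit capacity field, a hardened edit path that grows the buffer before copying, and a regression check confirming that an oversized edit leaves the adjacent record's `msg_data` pointer intact.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical message record (constructed for this example), following the
 * msg / msg_data layout the summary describes, plus an explicit capacity field. */
typedef struct {
    char  *msg_data;   /* heap buffer holding the message text */
    size_t len;        /* bytes in use */
    size_t cap;        /* bytes allocated; the unsafe edit path tracks no such value */
} msg;

int msg_init(msg *m, size_t cap) {
    m->msg_data = malloc(cap);
    m->len = 0; m->cap = cap;
    return m->msg_data ? 0 : -1;
}

/* Hardened edit path: grow the buffer before copying, so the write can never
 * run past msg_data into whatever the allocator placed next to it. */
int msg_edit(msg *m, const char *text, size_t n) {
    if (n > m->cap) {
        size_t new_cap = n + 16;                  /* grow with a little headroom */
        char *p = realloc(m->msg_data, new_cap);
        if (!p) return -1;                        /* old buffer stays valid on failure */
        m->msg_data = p;
        m->cap = new_cap;
    }
    memcpy(m->msg_data, text, n);
    m->len = n;
    return 0;
}

void msg_free(msg *m) { free(m->msg_data); m->msg_data = NULL; m->len = m->cap = 0; }

/* Regression check: edit one record with text far larger than its buffer and
 * confirm the neighbouring record's pointer and length are untouched. Returns 1 on success. */
int neighbour_survives_oversized_edit(void) {
    msg box[2];
    if (msg_init(&box[0], 8) != 0 || msg_init(&box[1], 8) != 0) return 0;
    char  *saved_ptr = box[1].msg_data;
    size_t saved_len = box[1].len;
    char big[256];
    memset(big, 'A', sizeof big);                 /* constructed oversized input */
    int ok = msg_edit(&box[0], big, sizeof big) == 0
          && box[0].len == sizeof big && box[0].cap >= sizeof big
          && box[1].msg_data == saved_ptr && box[1].len == saved_len;
    msg_free(&box[0]);
    msg_free(&box[1]);
    return ok;
}
```

The check is the kind of unit test that would have caught the unchecked memcpy before it shipped; in a WASM build the same code compiles unchanged, since the defect is in the module's own memory handling rather than in the sandbox.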
I explored the repository and confirmed there wasn’t any WASM-specific XSS bypass technique documented. The closest areas were:
Given the blog’s focus (WASM linear-memory corruption to DOM XSS by overwriting an in-memory HTML template), the best place is within the XSS documentation as a dedicated bypass technique page. I implemented:
No other files were modified. The changes integrate the blog’s techniques into the most relevant HackTricks section (Web Pentesting → XSS), focusing on the key exploitation chain and defensive guidance while maintaining HackTricks style and structure.
If anything else is desired (e.g., cross-linking from DOM XSS), I can add it, but the main XSS page now properly references the new technique page.
Actions performed:
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
🗑️ File Cleanup