Coordinated disclosure helps protect more than 100,000 dependencies

Mozilla Bleach XSS library was itself vulnerable to XSS attacks

Bleach, a Python library that enables web developers to clean HTML input and prevent cross-site scripting (XSS) attacks, was itself found to have an XSS vulnerability, according to an advisory posted on GitHub by Mozilla, the library’s developer.

Mozilla Bleach escapes and removes characters that could otherwise lead to the execution of arbitrary code when the output is rendered in a browser. As of this writing, more than 100,000 GitHub repositories depend on Bleach.

The vulnerability, discovered by researchers at Checkmarx, was found in the library’s clean() function, which sanitizes HTML code.

“We have no evidence of the vulnerability being exploited in the wild,” a spokesperson for Mozilla told The Daily Swig.

Mutation XSS

Developers can control the kind of tags that will be allowed in the HTML code ahead of the cleaning process.

A flaw in the way the function handled some configurations of allowed tags made it vulnerable to “mutation XSS”, a special kind of XSS flaw that arises when a browser re-interprets (mutates) HTML as it parses it, so that markup which looked harmless to the sanitizer is rendered differently by the browser.

“Exploiting this vulnerability requires a non-default config, which is why we rated the severity as moderate,” the Mozilla spokesperson said.

“Producing this vulnerability requires satisfying a set of pre-conditions... If those conditions are met, the vulnerability can be reproduced.”

Mozilla has patched the vulnerability in the latest version of Bleach. In the advisory, the organization recommends setting up a strong Content Security Policy to mitigate further risks.
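The two defensive points above, keeping the sanitizer's tag allowlist conservative and backing it with a Content Security Policy, can be illustrated in code. The following is an added example written for this article, not code from Bleach or Mozilla; it assumes a hypothetical web application that accepts untrusted text and serves it back. It escapes untrusted input outright where no rich HTML is needed (so no sanitizer is involved at all), checks a proposed sanitizer allowlist against a constructed list of tags that change the parser's context (raw-text, RCDATA and foreign-namespace elements, which is exactly the territory mutation XSS research lives in), and builds a nonce-based CSP header so that any script that does slip through has no permission to run.

```python
import html
import secrets

# Elements whose contents the HTML parser treats differently from ordinary
# markup (raw text, RCDATA, or the SVG/MathML foreign namespaces). This is
# the example's own conservative heuristic, not Bleach's default list and
# not the specific configuration behind the advisory: allowing such tags in
# a sanitizer allowlist widens the gap between what the sanitizer sees and
# what the browser finally renders.
PARSING_CONTEXT_TAGS = frozenset({
    "script", "style", "noscript", "template", "iframe", "object", "embed",
    "textarea", "title", "xmp", "plaintext", "svg", "math",
})


def check_allowlist(allowed_tags):
    """Return the tags in a proposed sanitizer allowlist that should not be
    there because they change how the browser parses their contents."""
    return sorted(t.lower() for t in allowed_tags if t.lower() in PARSING_CONTEXT_TAGS)


def escape_untrusted(text):
    """Preferred path when the application only needs plain text: escape every
    special character so the browser can never interpret it as markup. No
    sanitizer, so no sanitizer/browser parsing mismatch."""
    return html.escape(text, quote=True)


def make_nonce():
    """Fresh per-response nonce; must never be reused across responses."""
    return secrets.token_urlsafe(16)


def csp_header(nonce):
    """Strict CSP: scripts run only if tagged with this response's nonce,
    inline event handlers and javascript: URLs are blocked, plugins and
    <base> tricks are disabled."""
    return (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}'; "
        "object-src 'none'; "
        "base-uri 'none'"
    )


def render_page(user_text, nonce):
    """Assemble the response body: untrusted text is escaped, and only the
    application's own script carries the nonce the CSP demands."""
    return (
        "<!doctype html><html><head>"
        "<title>Comment</title></head><body>"
        f"<p>{escape_untrusted(user_text)}</p>"
        f'<script nonce="{nonce}">/* first-party script */</script>'
        "</body></html>"
    )


def build_response(user_text):
    """Return (headers, body) for a hypothetical handler; a real framework
    would set the header on its response object."""
    nonce = make_nonce()
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": csp_header(nonce),
    }
    return headers, render_page(user_text, nonce)


if __name__ == "__main__":
    # Constructed sample input, not a payload from the advisory.
    headers, body = build_response('<img src=x onerror="alert(1)"> hello')
    print(headers["Content-Security-Policy"])
    print(body)
    print("allowlist problems:", check_allowlist(["a", "b", "svg", "style"]))
```

Even with a fully patched sanitizer, the design choice worth copying is the layering: escape when you can, sanitize with the smallest allowlist you can justify when you cannot, and ship a nonce-based CSP so that a future sanitizer bypass does not automatically become script execution.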

A growing threat

It is worth noting that this is the third mutation XSS bug found in Bleach in the past year.

“Mutation XSS bugs have grown in popularity due to the recent release of detailed research blog posts and useful tools on the subject,” the Mozilla spokesperson said.

“We consider a growing focus on specific vulnerabilities to be normal, once such related research is publicized.”

In written comments to The Daily Swig, Erez Yalon, head of security research at Checkmarx, warned that mutation XSS is relevant for every web application, not just those that are Python-based.

“[Mutation XSS] is slightly more complex to find and exploit than other XSS attacks because it combines a weakness in the code with a browser’s tendency to try and fix errors by content manipulations,” Yalon said.

He added: “Having the code visible (as it is in open source) makes it a bit easier to execute, as the combination of the attacker’s payload through the code and the browser manipulation causes the harmful effect.”

Mutation XSS is becoming more common among researchers and attackers, Yalon noted. “So, we believe it is our responsibility as security researchers to educate developers and try to find these issues in the wild before they are exploited,” he said.
