Episode 111: How to Bypass DOMPurify in Bug Bounty with Kevin Mizu
Critical Thinking - Bug Bounty Podcast20 Helmi 2025

Episode 111: How to Bypass DOMPurify in Bug Bounty with Kevin Mizu

Episode 111: In this episode of Critical Thinking - Bug Bounty Podcast Justin interviews Kevin Mizu to showcase his knowledge regarding DOMPurify and its misconfigurations. We walk through some of Kevin’s research, highlighting things like Dangerous allow-lists and URI Attributes, DOMPurify hooks, node manipulation, and DOM Clobbering.

Follow us on twitter at: https://x.com/ctbbpodcast

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======

Exploring the DOMPurify library: Bypasses and Fixes (1/2)

https://mizu.re/post/exploring-the-dompurify-library-bypasses-and-fixes

Exploring the DOMPurify library: Hunting for Misconfigurations (2/2)

https://mizu.re/post/exploring-the-dompurify-library-hunting-for-misconfigurations

Dom-Explorer tool

https://yeswehack.github.io/Dom-Explorer/shared?id=772a440c-b0c2-4991-be71-3e271cf7954f

CT Episode 61: A Hacker on Wall Street - JR0ch17

https://www.criticalthinkingpodcast.io/episode-61-a-hacker-on-wall-street-jr0ch17/

====== Timestamps ======

(00:00:00) Introduction

(00:01:44) Kevin Mizu - Background and Bring-a-bug

(00:15:09) DOMPurify

(00:29:04) Misconfigurations - Dangerous allow-lists

(00:39:09) Dangerous URI attributes configuration

(00:46:08) Bad usage

(00:59:55) DOMPurify Hooks: before, after, and upon SanitizeAttribute

(01:29:15) Node manipulation, nodeName namespace case confusion, & DOM Clobbering DOS

(01:36:51) Misc concepts for future research

Jaksot(172)

Episode 172: Source Code Review Meta Analysis

Episode 172: Source Code Review Meta Analysis

Episode 172: In this episode of Critical Thinking - Bug Bounty Podcast trying out a new structure of episode: a Meta Analysis of sorts of many Source Code Review techniques. This episode features tips...

30 Huhti 51min

Episode 171: Path-Scoped Cookie Hacks with Uppercase & Post-based Raw Protobuf XSS

Episode 171: Path-Scoped Cookie Hacks with Uppercase & Post-based Raw Protobuf XSS

Episode 171: In this episode of Critical Thinking - Bug Bounty Podcast Justin gives us some quick tips from his own hacking, including some clickjacking, using capital letters, and the potential value...

23 Huhti 22min

Episode 170: Claude Code + Tmux, Websockets, and Other Korea LHE Takeaways

Episode 170: Claude Code + Tmux, Websockets, and Other Korea LHE Takeaways

Episode 170: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph their trip to Korea with some quick takeaways from the LHE. Follow us on twitter at: https://x.com/ctbbpodcastG...

16 Huhti 32min

Episode 169: Attacking OAuth 2.1

Episode 169: Attacking OAuth 2.1

Episode 169: In this episode of Critical Thinking - Bug Bounty Podcast gr3pme goes over some of the changes from OAuth 2.0 vs 2.1 and how Hackers can capitalize.Follow us on twitter at: https://x.com/...

9 Huhti 30min

Episode 168: XSSDoctor - Client-side Path Traversal Research

Episode 168: XSSDoctor - Client-side Path Traversal Research

Episode 168: In this episode of Critical Thinking - Bug Bounty Podcast we’re getting a visit from the XSS Doctor. Jonathan joins us to go through his Client-side workflow, run labs, and diagnose some ...

2 Huhti 1h 35min

Episode 167: Stealing Bugs with Valeriy Shevchenko

Episode 167: Stealing Bugs with Valeriy Shevchenko

Episode 167: In this episode of Critical Thinking - Bug Bounty Podcast we welcome Valeriy Shevchenko to talk about program management, anchor programs, and Theft in Bug Bounty.Follow us on twitter at:...

26 Maalis 51min

Episode 166: Rez0’s Top Claude Skill Secrets

Episode 166: Rez0’s Top Claude Skill Secrets

Episode 166: In this episode of Critical Thinking - Bug Bounty Podcast we talk about Rez0’s Claude Skill Secrets, when AI Generated reports fall apart, and agents vs filters.Follow us on twitter at: h...

19 Maalis 53min

Episode 165: Protobuf Hacking, AI-Powered Bug Hunting, and Self-Improving Claude Workflows

Episode 165: Protobuf Hacking, AI-Powered Bug Hunting, and Self-Improving Claude Workflows

Episode 165: In this episode of Critical Thinking - Bug Bounty Podcast Justin recaps his Zero Trust World experience, before we dive into Permissions issues client-side bugs, New Hardware Hacking Clas...

12 Maalis 44min