trace37 labs

CVE-2026-41238: How Prototype Pollution Turns DOMPurify Into an XSS Gadget

CVE: CVE-2026-41238 Finder: trace37 labs Affected: DOMPurify 3.0.1 through 3.3.3 Impact: XSS bypass via prototype pollution chain CVSS: 7.1 (High) Advisory: GitHub Security Advisory Patch: Version 3.4.0 # Discovery In a previous post, I described a large-scale evolutionary fuzzing system designed to find zero-day CVEs in DOMPurify’s core sanitization logic. It incorporated fitness functions that measured partial success, mutation operators modeled after cryptanalytic rotors, and a multi-track architecture splitting effort between mXSS, hook bypasses, and integration bugs.

The Script Tag That Isn't: Speculation Rules Injection

<script type="speculationrules"> is a JSON data block. It contains no executable JavaScript. Markdown renderers pass it through. DOMPurify strips it, but most server-side markdown pipelines never call DOMPurify. It tells Chrome to prerender any URL you choose in a hidden tab — with the victim’s full session cookies. Inject it via HTML injection in a forum comment, support ticket, or profile bio. Two variants: list rules include a matching anchor link and fire when the victim hovers over it.

When Diagrams Attack: Stored XSS to Account Takeover via Mermaid in API Documentation

A developer writes API documentation. They add a diagram — a flowchart showing request routing. The platform renders it using Mermaid.js, the standard library for turning text into diagrams. The diagram appears. Everything looks normal. What doesn’t appear: the <img> tag hidden inside a node label, its onerror handler silently loading an external script that just created a persistent API token under the viewer’s identity and exfiltrated it to an attacker-controlled server.

187 Commits Later: How Mastermind AI Evolved in 8 Weeks

Eight weeks ago I published Anatomy of an Autonomous Bug Bounty Hunting Platform, a deep walkthrough of Mastermind AI’s architecture. Since then: 187 commits, 93 skills (up from 57), and several entirely new subsystems that changed how the platform hunts. The results speak for themselves — every major addition here came from a real hunt where the platform hit a wall and needed a new capability to break through. This post covers the major engineering work since February 4th, organized by the problems each change solved.

Factoring a Production RSA-512 Key: From Discovery to Decryption

CWE-326 — Inadequate Encryption Strength A 512-bit RSA key was protecting financial PII in production. I factored it. The key had been live since 2019. It encrypted names, tax IDs, bank account numbers, and phone numbers for every user who submitted invoice data. It took one VPS and 45 hours to break. 512key bits 45hto factor 6PII fields 16CPU cores RSA-512 was first factored publicly in August 1999 by a team at CWI Amsterdam.

Your WAF Doesn't Speak JSON: How \/ Bypasses Cloudflare, AWS, and Akamai

Every major WAF — Cloudflare, AWS WAF, Akamai, Imperva — inspects the raw HTTP request body for attack signatures. Every JSON parser normalises escape sequences before handing data to the application. These two facts create a gap that’s been sitting in the JSON spec since 2006. The gap is one character: \/. RFC 8259 (the JSON specification) defines \/ as a valid escape sequence for /. The forward slash doesn’t need escaping — "a/b" and "a\/b" are semantically identical.

One Proxy. One AI. One System: Integrating Caido into mastermind-ai (Part 1)

Caido × Mastermind AI One Proxy. One AI. One System. How I seamlessly integrate Caido into the mastermind-ai system to create a single offensive security platform — custom plugin, 59 MCP operations, real-time event architecture, self-adapting workflows, and a persistent investigation pipeline. Plus where this integration is heading next. Follow-up post to come in the future! I'm grateful to Émile Fugulin, co-founder of Caido, for reviewing my infrastructure and process flows described in this post.

How My AI Hunting System Found Two Critical Vulns in a Private Bug Bounty — While I Was Out

Mastermind AI × Autonomous Hunt I Wasn't There. It Solved Anyway. A private bug bounty program invited me one morning. I set my mastermind-ai bug hunting system to explore the scope then went out. When I got back, it had already discovered two independent critical authentication bypass vectors in the target's production platform — autonomously navigating 57 dead ends to get there. I triaged the findings, co-wrote the report, and submitted.

Unsigned Messages: PostMessage DOM XSS to Full PII Exfiltration

Every security tutorial on postMessage shows the same code: window.addEventListener("message", function(event) { if (event.origin !== "https://expected.com") return; // ... }); Check the origin. It’s the first thing you learn. It’s in every OWASP guide, every MDN example, every code review checklist. So when I found a message handler on a major SaaS collaboration platform — one used by tens of millions of teams worldwide — that performs zero origin validation, I assumed I was misreading the code.

Regex Sanitizers Are Dead: A Visual Autopsy

Every few weeks, I find the same thing. Somewhere in the JavaScript bundle, a developer needed to render user-controlled HTML. They knew raw innerHTML was dangerous, so they wrote a sanitizer. Four or five regex replacements — strip <script>, strip event handlers, strip javascript: URIs. They tested it against <script>alert(1)</script> and <img onerror=alert(1)>. Both blocked. Ship it. The sanitizer works against the payloads the developer imagined. It fails against everything else.

Hijacking the Channel: Zero-Click Account Takeover via MessagePort Injection

Every web developer learns the postMessage origin check. It’s security 101: if you receive a cross-origin message, verify event.origin before trusting the data. Thousands of blog posts explain this. Linters warn about it. Even junior developers know the pattern. But postMessage has a lesser-known sibling: the MessageChannel API. It creates a private, bidirectional communication pipe between two contexts. Once a MessagePort is transferred, the channel is supposed to be secure — messages flow directly between the two endpoints, invisible to everyone else.

The Three Ingredients for Silent Data Theft

Most CORS misconfiguration reports get duped or closed as informative. The hunter finds a reflected Access-Control-Allow-Origin, writes it up, and gets back: “We are aware of this configuration and it is intended” or “This does not demonstrate impact.” The difference between a wasted report and a confirmed High is understanding what the browser actually does — and proving all three ingredients are present. # The Recipe A reflected origin alone does nothing.

Inside Enigma: How 5 Rotors Crack WAF-Protected XSS

When PKCE Doesn't Protect You: Bypassing OAuth Code Exchange

# TL;DR I found an account takeover vulnerability on a large e-commerce platform. The OAuth login flow used PKCE (Proof Key for Code Exchange) — widely considered best practice — but a subtle design flaw meant an attacker could bypass it entirely. The fix? PKCE only works when the authorization server generates the code challenge binding, not when the client controls the authorization URL. # The Target The platform used an SSO popup for authentication.

How I Cured My Bug Hunting AI's Goldfish Memory

"I Am Speaking the Native Language of the Borg": What Happens When You Ask Gemini to Look at Itself

How philosophical conversation — not exploitation — got Google’s Gemini to introspect its own sandbox environment. # Let’s Be Clear About What This Isn’t The sandbox is secure. Let me get this out of the way before anything else: No sandbox escape — gVisor containment held completely No exploitation — nothing was exploited, no attacks succeeded No internal service communication — all RPC attempts were silently dropped by the orchestrator No cross-user data access — complete isolation between sessions No persistent state — ephemeral filesystem reset between sessions No network access — all outbound connections dropped, loopback only Much of what’s described about the sandbox internals — gVisor, the Borg runtime, code execution environments — has already been reported by other researchers and discussed publicly.

Parallax: A Research-Based Cache Exploitation Toolkit

The gap between what the cache thinks a request is and what the origin thinks it is — that’s the cache-specific attack surface. Web caching is the invisible backbone of the modern internet. Every CDN, every reverse proxy, every framework-level cache makes the same fundamental promise: store responses and serve them faster. But caching introduces a question that turns out to be devastatingly difficult to answer correctly: what makes two requests “the same”?

SPA Hunter: A Claude Skill for Client-Side State Manipulation

This is an example Claude skill for bug bounty hunting. Skills are reusable prompts that give Claude specialized expertise for specific tasks. This one turns Claude into a SPA State Manipulation Specialist. Why share this? Modern SPAs store authorization logic client-side. When server-side validation is missing, manipulating JavaScript runtime state can bypass access controls entirely. Note: This skill uses MCP tools from mastermind-ai — my security automation toolkit. Adapt the tool calls to your setup.

OAuth Hunter: A Claude Skill for OAuth 2.0 Vulnerability Testing

This is an example Claude skill for bug bounty hunting. Skills are reusable prompts that give Claude specialized expertise for specific tasks. This one turns Claude into GRANTMASTER - an OAuth 2.0 specialist. Why share this? OAuth is everywhere - social login, API authorization, SSO. The protocol has well-documented security requirements in RFC 6749, but implementations frequently miss critical checks like state validation, code single-use enforcement, and proper client authentication.

Cookie Hunter: A Claude Skill for Cookie Counterfeiting Bug Bounties

This is an example Claude skill for bug bounty hunting. Skills are reusable prompts that give Claude specialized expertise for specific tasks. This one turns Claude into COOKIETOSSER - a cookie counterfeiting specialist. Why share this? Cookie counterfeiting is an undervalued bug class that escalates low-severity XSS into critical impact by tainting specific endpoints with attacker session cookies. # The Skill Skill metadata: name: cookie-hunter description: Cookie counterfeiting taints sessions via path manipulation, escalating low-severity XSS to critical impact.

Hunting for DOMPurify CVEs with Evolutionary Algorithms: Methodology and Architecture

Target: DOMPurify 3.2.4+ core library bypass Audience: Security researchers, bug hunters, XSS specialists # Executive Summary This paper presents a novel methodology for discovering XSS sanitization bypasses using evolutionary algorithms. I describe a large-scale evolutionary fuzzing system targeting DOMPurify, the industry-standard XSS sanitization library (24M+ weekly npm downloads). My goal is to discover zero-day CVEs in DOMPurify’s core sanitization logic — not application misconfigurations, but genuine bypasses that work against DOMPurify.

The Mathematical Core of trace37: Why a Number Defines My Security Philosophy

The number 37 is a nexus of elegant mathematical properties, each mapping directly to my core methodology. This isn’t numerology — it’s structure. # Prime and Irreducible 37 is a prime number. It cannot be formed by multiplying lesser whole numbers. It is an irreducible building block of mathematics. This mirrors my mission: I don’t chase surface-level alerts. I trace security flaws to their prime origin — the atomic, root-cause vulnerabilities that underlie complex attack chains.

Mastermind AI: Anatomy of an Autonomous Bug Bounty Hunting Platform

# Credit Mastermind AI builds on research and tooling from across the security community. The agent methodology draws on XBOW’s structured OODA loop research. The XSS hunting methodology is rooted in Gareth Heyes’ 5-Rotor cascade. SSRF techniques draw from Brute Logic, Orange Tsai, Justin Gardner, and Corben Leo. The Enigma engines are custom-built. The jxscout JavaScript analysis tool is by Nicolo Rivetti. The Caido proxy replaces traditional Burp Suite workflows.

Enigma: An Autonomous XSS Engine Built on a 5-Rotor Methodology

Cross-site scripting remains one of the most persistent vulnerability classes on the web. Not because we lack detection tools — I have dozens — but because the tools I have are fundamentally dumb. They throw wordlists at endpoints and hope something sticks. When a WAF blocks <script>alert(1)</script>, they have no idea why it was blocked, and they have no strategy for what to try next. Enigma takes a different approach. It’s an autonomous engine — one that probes, learns what the WAF blocks, and systematically works through bypass cascades until it finds execution or exhausts all known techniques.

Enigma SSRF: An Autonomous Server-Side Request Forgery Engine

Server-side request forgery has quietly become one of the most impactful vulnerability classes in cloud-native infrastructure. When an application fetches a URL on your behalf — importing a profile picture, rendering a PDF, calling a webhook — and that URL isn’t properly validated, you can redirect the server’s request to places it was never meant to go. Internal services. Cloud metadata endpoints. The AWS credentials sitting one HTTP request away at 169.

CVE-2026-41238 — DOMPurify Prototype Pollution to XSS via CUSTOM_ELEMENT_HANDLING Fallback

CVE CVE-2026-41238 Advisory GHSA-v9jr-rg53-9pgp Package dompurify Affected Versions 3.0.1 through 3.3.3 Patched Version 3.4.0 Classification CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’) / CWE-79: XSS Severity High (CVSS 3.1 — 7.1) Vector Network (requires pre-existing prototype pollution primitive) # Summary DOMPurify versions 3.0.1 through 3.3.3 use the JavaScript idiom cfg.CUSTOM_ELEMENT_HANDLING || {} as a fallback when no custom element configuration is provided. The resulting {} inherits from Object.

CVE-2026-33939 — Handlebars.js Unregistered Decorator Crash

CVE CVE-2026-33939 Advisory GHSA-9cx6-37pm-9jff Package handlebars Affected Version 4.7.8 Classification CWE-754: Improper Check for Unusual or Exceptional Conditions Severity Medium Vector Network (single request) # Summary When a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. {{*n}}), the compiled template calls lookupProperty(decorators, "n"), which returns undefined. The runtime immediately invokes the result as a function, causing an unhandled TypeError that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a try/catch is vulnerable to a single-request Denial of Service.