DOM Clobbering
from HTML injection to controlling JS variables
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1895645/images/10742697/pasted-from-clipboard.png)
xanhacks - HitchHack 2023
https://slides.com/xanhacks/dom-clobbering/
image: https://portswigger.net/research/dom-clobbering-strikes-back
Definition
Defines (and occasionally manipulates)
JavaScript variables from HTML
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1895645/images/10742125/pasted-from-clipboard.png)
You do not write JS code; you can only control a variable that the page's script has not defined itself.
![](https://media0.giphy.com/media/jq6V2Yf2hdvazwYQtW/giphy.gif)
HTML Injection != Javascript Injection
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1895645/images/10742208/pasted-from-clipboard.png)
Rich text input
Can be found in:
- Forum posts
- Discord messages
You can define:
- titles, bold, italic, links, images...
- but obviously no JS script
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1895645/images/10742184/pasted-from-clipboard.png)
index.html
script.js
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1895645/images/10742186/pasted-from-clipboard.png)
HTML Injection
Vulnerable JS (sink)
Attack scenarios
Example n°1 - Redirection
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1895645/images/10742200/pasted-from-clipboard.png)
Example n°2 - JS Execution
Attack scenarios
Prerequisites: HTML injection & JS sink
Goal: JavaScript execution
Advantages
- Often bypasses CSP (Content-Security-Policy)
- DOM Clobbering attacks are almost unknown
Disadvantage
- Very rare to get both an HTML injection AND a sink
Theory
What to clobber?
Some HTML attributes
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1895645/images/10742854/pasted-from-clipboard.png)
https://github.com/xanhacks/DOM-Clobbering-Generator/
What to clobber?
id or name
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1895645/images/10742958/pasted-from-clipboard.png)
We can also create a variable using the name attribute, but this works only for:
- embed
- form
- iframe
- image
- img
- object
What to clobber?
Three levels
We can use form to clobber variables at a depth of 3
first.second.third
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1895645/images/10742981/pasted-from-clipboard.png)
What to clobber?
More than three levels
We can use iframe to clobber variables at a depth of 4 or more:
first.second.third.fourth, first.second.third.fourth.fifth, ...
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1895645/images/10746254/pasted-from-clipboard.png)
![](https://media0.giphy.com/media/Koiq0QCBcn6gbmLtZR/giphy.gif)
Real-world use case
[html-janitor] Arbitrary HTML can bypass the sanitization process
https://hackerone.com/reports/308158
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1895645/images/10746223/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1895645/images/10746262/pasted-from-clipboard.png)
Practice DOM Clobbering attacks
- https://portswigger.net/web-security/dom-based/dom-clobbering
- https://www.root-me.org/fr/Challenges/Web-Client/DOM-Clobbering
Challenges
![](https://media3.giphy.com/media/j1Xyt3DHfJcmk/giphy.gif)
Whoami
@xanhacks
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1895645/images/10746268/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1895645/images/10746274/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1895645/images/10746278/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1895645/images/10746282/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1895645/images/10746289/pasted-from-clipboard.png)
![](https://media4.giphy.com/media/cfwyfLSvIay6TdkKdU/giphy.gif)
https://www.offensiveweb.com/
End! Questions?