DOM Clobbering
from HTML injection to controlling JS variables
xanhacks - HitchHack 2023
https://slides.com/xanhacks/dom-clobbering/
image: https://portswigger.net/research/dom-clobbering-strikes-back
Definition
Define (and occasionally manipulates)
Javascript variables from HTML
You do not write JS code, you can only manipulate a variable that has not been defined.
HTML Injection != Javascript Injection
- Rich text input
-
Can be found in:
- Forum post
- Discord message
-
You can define:
- title, bold, italic, link, images...
- but obviously no JS script
index.html
script.js
HTML Injection
Vulnerable JS (sink)
Attack scenarios
Example n°1 - Redirection
Text
Attack scenarios
index.html
script.js
HTML Injection
Vulnerable JS (sink)
Example n°2 - JS Execution
Attack scenarios
Prerequisites : HTML Injection & JS Sink
Goal : JavaScript execution
Advantages
- Often bypass CSP (Content-Security-Policy)
- DOM Clobbering attacks are almost unknown
Disadvantage
- Very rare to get an HTML injection AND a sink
Theory
What to clobber?
Some HTML attributes
https://github.com/xanhacks/DOM-Clobbering-Generator/
What to clobber?
id or name
We can also create a variable using the name property, but this works only for:
-
embed,form,iframe,image,img,object
What to clobber?
Three levels
We can use form to clobber variables at a depth of 3
first.second.third
What to clobber?
More than three levels
We can use iframe to clobber variables at a depth of 4 and more
first.second.third.fourth first.second.third.fourth.fifth...
Real world use-case
[html-janitor] Arbitrary HTML can bypass the sanitization process
https://hackerone.com/reports/308158
Practice DOM Clobbering attacks
- https://portswigger.net/web-security/dom-based/dom-clobbering
- https://www.root-me.org/fr/Challenges/Web-Client/DOM-Clobbering
Challenges
Whoami
@xanhacks
https://www.offensiveweb.com/
End! Question?