From abe6e548ade5ff257362ad86f0aa94f89446f3ab Mon Sep 17 00:00:00 2001 From: Mehdi Date: Fri, 8 Sep 2023 15:44:38 +0330 Subject: [PATCH] Create Dom Clobbering.md --- Dom Clobbering.md | 229 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 229 insertions(+) create mode 100644 Dom Clobbering.md diff --git a/Dom Clobbering.md b/Dom Clobbering.md new file mode 100644 index 0000000..67ec97b --- /dev/null +++ b/Dom Clobbering.md @@ -0,0 +1,229 @@ +# Dom Clobbering +DOM Clobbering is a technique where global variables can be overwritten or "clobbered" by naming HTML elements with certain IDs or names. This can cause unexpected behavior in scripts and potentially lead to security vulnerabilities. + +## Basic +It's possible to generate global variables inside the JS context with the attributes `id` and `name` in HTML tags. +```javascript +
+ +``` + +**Only** certain elements can use the name attribute to **clobber globals**, they are: +* `embed` +* `form` +* `iframe` +* `image` +* `img` +* `object` + + + +## Exploit +Exploitation requires any kind of HTML injection in the page. + +* Clobbering `x.y.value` +```javascript +// Payload +
I've been clobbered + +// Sink + +``` + +* Clobbering `x.y` using ID and name attributes together to form a DOM collection +```javascript +// Payload + + +// Sink + +``` +* Clobbering `x.y.z` - 3 levels deep +```javascript +// Payload + +
+ +// Sink + +``` + +* Clobbering `a.b.c.d` - more than 3 levels +```javascript +// Payload + + + +// Sink + +``` + +* Clobbering forEach (Chrome only) +```javascipt +// Payload +
+ + +
+ +// Sink + +``` + +* Clobbering `document.getElementById()` using `` or `` tag with the same id attribute +```javascript +// Payloads +clobbered +clobbered + + +// Sink + +``` + +* Clobbering `x.username` +```javascript +// Payload +
+ +// Sink + +``` + +* Clobbering (Firefox only) +```javascript +// Payload + + +// Sink + +``` + +* Clobbering (Chrome only) +```javascript +// Payload + + +// Sink + +``` + +## Filter Bypassing +If a filter is looping through the properties of a node using something like `document.getElementByID('x').attributes` you could clobber the attribute `.attributes` and break the filter. Other DOM properties like `tagName`, `nodeName` or `parentNode` and more are also clobberable. +```javascript +
+
+ +
+ +``` + +## Clobbering Forms +It's possible to add new entries inside a form just by specifying the `form` attribute inside some tags. You can use this to add new values inside a form and to even add a new button to send it (clickjacking or abusing some `.click()` JS code): +```javascript + + + +``` +* For more form attributes in [W3S](https://www.w3schools.com/tags/tag_button.asp) + +## Tools +* [**DOM Invader**](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/enabling) is preinstalled in Burp's browser, but is disabled by default as some of its features may interfere with your other testing activities. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
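Review bot: two defects in the new file's code blocks need fixing before merge. In the "Clobbering forEach (Chrome only)" block the fence is tagged ```javascipt (missing "r"), so renderers will not recognise the language; and in the "Filter Bypassing" section the sample call `document.getElementByID('x').attributes` uses the wrong casing, the DOM method is `document.getElementById`. Since every payload/sink block is HTML markup with an inline script sink rather than plain JavaScript, tagging those fences as `html` instead of `javascript` would also highlight correctly. Minor: the heading "# Dom Clobbering" and the file name "Dom Clobbering.md" disagree with the body's "DOM Clobbering" spelling, and the blank line separating bullets is missing between the `x.y` block and "* Clobbering `x.y.z` - 3 levels deep". Documentation-wise the write-up covers only the exploitation side; a short mitigation note alongside the Tools section would make it useful to code reviewers as well as testers.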