# Dom Clobbering DOM Clobbering is a technique where global variables can be overwritten or "clobbered" by naming HTML elements with certain IDs or names. This can cause unexpected behavior in scripts and potentially lead to security vulnerabilities. ## Basic It's possible to generate global variables inside the JS context with the attributes `id` and `name` in HTML tags. ```javascript
``` **Only** certain elements can use the name attribute to **clobber globals**, they are: * `embed` * `form` * `iframe` * `image` * `img` * `object` ## Exploit Exploitation requires any kind of HTML injection in the page. * Clobbering `x.y.value` ```javascript // Payload
I've been clobbered // Sink ``` * Clobbering `x.y` using ID and name attributes together to form a DOM collection ```javascript // Payload // Sink ``` * Clobbering `x.y.z` - 3 levels deep ```javascript // Payload
// Sink ``` * Clobbering `a.b.c.d` - more than 3 levels ```javascript // Payload // Sink ``` * Clobbering forEach (Chrome only) ```javascipt // Payload
// Sink ``` * Clobbering `document.getElementById()` using `` or `` tag with the same id attribute ```javascript // Payloads clobbered clobbered // Sink ``` * Clobbering `x.username` ```javascript // Payload
// Sink ``` * Clobbering (Firefox only) ```javascript // Payload // Sink ``` * Clobbering (Chrome only) ```javascript // Payload // Sink ``` ## Filter Bypassing If a filter is looping through the properties of a node using something like `document.getElementByID('x').attributes` you could clobber the attribute `.attributes` and break the filter. Other DOM properties like `tagName`, `nodeName` or `parentNode` and more are also clobberable. ```javascript
``` ## Clobbering Forms It's possible to add new entries inside a form just by specifying the `form` attribute inside some tags. You can use this to add new values inside a form and to even add a new button to send it (clickjacking or abusing some `.click()` JS code): ```javascript ``` * For more form attributes in [W3S](https://www.w3schools.com/tags/tag_button.asp) ## Tools * [**DOM Invader**](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/enabling) is preinstalled in Burp's browser, but is disabled by default as some of its features may interfere with your other testing activities.