DOM Clobbering Wiki
Stable
Defenses and Mitigation Techniques
This section presents existing mitigation techniques against DOM Clobbering.
Secure Coding Patterns
DOM Clobbering vulnerabilities can be mitigated via secure coding patterns, such as namespace isolation
, where developers seperate the namespace of named properties, and JavaScript variables, e.g., by prefixing id
and name
properties of dynamically inserted DOM elements.
For more information, please refer to the documentation for secure coding patterns and practices.
HTML Sanitization
HTML sanitizers can sanitize the input markups before adding them to the DOM tree, e.g., by removing the id
and name
attributes from potentially dangerous HTML markups.
Recently, the community is considering to incorporate a new, native sanitizer API in web browsers to mitigate injection-based vulnerabilites.
At its current state, however, the new sanitizer API does not prevent DOM Clobbering by default, requiring developers to explicitly opt-into DOM Clobbering protection. This would completely remove id
and name
attributes for all HTML tags and may disrupt legitimate functionalities that require those attributes.
Content Security Policy (CSP)
When attackers can clobber the src
attribute of dynamically created scripts, they can load and execute arbitrary JavaScript code. In these cases, the CSP script-src directive can be used to constrain the value of script sources to a set of trusted domains, preventing attacker-loaded code to be executed[1, 2].
However, unlike malicious JavaScript injected by the attacker, injected HTML code is not blocked by CSP. Accordingly, CSP does not mitigate other variants of DOM Clobbering that do not require script src
manipulation, e.g., clobbering the parameters of dynamic code evaluation constructs eval
or new Function()
can lead to CSP-bypassable XSS.
Non-Configurable Object Properties
Another way to mitigate DOM Clobbering is to mark DOM object properties as configurable: false
, e.g., via Object.defineProperty()
(see [3] for more strategies). For example:
// Define a non-configurable property on document to prevent DOM
// Clobbering from shadowing it.
Object.defineProperty(document, '<PROPERTY>', {
value: "<VALUE>", // the (initial) value
configurable: false, // prevent redefinition, deletion, and clobbering
enumerable: true, // [OPTIONAL] make it visible during enumeration
writable: false, // [OPTIONAL] prevent changes to the value
});
While effective, there are some caveats. First, determining all object properties that need to be marked in this way is a non-trivial, error-prone task. Second, this approach does not work if the property is clobbered before defining it.
Disabling DOM Clobbering
DOM Clobbering can be solved by disabling named properties in web browsers (see also here and here).
However, according to Chrome telemetry, disabling named properties for clobbered variable accesses could break ~10.5% of the webpages as of April 2022.
References
-
Lekies, Sebastian and Kotowicz, Krzysztof and Gross, Samuel and Vela Nava, Eduardo A and Johns, Martin, “Code-reuse attacks for the web: Breaking cross-site scripting mitigations via script gadgets”, CCS, 2017. Link
-
Michał Bentkowski, XSS in GMail’s AMP4Email via DOM Clobbering, 2019. Link
-
Mario Heiderich and Marcus Niemietz and Jorg Schwenk, “Waiting for CSP – Securing Legacy Web Applications with JSAgents”, ESORICS, 2015. Link