DOM Clobbering Wiki
Stable
HTMLCollections
When two or more elements have the same id or name in the DOM tree, browsers create an array-like object called HTMLCollection, which contains all elements with the same id.
Elements inside HTMLCollections can accessed by (i) their index in the collection and (ii) their id and name. Attackers can exploit feature (i) to clobber arrays and loop elements (e.g., x and x[i]), where the length of the array can be controlled by the number of elements with the same id in the payload. Also, they can leverage feature (ii) to create payloads that clobber properties like x.x and x.y, where x references the collection, x.x points to the first element in the collection with id x, and finally x.y refers to the first element with id x and name y (see, e.g., here)
| Name | Rule | Target | Target Type | Reference Type | Tag 1 | Tag 2 | Attribute 1 | Attribute 2 | Relation | Total |
|---|---|---|---|---|---|---|---|---|---|---|
| HTMLCollections | R5 + R1, R5 + R2 | x.x, window.x.x | Object Property, Variable | HTMLCollection | any | any | id=x | id=x | child, sibling | 141 |
| document.x.x | Object Property | HTMLCollection | object, img, image | object, img, image | id=x | id=x | child, sibling | 3 | ||
| x.y, window.x.y | Object Property, Variable | HTMLCollection | any | any | id=x, name=y | id=x | child, sibling | 141 | ||
| document.x.y | Object Property | HTMLCollection | object, img, image | object, img, image | id=x, name=y | id=x | child, sibling | 3 |