DOM Clobbering Wiki


Nested Window Proxies

These markups use the Iframe srcdoc rule (R4) to create nested window proxies that are named with x and y, respectively.

Similarly to the previous group of markups, it uses the rule R1 or R2 to clobber the base object. Then, the stacked iframes enable attackers to exploit frame navigation features to clobber object properties like x.y.

Name Rule Target Target Type Reference Type Tag 1 Tag 2 Attribute 1 Attribute 2 Relation Total
Nested Window Proxies R4 + R1, R4 + R2 x.y, window.x.y, document.x.y Object Property, Variable WindowProxy iframe iframe name=x name=y srcdoc 1