DOM Vulnerabilities - Exploiting DOM Clobbering to Enable XSS

Support This Channel ====================== Please like and subscribe, it means a lot! Please buy me a coffee so I can continue to make content. https://buymeacoffee.com/zenshell Join our Discord   / discord   The video provides a detailed walkthrough of exploiting DOM Clobbering to enable cross-site scripting (XSS) in an expert-level lab. We being by explaining the concept of clobbering, which involves overwriting memory locations either unintentionally, like a developer overwriting new code with an outdated version, or intentionally by a hacker to alter code execution. The lab focuses on a simple HTML document with two anchor tags having the same ID, which is usually against HTML practices. This setup leads to non-standard browser behavior where properties are added to the window object based on element IDs, but this behavior is not consistent across browsers. The lab demonstrates how, in Chrome, accessing a window property with the ID of these elements returns an HTML collection, which can be manipulated. The presenter shows how exploiting this behavior can lead to an XSS vulnerability by manipulating the value of a variable that a function depends on, without directly injecting into the function itself. The lab further delves into the prerequisites for the attack, the setup of the HTML document, and the non-standard behavior of browsers regarding window properties. The video highlights the importance of unique IDs in HTML and how browsers may implement this functionality differently, which developers should not rely on. The attack is carried out in a blog post comment section, where the presenter demonstrates how to manipulate the default avatar image source by injecting HTML through the comment. The video explains the process in detail, including the challenges faced due to browser differences and the mechanisms in place like DOM Purify that attempt to sanitize input to prevent such vulnerabilities. Despite these mechanisms, the lab shows how a carefully crafted payload can bypass sanitization by exploiting the non-standard behavior and the nuances of HTML and URL encoding. In the end, the lab succeeds in enabling an XSS attack vector through DOM clobbering, emphasizing the complexity and counterintuitive aspects of this vulnerability, the importance of understanding browser behavior, encoding techniques, and the limitations of sanitization libraries like DOM Purify in preventing such attacks. 00:00 Intro 00:22 What is Clobbering? 01:32 Clobbering Window Properties 04:51 What is a HTMLElement Anyway? 05:57 Exploring the Lab 07:06 Exploring the JavaScript 09:53 Initial Payload with Simple Injection 13:13 Understanding Concatenation of DOM Nodes 15:12 2nd Payload with Breakout Attempt 18:34 Introducing CID Directive 21:51 Third Payload with CID Directive 23:07 Eliminating Trailing Double Quote 24:11 Solving the Lab 25:23 Bypassing DOMPurify 31:11 SUMMARY of Key Concepts