It's (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses
DOM Clobbering is a type of code-less injection attack where attackers insert a piece of non-script, seemingly benign HTML markup into a webpage and transform it to executable code by exploiting the unforeseen interactions between JavaScript code and the runtime environment. The attack techniques, b...
| Published in: | Proceedings - IEEE Symposium on Security and Privacy, pp. 1041 - 1058 |
|---|---|
| Main authors: | Khodayari, Soheil; Pellegrino, Giancarlo |
| Format: | Conference proceeding |
| Language: | English |
| Published: | IEEE, 01.05.2023 |
| Subjects: | |
| ISSN: | 2375-1207 |
| Online access: | Full text |
| Abstract | DOM Clobbering is a type of code-less injection attack where attackers insert a piece of non-script, seemingly benign HTML markup into a webpage and transform it to executable code by exploiting the unforeseen interactions between JavaScript code and the runtime environment. The attack techniques, browser behaviours, and vulnerable code patterns that enable DOM Clobbering have not been studied yet, and in this paper, we undertake one of the first evaluations of the state of DOM Clobbering on the Web platform. Starting with a comprehensive survey of existing literature and dynamic analysis of 19 different mobile and desktop browsers, we systematize DOM Clobbering attacks, uncovering 31.4K distinct markups that use five different techniques to unexpectedly overwrite JavaScript variables in at least one browser. Then, we use our systematization to identify and characterize program instructions that can be overwritten by DOM Clobbering, and use it to present TheThing, an automated system that detects clobberable data flows to security-sensitive instructions. We instantiate TheThing on the top of the Tranco top 5K sites, quantifying the prevalence and impact of DOM Clobbering in the wild. Our evaluation uncovers that DOM Clobbering vulnerabilities are ubiquitous, with a total of 9,467 vulnerable data flows across 491 affected sites, making it possible to mount arbitrary code execution, open redirections, or client-side request forgery attacks also against popular websites such as Fandom, Trello, Vimeo, TripAdvisor, WikiBooks and GitHub, that were not exploitable through the traditional attack vectors. Finally, in this paper, we also evaluate the robustness of the existing countermeasures, such as HTML sanitizers and Content Security Policy, against DOM Clobbering. |
|---|---|
| Author | Pellegrino, Giancarlo; Khodayari, Soheil |
| Author_xml | – sequence: 1 givenname: Soheil surname: Khodayari fullname: Khodayari, Soheil email: soheil.khodayari@cispa.de organization: CISPA Helmholtz Center for Information Security,Saarbrücken,Germany – sequence: 2 givenname: Giancarlo surname: Pellegrino fullname: Pellegrino, Giancarlo email: pellegrino@cispa.de organization: CISPA Helmholtz Center for Information Security,Saarbrücken,Germany |
| CODEN | IEEPAD |
| ContentType | Conference Proceeding |
| DOI | 10.1109/SP46215.2023.10179403 |
| Discipline | Computer Science |
| EISBN | 1665493364 9781665493369 |
| EISSN | 2375-1207 |
| EndPage | 1058 |
| ExternalDocumentID | 10179403 |
| Genre | orig-research |
| ISICitedReferencesCount | 5 |
| IsDoiOpenAccess | false |
| IsOpenAccess | true |
| IsPeerReviewed | false |
| IsScholarly | true |
| Language | English |
| OpenAccessLink | https://figshare.com/articles/conference_contribution/It_s_DOM_Clobbering_Time_Attack_Techniques_Prevalence_and_Defenses/24614682 |
| PageCount | 18 |
| PublicationCentury | 2000 |
| PublicationDate | 2023-May |
| PublicationDateYYYYMMDD | 2023-05-01 |
| PublicationDate_xml | – month: 05 year: 2023 text: 2023-May |
| PublicationDecade | 2020 |
| PublicationTitle | Proceedings - IEEE Symposium on Security and Privacy |
| PublicationTitleAbbrev | SP |
| PublicationYear | 2023 |
| Publisher | IEEE |
| Publisher_xml | – name: IEEE |
| StartPage | 1041 |
| SubjectTerms | Attack Techniques; Codes; Defenses; DOM Clobbering; HTML; Prevalence; Robustness; Runtime environment; Surveys; Taxonomy; Transforms |
| Title | It's (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses |
| URI | https://ieeexplore.ieee.org/document/10179403 |