DOMC-BT

Website | Browser Testing | Wiki | Markups | Payload Generator

A comprehensive framework for testing web browsers against DOM Clobbering. DOMC-BT exhaustively generates test cases of candidate DOM Clobbering markups and automatically tests them against web browsers.

DOMC-BT complements TheThing a static-dynamic security analysis tool for DOM clobbering based on JAW.

DOMC-BT has a website available at https://soheilkhodayari.github.io/DOMClobbering.

HTML Sanitizer Testing Pipeline: Please see the HTML-ST repository!

• Automated Browser Testing
  • A django webapp that serves DOM Clobbering test pages
    • Test your browser by visiting a single URL
    • Dockerized container
  • Run test cases against a pool of browser instances from BrowserStack
• DOM Clobbering Attack Payload Generator
  • Online demo
• Interactive List of Clobbering Payloads
  • Clobbering Markups for mobile and desktop browsers
  • Online demo
• DOM Clobbering Wiki
  • Clobbering techniques
  • Vulnerable code patterns
  • Defenses
  • Online demo

DOM Clobbering is an attack technique where the attacker achieves arbitrary client-side code execution by injecting a non-script HTML markup into a vulnerable webpage and transform the initially secure markup into executable code.

DOM Clobbering originates from a naming collision between JavaScript variables and named HTML markups, where attackers confuse the web application by injecting HTML elements whose id or name attribute matches the name of security-sensitive variables, such as variables used for fetching remote content (e.g., script src).

For more information, See here.

You can build the tool by:

$ docker-compose build web
$ docker-compose build browserstack

Run the web application that serves the test DOM Clobbering webpages:

$ docker-compose up web

Now, you should be able to visit the list of tests on http://127.0.0.1:3000, and run any of them in your browser by clicking on the links.

Note: The test pages automatically redirect to the next test webpage, therefore clicking the first test is sufficinet to run all the test cases.

You can use BrowserStack to run the DOM clobbering testsuite for many browsers simultaneously.

Step 1: specify the browser configurations you would like to test in a .json file. See here for more information about available list of browsers. You can find an example in browser_capabilities.json in the root project directory.

Step 2: Run the webapp hosting the test pages, and setup a proxy so that BrowserStack can access this webapp:

$ docker-compose up web
$ ./browserstack_proxy ACCOUNT_KEY

Note: In the above command, replace ACCOUNT_KEY with your BrowserStack access key.

Note: For setting up the proxy, you may need to download the appropriate BrowserStack binary and rename it to BrowserStackLocal. For more information, refer to the official BrowserStack local testing documentation.

Step 3: Run the automated docker service called browserstack to execute the tests:

$ docker-compose up browserstack

The raw data of DOM Clobbering markups are available in the domc_markups folder in the root project directory for different mobile and desktop browsers and browser versions.

An interactive version of clobbering markups is available online here, which provides an online browser testing solution. For testing each markup in your browser, simply click on it.

Found a new clobbering markup not in the online list and that you would like to share? Then, open up a new PR here.

This repository features one of the first online wikis for DOM Clobbering accessible at https://soheilkhodayari.github.io/DOMClobbering.

The markdown files of the wiki are available in the domc_wiki folder in the project root directory.

This repository uses the Jekyll just-the-docs as a GitHub pages remote theme, with the configuration specified in _config.yaml:

remote_theme: just-the-docs/just-the-docs
color_scheme: "dark"

Docker: You can build and run this Wiki inside a Docker container with:

$ docker-compose build wiki
$ docker-compose up wiki

Host Machine: alternatively, you can build it inside your host machine with:

$ gem install just-the-docs
$ bundle exec jekyll serve

For more information, please refer to the official just-the-docs and Jekyll documentations.

The repository uses Github Actions to automatically build and publish a static version of the DOM Clobbering Wiki with Jekyll once a commit is merged with the master branch (i.e., a Pull Request is accepted).

For any questions, suggestions, feedback or concerns, please raise an issue in the repository.

Bug reports and pull requests are more than welcomed on GitHub. For more information, please refer to contribution guidelines.

This project is intended to be a safe, welcoming space, and contributors are expected to adhere to the contributor code of conduct.

The contents of this repository has been published as a part of a IEEE S&P'23 paper. If you use DOMC-BT for academic research, we encourage you to cite the following paper:

@inproceedings {SKhodayariSP23TheThing,
  author = {Soheil Khodayari and Giancarlo Pellegrino},
  title = {It's (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses,
  booktitle = {To Appear at proceedings of the 44rd IEEE Symposium on Security and Privacy},
  year = {2023},
}

We thank the BrowserStack Open-Source Program for supporting this project.