soheilkhodayari / domclobbering
DOM Clobbering Wiki, Browser Testing, and Payload Generation
Home Page: https://domclob.xyz
License: GNU General Public License v3.0
Add a link to the OWASP cheat sheet in the main page, which has been created with this PR.
Check the test server build status via GitHub Actions automatically after each commit.
The just-the-docs theme seems to access the static assets over HTTP by default rather than HTTPS (see here). To avoid this, the url attribute must be set in the configuration file.
The current JS syntax highlighter script is not working properly for some of the code snippets in the markups list page.
It would be good to replace it with a more advanced syntax highlighting library, like Monaco.
The snippet for online testing of clobbering markups has a syntax error in line 184 (missing closing bracket).
if (v && (!isNaN(v) || v.toString().indexOf('HTML') > -1 || v.toString().indexOf('Element') > -1
|| v.toString().indexOf('Collection') > -1 || v.toString().indexOf('Window') > -1) {
is_clobbered = true;
}
The affected webpage is https://domclob.xyz/domc_markups/list.
Here is a correction for the paper as well as the domclob.xyz website about the DOM Clobbering markups. Contrary to previous findings, iframe HTML element with id=x attribute cannot clobber the DOM Tree Accessors (i.e. document.x).
According to the HTML standard on named element lookup on Document interface, only the following elements can clobber the document.x.
- embed, form, iframe, img, or exposed object elements that have a name content attribute
- object elements that have an id content attribute
- img elements that have an id content attribute whose value is name, and that have a non-empty name content attribute

Upon running some real-world tests using BrowserStack, I found that the iframe HTML element with id=x attribute cannot clobber the DOM Tree Accessors at least in the following listed versions of Chrome, Firefox, and Edge.
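The three named-element rules quoted in the issue above can be modelled as a small audit function, for example to check which tag and attribute combinations in a sanitizer allowlist can shadow a property on document. This is an added example, not code from the issue or from the domclobbering project; the descriptor shape ({tag, id, name, exposed}), the function names and the sample input are assumptions made for illustration, and the `exposed` flag is a simplification of the standard's "exposed" condition.

```javascript
// Added example: models the Document named-element rules quoted above.
// Elements are plain descriptors, a constructed stand-in for parsed markup.
// `exposed` (hypothetical field) defaults to true and only matters for <object>.

const NAME_TAGS = new Set(['embed', 'form', 'iframe', 'img', 'object']);

// Returns true if element `el` would be returned by document[prop].
function clobbersDocument(el, prop) {
  const tag = String(el.tag).toLowerCase();
  const id = el.id || '';
  const name = el.name || '';
  if (!prop) return false;
  if (tag === 'object' && el.exposed === false) return false;

  // Rule 1: embed, form, iframe, img or exposed object whose name matches.
  if (NAME_TAGS.has(tag) && name === prop) return true;
  // Rule 2: exposed object whose id matches.
  if (tag === 'object' && id === prop) return true;
  // Rule 3: img whose id matches AND which has a non-empty name attribute.
  if (tag === 'img' && id === prop && name !== '') return true;
  return false;
}

// Lists every descriptor that would shadow one of the given document properties.
function auditMarkup(elements, props) {
  const findings = [];
  for (const el of elements) {
    for (const prop of props) {
      if (clobbersDocument(el, prop)) findings.push({ prop, ...el });
    }
  }
  return findings;
}

// Constructed sample input covering the cases discussed in the issue.
const sample = [
  { tag: 'iframe', id: 'x' },              // id only: not a document accessor
  { tag: 'iframe', name: 'x' },            // rule 1
  { tag: 'img', id: 'x' },                 // id without name: no match
  { tag: 'img', id: 'x', name: 'y' },      // rule 3
  { tag: 'object', id: 'x' },              // rule 2
  { tag: 'object', id: 'x', exposed: false },
  { tag: 'a', id: 'x', name: 'x' },        // not in any Document rule
];
console.log(auditMarkup(sample, ['x']));
```

The model covers only named lookup on Document; named access on the Window object follows a different list of elements and is not handled here.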