soheilkhodayari / domclobbering Goto Github PK
View Code? Open in Web Editor NEWDOM Clobbering Wiki, Browser Testing, and Payload Generation
Home Page: https://domclob.xyz
License: GNU General Public License v3.0
domclobbering's Issues
OWASP Cheat Sheet
Add a link to the OWASP cheat sheet in the main page, which has been created with this PR.
Add GitHub Actions
Check the test server build status via Github actions automatically after each commit.
https mixed content problem for just-the-docs
The just-the-docs theme seem to access the static assets over HTTP by default rather than HTTPS (see here). To avoid this, the url attribute must be set in the configuration file.
[UI] JS syntax highlighting
Problem
The current JS syntax highlighter script is not working properly for some of the code snippets in the markups list page.
Suggested Solution
It would be good to replace it with a more advanced syntax highlighting library, like Monaco.
Syntax Error in UI Script
Issue Description
The snippet for online testing of clobbering markups has a syntax error in line 184 (missing closing bracket).
if (v && (!isNaN(v) || v.toString().indexOf('HTML') > -1 || v.toString().indexOf('Element') > -1
|| v.toString().indexOf('Collection') > -1 || v.toString().indexOf('Window') > -1) {
is_clobbered = true;
}The affected webpage is https://domclob.xyz/domc_markups/list.
iframe tag with id attribute cannot clobber document.x
Here is a correction for the paper as well as the domclob.xyz website about the DOM Clobbering markups. Contrary to previous findings, iframe HTML element with id=x attribute cannot clobber the DOM Tree Accessors (i.e. document.x).
According to the HTML standard on named element lookup on Document interface, only the following elements can clobber the document.x.
- Exposed
embed,form,iframe,img, or exposedobjectelements that have anamecontent attribute - Exposed
objectelements that have anidcontent attribute imgelements that have anidcontent attribute whose value isname, and that have a non-emptynamecontent attribute
Upon running some real-world tests using BrowserStack, I found that the iframe HTML element with id=x attribute cannot clobber the DOM Tree Accessors at least in the following listed versions of Chrome, Firefox, and Edge.
- Chrome: Tested from version 86 to 123
- Firefox: Tested from version 80 to 124
- Edge: Tested from version 80 to 123
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.