Vigyata.AI
Is this your channel?

DEF CON 33 - AutoDetection & Exploitation of DOM Clobbering Vuln at Scale - Zhengyu Liu, Jianjia Yu

888 views· 26 likes· 37:43· Oct 10, 2025

DOM Clobbering is a type of code-reuse attack on the web that exploits naming collisions between DOM elements and JavaScript variables for malicious consequences, such as Cross-site Scripting. In this talk, we present a novel systematization of DOM Clobbering exploitation in four stages, integrating existing techniques while introducing new clobbering primitives. Based on this foundation, we introduce Hulk, the first dynamic analysis tool to automatically detect DOM Clobbering gadgets and generate working exploits end-to-end. Our evaluation revealed an alarming prevalence of DOM Clobbering vulnerabilities across the web ecosystem. We discovered 497 zero-day DOM Clobbering gadgets in the Tranco Top 5,000 sites, affecting popular client-side libraries, including Google Client API, Webpack, Vite, Rollup, and Astro—all of which have since acknowledged and patched the issue. To complete our exploitation chain, we further study its trigger---HTML Injection vulnerability. Our systematic analysis of HTML Injection uncovered over 200 websites vulnerable to HTML injection. By combining them with our discovered gadgets, we demonstrated complete attack chains in popular applications like Jupyter Notebook/JupyterLab, HackMD.io, and Canvas LMS. This research has resulted in 19 CVE identifiers being assigned to date.

🎬 More from DEFCONConference