jackfromeast edited this page Jul 12, 2024 · 4 revisions

Welcome to the TheHulk wiki!

Abstract

DOM Clobbering is a prevalent and severe type of code-reuse attack on the web. The attack is usually carried out in three steps: 1/ HTML injection, where attackers inject script-less HTML markups into a webpage; 2/ clobbering named property access, where these injected markups are accessed by JavaScript through named property lookups in existing code snippets (called gadgets); 3/ leading the program to malicious consequences, where the well-crafted markups alter the program logic to achieve outcomes such as Cross-site Scripting and Client-side Request Forgery. While previous work has systematically studied the triggering of these gadgets—specifically, how different HTML markups can clobber named property lookups in programs across various browsers—the end-to-end exploitability of DOM Clobbering in real-world scenarios remains less explored. Two critical gaps remain: 1/ understanding the attack techniques and prevalence of HTML markup injection on the modern web, and 2/ effectively constructing payloads that follow or manipulate the logic of these gadgets to lead to dangerous consequences.

In this paper, we aim to complete the picture of the DOM Clobbering attack on the modern web platform. First, we conduct a comprehensive study of HTML injection attacks for DOM Clobbering, examining attack techniques, vulnerable code patterns, and prevalence. Our findings include [insert numbers here]. Next, we design and implement a novel DOM Clobbering gadget detection system, named TheHulk, which detects and generates payloads that lead to sinks via concolic execution by setting injected DOM nodes as symbols. Our evaluation on the Tranco top 5K sites uncovered XXX exploitable DOM Clobbering gadgets, including those in widely-used client-side libraries such as the gapi client from Google and MathJax2. We also provide the first collection of DOM Clobbering gadgets in widely-used client-side libraries, available at [insert URL here]. Our research has resulted in XXX CVE numbers assigned to widely-used web applications, including JupyterLab and Hackmd.io, for end-to-end exploitation of DOM Clobbering that leads to XSS.

rewrite

  • DOM Clobbering is a type of code-reuse attack on the web, where attackers inject script-less HTML markups to exploit existing code snippets (gadgets) within the webpage, altering its logic to achieve malicious outcomes such as Cross-site Scripting and Client-side Request Forgery.
  • While previous work has systematically studied the triggering of these gadgets, it has two flaws. 1: It assumes that any HTML markup injection can be inserted before the evaluation of these gadgets. 2: Its dynamic analysis is weak and it lacks an automated exploitation system.
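The gadget pattern described in the abstract and in the bullets above (a named property lookup whose result is coerced and used without a type check) is illustrated here from the defender's side. This is an added example, not code from the TheHulk project or from the paper: the global name `config`, the fallback value `/static/`, and the object that stands in for the browser's `window` after a markup injection are all assumptions constructed so the snippet runs under Node without a DOM. The constructed stand-in models the one browser behaviour that matters for the gadget, namely that an anchor element stringifies to its `href`.

```javascript
// Added example (not from the TheHulk project): a gadget that reads a
// configuration-like global, beside a hardened accessor that rejects values
// a script-less markup could have placed there via named property access.

const assumedFallbackBase = '/static/'; // hypothetical default the gadget falls back to

// Heuristic: anything that looks like a DOM node must never be accepted
// where a plain string is expected.
function isDomNodeLike(value) {
  return value !== null && typeof value === 'object' &&
    (typeof value.nodeType === 'number' || typeof value.tagName === 'string');
}

// The gadget pattern: truthiness check, then string coercion. An element whose
// id/name matches the lookup passes the truthiness check and is coerced
// through toString(), so the injected markup controls the result.
function naiveGadget(globalObj) {
  return String(globalObj.config || assumedFallbackBase);
}

// Hardened form: require the expected type, report anything else, and use the
// fallback. The report callback is where a defender would log the event.
function hardenedGadget(globalObj, report) {
  const value = globalObj.config;
  if (value === undefined) return assumedFallbackBase;
  if (typeof value !== 'string') {
    report({ name: 'config', kind: isDomNodeLike(value) ? 'dom-node' : typeof value });
    return assumedFallbackBase;
  }
  return value;
}

// Constructed stand-ins for the browser's global object (assumption: no real DOM).
function pristineWindow() {
  return {};
}
function clobberedWindow() {
  // Models window.config after a markup with id="config" was injected: an
  // HTMLAnchorElement stringifies to its href, represented by toString() here.
  return {
    config: {
      nodeType: 1,
      tagName: 'A',
      toString() { return 'https://example.invalid/injected'; } // constructed value
    }
  };
}

// Runs both gadgets against both windows and collects the hardened form's reports.
function demo() {
  const reports = [];
  const report = (r) => reports.push(r);
  return {
    naiveClean: naiveGadget(pristineWindow()),
    naiveClobbered: naiveGadget(clobberedWindow()),
    hardenedClean: hardenedGadget(pristineWindow(), report),
    hardenedClobbered: hardenedGadget(clobberedWindow(), report),
    reports
  };
}

console.log(demo());
```

The naive gadget returns the injected element's stringified form, while the hardened accessor returns the fallback and emits one report describing the rejected value; in a browser the same check applies to lookups on `document` as well as `window`, and the type expected should be whatever the gadget genuinely needs (a string here, a plain object with known keys elsewhere).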