DOM clobbering
Slap yourself if
You think XSS only happens through <script> tags or string concatenation.
Why this exists
DOM clobbering exists because browsers historically exposed named DOM elements as properties on global objects and forms. That legacy behavior still leaks into modern apps, creating an attack surface most engineers don’t even realize they’re using.
Mental model
The DOM is not just a tree — it’s also a name-resolution system that can silently override your variables, globals, and object properties if you let user-controlled markup define identifiers.
- Elements with certain attributes (id, name) get reflected as properties on global objects like window or document.
- Those properties can shadow or overwrite variables your code assumes are plain objects or functions.
- The browser resolves these names dynamically at runtime: an unqualified reference with no declared binding falls through to the global object, where a named element can answer, instead of being bound lexically like a JavaScript variable.
- An attacker doesn’t need script execution — markup alone can change program behavior.
- Assuming window.config or document.forms.login is immutable.
- Using implicit globals instead of lexical bindings.
- Trusting DOM-based lookups that depend on element names.
- Security reviews that only scan for script injection.
DOM clobbering is a class of DOM-based vulnerabilities where attacker-controlled HTML elements override or shadow JavaScript variables or properties via legacy name resolution, causing logic corruption without executing injected scripts.
- Accessing globals via window.someName
- Relying on document.formName or document.elementId
- Code that works only because of implicit DOM globals
- Security assumptions based solely on CSP
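The pattern from the definition above, as an added example that is not code from the original page: a config loader that trusts name resolution beside one that refuses anything but a plain object. The DOM objects are constructed Node stand-ins for what a browser hands you when markup defines an id or name; in a browser you would pass `window` itself.

```javascript
// Added example, not from the original page. The stand-ins below are
// constructed to mimic browser named-property resolution so this runs in Node.

// Vulnerable: trusts whatever name resolution returns for `config`.
function loadConfigUnsafe(globalObject) {
  const cfg = globalObject.config || {};
  // String(<a href=...>) yields the href, so a clobbered element "works".
  return { endpoint: String(cfg.endpoint || "/api") };
}

// Duck-typed checks so this runs where HTMLElement/HTMLCollection are absent.
function looksLikeDomNode(v) {
  return v !== null && typeof v === "object" &&
    (typeof v.nodeType === "number" || typeof v.tagName === "string");
}
function looksLikeCollection(v) {
  return v !== null && typeof v === "object" &&
    typeof v.length === "number" && typeof v.item === "function";
}

// Hardened: accept only a plain object with the expected field types.
function loadConfigSafe(globalObject) {
  const cfg = globalObject.config;
  if (cfg === undefined) return { endpoint: "/api" };
  if (looksLikeDomNode(cfg) || looksLikeCollection(cfg) ||
      Object.getPrototypeOf(cfg) !== Object.prototype) {
    throw new Error("config is not a plain object: possible DOM clobbering");
  }
  if (cfg.endpoint !== undefined && typeof cfg.endpoint !== "string") {
    throw new Error("config.endpoint must be a string");
  }
  return { endpoint: cfg.endpoint ?? "/api" };
}

// Constructed stand-ins (not real DOM objects). Two <a id="config"> elements
// make window.config an HTMLCollection, and name="endpoint" on the second
// makes config.endpoint resolve to that anchor.
const clobberedAnchor = {
  nodeType: 1, tagName: "A", name: "endpoint",
  href: "https://attacker.example/",          // constructed value
  toString() { return this.href; },
};
const clobberedWindow = {
  config: {
    length: 2,
    item: (i) => (i ? clobberedAnchor : { nodeType: 1, tagName: "A" }),
    endpoint: clobberedAnchor,
  },
};
const legitimateWindow = { config: { endpoint: "/api/v2" } };
```

`loadConfigUnsafe(clobberedWindow).endpoint` returns the constructed href, while `loadConfigSafe(clobberedWindow)` throws and `loadConfigSafe(legitimateWindow)` returns `/api/v2`.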
Deep dive
Premium deep dives include more internals, more scars.