Mitigating DOM clobbering attacks in JavaScript

Written by:
Keshav Malik
wordpress-sync/feature-screenshot-mockup

August 7, 2023

0 mins read

The Document Object Model (DOM) acts as an interface between HTML and JavaScript, bridging the gap between static content and dynamic interactivity. This function makes the DOM indispensable for modern web developers.

However, the DOM has a pitfall — DOM clobbering. DOM clobbering occurs when HTML elements conflict with global JavaScript variables or functions, which can lead to unexpected behavior and a potential security loophole in your web application.

Addressing the issue requires diligent programming practices, substantive knowledge of JavaScript, and a firm grasp of web application security. This article explores the concept of DOM clobbering and provides strategies for building more secure and robust web applications.

How DOM clobbering occurs

Every HTML element can have a unique ID or name attribute for easy reference to specific elements in JavaScript. For example, the following HTML button has an ID attribute with the value "myButton":

<button id="myButton">Click Me!</button>

We can use this ID in our JavaScript code to manipulate the button by, for example, changing its text when clicked:

1document.getElementById('myButton').onclick = function() {
2    this.textContent = 'Clicked!';
3};

The DOM facilitates this interaction between HTML and JavaScript. But what happens if the HTML element’s ID or name attribute conflicts with a global JavaScript variable or function?

When a browser loads an HTML page, it automatically creates global JavaScript variables for every ID and name attribute in the HTML DOM. If we have an HTML element named "myButton", the browser makes a global JavaScript variable, myButton, referencing that HTML element.

Now, let’s consider a scenario in which we’ve declared a JavaScript function named myButton:

1function myButton() {
2    // some code
3}

But we also have an HTML element with the ID or name "myButton". When the page loads, the browser’s automatic process overwrites the JavaScript function myButton with reference to the HTML element:

1<button id="myButton">Click Me!</button>
2
3console.log(myButton); // This will log the HTML button element, not the function

This process is DOM clobbering, which may cause unpredictable behavior and security vulnerabilities. If an attacker can control the attributes, they may be able to inject malicious code into the webpage, leading to security issues like cross-site scripting (XSS).

To illustrate, consider the following scenario:

1Enter your name: <input id="username" type="text">
2<button onclick="greet()">Greet</button>
3
4function greet() {
5    var username = document.getElementById('username').value;
6    alert(`Hello ${username}`);
7}

An attacker could type something like <img id='alert' src=x onerror='alert(1)'>, creating a new HTML component with an 'id' of 'alert'. This component replaces — or clobbers — the normal alert function in JavaScript. The next time the website tries to use this function, it won’t work properly and could even run malicious code.

Identifying DOM clobbering vulnerabilities

Consider a basic web application with a user feedback form. Users input their name and a feedback message, then submit it. The page displays the feedback:

HTML:

1<h2>Feedback Form</h2>
2<form>
3  <label for="name">Name:</label><br>
4  <input type="text" id="name" name="name"><br>
5  <label for="feedback">Feedback:</label><br>
6  <textarea id="feedback" name="feedback"></textarea><br>
7  <input type="submit" value="Submit">
8</form>
9
10<div id="feedbackDisplay"></div>

JavaScript:

1document.querySelector('form').onsubmit = function(event) {
2    event.preventDefault();
3
4    let name = document.getElementById('name').value;
5    let feedback = document.getElementById('feedback').value;
6
7    let feedbackElement = document.getElementById('feedbackDisplay');
8
9    feedbackElement.innerHTML = `<p><b>${name}</b>: ${feedback}</p>`;
10};

This code takes the user’s name and feedback and displays it in a paragraph element within the feedbackDisplay div.

An attacker could exploit this code by submitting HTML in the feedback form. For example, if they entered the following code in the name field and submitted the form, the feedback display area would be replaced by the script tag:

1<script id="feedbackDisplay">window.location.href='http://maliciouswebsite.com';</script>

When the form attempts to display the next piece of feedback, it would instead execute the script, redirecting the user to a malicious website.

This scenario creates a vulnerability because the application takes user-provided input to create HTML, generating a script tag with the same ID as an existing element. This is an example of DOM clobbering with serious consequences — the attacker can gain control of the user’s browser, which enables them to steal sensitive data or install malware.

Secure coding practices to prevent DOM clobbering

With a deeper understanding of these vulnerabilities, we can move on to some best practices that mitigate the risk of DOM clobbering.

Properly scope variables and functions

One of the most common causes of DOM clobbering is misusing global scope in JavaScript. By defining variables and functions within a specific scope, we can restrict overwriting to that scope or any nested scopes and minimize potential conflicts. 

Let’s apply JavaScript’s scoping rules and refactor the previous example to show how this can be done:

1(function() {
2    // All variables and functions are now in this function's scope
3    const form = document.querySelector('form');
4    const feedbackElement = document.getElementById('feedbackDisplay');
5
6    form.onsubmit = function(event) {
7        event.preventDefault();
8
9        const name = document.getElementById('name').value;
10        const feedback = document.getElementById('feedback').value;
11
12        // Sanitize user input
13        name = DOMPurify.sanitize(name);
14        feedback = DOMPurify.sanitize(feedback);
15
16        const newFeedback = document.createElement('p');
17        newFeedback.textContent = `${name}: ${feedback}`;
18        feedbackElement.appendChild(newFeedback);
19    };
20})();

Note: We’ve used DOMPurify to sanitize the HTML in the above code block. You can install it in Node.js with npm install dompurify. Include it in your HTML with <script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.3.3/purify.min.js"></script>.

In this version of the code, we’ve enclosed everything inside an Immediately Invoked Function Expression (IIFE), which creates a new scope. The form and feedbackElement variables and the function assigned to the onsubmit event handler are not in the global scope, so they can’t be clobbered.

Use unique identifiers

Ensuring every element on our webpage has a unique ID reduces the risk of inadvertently overwriting an important function or variable. Also, avoid using common names or names that might conflict with global JavaScript objects or functions.

Avoid global namespace pollution

Keeping the global namespace clean is a vital aspect of writing secure JavaScript. The more variables and functions in the global scope, the greater the risk of DOM clobbering. Use JavaScript’s function scope or ES6’s block scope to keep your variables and functions contained. Here’s an example using the latter:

1    // All variables and functions are now in this block's scope
2    let form = document.querySelector('form');
3    let feedbackElement = document.getElementById('feedbackDisplay');
4
5    form.onsubmit = function(event) {
6        event.preventDefault();
7
8        let name = document.getElementById('name').value;
9        let feedback = document.getElementById('feedback').value;
10
11        // Sanitize user input
12        name = DOMPurify.sanitize(name);
13        feedback = DOMPurify.sanitize(feedback);
14
15        let newFeedback = document.createElement('p');
16        newFeedback.textContent = `${name}: ${feedback}`;
17        feedbackElement.appendChild(newFeedback);
18    };

In this code, we used a block (defined by the {}) to create a new scope. All variables and functions are now confined to this block and are not in the global scope.

Note: The code examples in this guide are simplified for demo purposes and not intended for use in a production website or app.

Using JavaScript features to mitigate DOM clobbering

Modern JavaScript provides several features that help minimize the risk of DOM clobbering. In particular, the let and const keywords introduced in ES6 offer more control over declaring variables.

Traditionally, we’ve declared JavaScript variables using the var keyword. However, var has a few quirks, one of which is that it doesn’t have block scope — only function scope and global scopes. This means a variable declared with var can be accessed and overwritten outside the block where we declared it.

On the other hand, let and const both have block scope, meaning they’re only accessible within the block in which they were declared. This characteristic often makes them a better choice for variable declaration, as it limits the possibility of overwritten variables.

We can also use const to declare constants — values we can’t change after assigning them. They represent another useful tool for preventing unintended changes to important variables.

Let’s look at how to implement these features in our feedback form code to prevent DOM clobbering:

1    const form = document.querySelector('form');
2    const feedbackElement = document.getElementById('feedbackDisplay');
3
4    form.onsubmit = function(event) {
5        event.preventDefault();
6
7        const name = document.getElementById('name').value;
8        const feedback = document.getElementById('feedback').value;
9
10        // Sanitize user input
11        name = DOMPurify.sanitize(name);
12        feedback = DOMPurify.sanitize(feedback);
13
14        const newFeedback = document.createElement('p');
15        newFeedback.textContent = `${name}: ${feedback}`;
16        feedbackElement.appendChild(newFeedback);
17    };

In this code, we replaced all uses of var with const. We confined all variables to the block in which we declared them, and the constants cannot be overwritten.

Remember that using let and const does not eliminate the risk of DOM clobbering, but the practice remains a critical aspect of secure coding. Understanding and implementing these JavaScript features can make your web applications more secure.

Monitoring and detecting DOM clobbering vulnerabilities

Secure coding practices can help prevent DOM clobbering, but detecting vulnerabilities when they arise is equally critical. Let’s look at some tools and techniques that can help.

Static code analysis

Static application security testing (SAST) tools like Snyk Code can effectively detect potential security vulnerabilities, including DOM clobbering. These tools analyze your source code without executing it, identifying patterns that could lead to security issues. Snyk’s comprehensive JavaScript coverage makes it an excellent choice for web developers.

Browser developer tools

Browser developer tools, such as those available in Chrome or Firefox, can be powerful allies in detecting DOM-clobbering vulnerabilities. 

Let’s walk through a brief example of how to use these tools to identify a potential issue:

  1. On your webpage, right-click anywhere and select Inspect to open developer tools. You can also use Ctrl+Shift+I on Windows or Cmd+Option+I on macOS.

  2. Navigate to the Console tab, where JavaScript errors or logs are displayed.

  3. Type “window” into the console and press Enter to examine the global scope with all global variables and functions. Check for any variables that seem out of place, especially those with the same name as your HTML element IDs or names.

  4. Using the Elements tab, edit the HTML of the page to manipulate the DOM and test for potential vulnerabilities. For example, add an element with an ID that matches a global variable or function to see if it gets overwritten.

Conclusion

This article has explained how DOM clobbering happens, its associated dangers, and how to guard against it. Implementing proper variable scoping, using unique identifiers, and correctly selecting JavaScript’s let and const features are crucial for mitigating this vulnerability. 

Maintaining code security requires balancing prevention and detection efforts. Using recommended coding practices, browser developer tools, and a SAST solution like Snyk can help pinpoint existing and potential issues. 

By incorporating these techniques into your JavaScript applications and staying updated on web application security trends, you can remain proactive in securing your coding practices.

Posted in:Code Security

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo

© 2024 Snyk Limited
Registered in England and Wales

logo-devseccon