Under the radar
It appears to be harmless HTML markup that tells a browser what content looks like on a web page; for example, where a button should go, what text should be in boldface, and what a heading is. But in truth, this may be an attempt by attackers to have a browser execute arbitrary JavaScript code. "Achieving that is like the holy grail of website attacks. From hijacking a social media account to taking over an online bank account, almost anything is possible with this," Khodayari explains.
Arbitrary execution of JavaScript code on the client side, for example in browsers, has been one of the most critical security threats since the early days of the web, according to the researcher. "Traditionally, attackers have achieved this goal by injecting malicious JavaScript code into vulnerable web pages. For example, such attacks, which include cross-site scripting, are well studied, and there are now some security measures against them," Khodayari says. DOM clobbering attacks are not as well studied, but they are just as dangerous. In this type of attack, malicious code is not injected directly; instead, the attack enters through a back door, so to speak: the DOM, which gives the attack its name.
The abbreviation DOM stands for "Document Object Model." This programming interface makes it easier for web developers to edit the various components of a website. The DOM represents HTML documents in a tree structure and ensures that programming languages such as JavaScript can interact with the page and its elements, Khodayari explains. "The problem is that there are name collisions between JavaScript variables and HTML markups. Attackers can exploit this fact and use HTML markups to override JavaScript variables, allowing the browser to perform all sorts of tasks."
Khodayari, who conducts research in the group of CISPA faculty Dr. Giancarlo Pellegrino, was the first to investigate how many markups there are that can be abused in this way and how many websites have corresponding vulnerabilities. "We were surprised by the extent of the problem: Our evaluation shows that the attack surface is vast. In the top 5000 websites, we found around 9500 vulnerable data flows on 491 affected websites, including popular sites such as Fandom, Trello, Vimeo, TripAdvisor, WikiBooks, or GitHub, which are not vulnerable via traditional attack routes."
In total, the researcher analyzed more than 24.6 billion lines of JavaScript code in 18.3 million scripts on 205600 web pages for vulnerable data flows. "To accomplish this, I developed the analysis tool TheThing." To ensure the tool knew what to look for, the CISPA researcher's first step was to dig through the research literature and then automatically generate potentially manipulative markup and test how 19 different mobile and desktop browsers handled it. "In the end, we discovered more than 31400 different HTML markups that can unexpectedly overwrite JavaScript variables using various techniques in at least one of the tested browsers. Before our study, only about 500 such markups were known."
But what can be done about DOM clobbering attacks? "There has long been discussion about turning off the mechanism in the browser that allows JavaScript variables to be overwritten by HTML markups in the first place. The problem is that more than 10 percent of all web pages would break as a result. That's been Google's statement for a long time, and it's been confirmed in our research. Worse, we've seen that 10 percent of all web pages affected belong to 50 percent of the top websites. The damage would be immense." Existing security mechanisms, such as a content security policy (CSP) or so-called HTML sanitizers designed to strip insecure elements from HTML markup, are largely incomplete or ineffective against DOM clobbering.
Does this mean we are defenseless in the face of DOM clobbering? "No. We can do something about it," says Khodayari. "Our tool, TheThing, is available to website owners and developers and can show them where their sites have vulnerabilities. In addition, TheThing helps scientists tremendously to further investigate this area. We have also looked closely at the vulnerable code discovered by our tool, identified common mistakes made by developers, and created a list of secure coding patterns and guidelines for them. We have also submitted a patch to the famous HTML sanitizer, DOMPurify, to enforce strict DOM clobbering protection (through namespace isolation). Another helpful step could be an adaptation of the security mechanism CSP. For this, we are in exchange with the World Wide Web Consortium (W3C). However, there is still work to be done."
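The name collision described above and the namespace-isolation mitigation mentioned here, as an added example that is not code from the paper, from TheThing, or from DOMPurify. It assumes a list of globals the page's scripts rely on and a constructed piece of untrusted markup; the regex tag scan stands in for a real DOM parser and is for illustration only.

```javascript
// Added example (not from the paper, TheThing, or DOMPurify). Two defender-side checks
// on untrusted markup that an application is about to insert into its page:
//  1. findClobberingNames: which id/name values would shadow a global the script relies on
//  2. isolateNamedProps: namespace isolation, rewriting every id/name under a prefix so
//     that no collision with a script global is possible at all.
// The regex tag scan stands in for a DOM parser and is for illustration only.

// Matches an opening tag and captures its name and raw attribute string.
const TAG = /<([a-zA-Z][\w-]*)([^>]*)>/g;
// Matches id= or name= (but not data-name=) with a double-quoted, single-quoted or bare value.
// Both attributes can create named properties on window/document once the markup is in the
// DOM; the check is conservative and treats every element the same way.
const NAMED_ATTR = /(?<![\w-])(id|name)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// Returns every id/name value in the markup together with the tag and attribute carrying it.
function collectNamedProps(html) {
  const found = [];
  for (const tag of html.matchAll(TAG)) {
    for (const attr of tag[2].matchAll(NAMED_ATTR)) {
      found.push({ tag: tag[1].toLowerCase(), attr: attr[1].toLowerCase(), value: attr[2] ?? attr[3] ?? attr[4] });
    }
  }
  return found;
}

// Reports the id/name values that collide with identifiers the page's own scripts depend on.
function findClobberingNames(html, reservedGlobals) {
  const reserved = new Set(reservedGlobals);
  return collectNamedProps(html).filter((p) => reserved.has(p.value)).map((p) => p.value);
}

// Namespace isolation: every id/name becomes prefix + value, so script globals (which never
// start with the prefix) cannot be shadowed by the inserted markup.
function isolateNamedProps(html, prefix = 'user-content-') {
  return html.replace(TAG, (whole, name, attrs) => {
    const rewritten = attrs.replace(NAMED_ATTR, (m, attr, dq, sq, bare) => `${attr}="${prefix}${dq ?? sq ?? bare}"`);
    return `<${name}${rewritten}>`;
  });
}

// Constructed sample: user-supplied markup whose id/name values target two globals the script uses.
const UNTRUSTED_HTML =
  '<a id="appConfig" href="https://attacker.example/x">x</a>' +
  '<img name="loadScript" src="a.png">' +
  '<p id="intro">hello</p>';
const SCRIPT_GLOBALS = ['appConfig', 'loadScript', 'render']; // assumed names, not from the page

console.log(findClobberingNames(UNTRUSTED_HTML, SCRIPT_GLOBALS)); // [ 'appConfig', 'loadScript' ]
console.log(isolateNamedProps(UNTRUSTED_HTML));
```

Prefixing also changes fragment links and CSS selectors that target those ids, so the rest of the page has to use the same prefix.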
A detailed wiki on the attack, the tool TheThing, and an automated browser check are available at: https://domclob.xyz/