Under the radar
Khodayari, who conducts research in the group of CISPA faculty Dr. Giancarlo Pellegrino, was the first to investigate how many HTML markup elements can be abused in this way and how many websites have corresponding vulnerabilities. "We were surprised by the extent of the problem: Our evaluation shows that the attack surface is vast. In the top 5000 websites, we found around 9500 vulnerable data flows on 491 affected websites, including popular sites such as Fandom, Trello, Vimeo, TripAdvisor, WikiBooks, or GitHub, which are not vulnerable via traditional attack routes."
Does this mean we are defenseless in the face of DOM clobbering? "No. We can do something about it," says Khodayari. "Our tool, TheThing, is available to website owners and developers and can show them where their sites have vulnerabilities. In addition, TheThing helps scientists tremendously to further investigate this area. We have also looked closely at the vulnerable code discovered by our tool, identified common mistakes made by developers, and created a list of secure coding patterns and guidelines for them. We have also submitted a patch to the famous HTML sanitizer, DOMPurify, to enforce strict DOM clobbering protection (through namespace isolation). Another helpful step could be an adaptation of the security mechanism CSP. For this, we are in exchange with the World Wide Web Consortium (W3C). However, there is still work to be done."
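The "common mistakes" and "secure coding patterns" Khodayari refers to are not spelled out in this article, so the following is an added illustration written for this page; it is not code from the CISPA paper, from TheThing or from DOMPurify. It shows the one pattern that underlies most DOM clobbering bugs: a script reads a global such as `window.config` and trusts whatever it finds, while an injected element whose `id` or `name` matches can stand in for that global. The helper names, the `root` object (a stand-in for `window` so the code runs under Node without a DOM) and the sample values are all constructed for the example.

```javascript
// Added example (not from the CISPA study or TheThing): a risky global
// lookup beside a hardened one. `root` models `window`; the objects below
// model what a browser exposes when an element clobbers a global name.

const DEFAULTS = Object.freeze({ apiBase: "/api", debug: false });

// A clobbered global resolves to an Element, or to an HTMLCollection when
// several elements share the name. Recognise both by shape, since Node has
// no DOM types. In a browser the direct check is
// `value instanceof Node || value instanceof HTMLCollection`.
function looksLikeDomValue(value) {
  if (value === null || typeof value !== "object") return false;
  if (typeof value.nodeType === "number") return true; // Element / Node
  return typeof value.namedItem === "function" && typeof value.item === "function"; // HTMLCollection
}

// The risky pattern: a truthiness check on a global. An injected
// <a id="config"> is truthy, so it is taken as the configuration object.
function loadConfigUnsafe(root) {
  return root.config || DEFAULTS;
}

// Hardened lookup: require a plain object and reject anything DOM-shaped.
function resolveGlobal(root, name) {
  const value = root[name];
  if (looksLikeDomValue(value)) return undefined;
  if (value === null || typeof value !== "object") return undefined;
  return value;
}

function loadConfigSafe(root) {
  const cfg = resolveGlobal(root, "config");
  return cfg ? { ...DEFAULTS, ...cfg } : DEFAULTS;
}

// Constructed stand-ins for window states:
//  - a single element clobbering `config`
//  - two elements with the same name, exposed as a collection
//  - a legitimately declared configuration object
const clobberedRoot = { config: { nodeType: 1, tagName: "A", id: "config" } };
const collectionRoot = { config: { length: 2, item() {}, namedItem() {} } };
const legitRoot = { config: { apiBase: "https://example.test/api" } };

// Returns which loader accepted the injected element, for a quick self-check.
function compareLoaders(root) {
  return {
    unsafeAcceptsElement: looksLikeDomValue(loadConfigUnsafe(root)),
    safeAcceptsElement: looksLikeDomValue(loadConfigSafe(root)),
  };
}
```

The shape check is the portable part; the stronger guideline is to declare every global the script relies on explicitly (for example with a `var` or a property defined on `window` before any untrusted markup is parsed), because an own property on `window` takes precedence over element named access, which is the same principle DOMPurify's namespace isolation enforces on the sanitizer side.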
A detailed wiki on the attack, the tool TheThing, and an automated browser check are available at: https://domclob.xyz/