Zhengyu Liu, Theo Lee, Jianjia Yu, Zifeng Kang, and Yinzhi Cao, Johns Hopkins University
DOM Clobbering is a type of code-reuse attack on the web that exploits naming collisions between DOM elements and JavaScript variables for malicious consequences such as Cross-site Scripting (XSS). An important step of DOM clobbering is the usage of "gadgets", which are code snippets in existing JavaScript libraries that allow attacker-injected, scriptless HTML markups to flow to sinks. To the best of our knowledge, there is only one prior work on detecting DOM clobbering gadgets. However, it adopts a set of predefined HTML payloads, which fail to discover DOM clobbering gadgets with complex constraints that have never been seen before.
In this paper, we present Hulk, the first dynamic analysis framework to automatically detect and exploit DOM Clobbering gadgets. Our key insight is to model attacker-controlled HTML markups as Symbolic DOM—a formalized representation to define and solve DOM-related constraints within the gadgets—so that it can be used to generate exploit HTML markups. Our evaluation of Hulk against Tranco Top 5,000 sites discovered 497 exploitable DOM Clobbering gadgets that were not, and cannot be, identified by prior work. Examples of our findings include popular client-side libraries, such as Webpack and the Google API client library, both of which have acknowledged and patched the vulnerability. We further evaluate the impact of our newly-found, zero-day gadgets through successful end-to-end exploitation against widely-used web applications, including Jupyter Notebook/JupyterLab and Canvas LMS, with 19 CVE identifiers being assigned so far.
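The gadget pattern the abstract describes, as an added example that is not code from the paper or from any library it names: a script that falls back to an undefined global gets that global resolved to an injected element instead, and `String()` coercion turns the element into its attacker-chosen `href`. Node has no DOM, so `makeWindow` and `FakeAnchor` are constructed stand-ins for the browser's named-property lookup, and `assetBase` is a hypothetical global name.

```javascript
'use strict';

// Constructed stand-in for an HTMLAnchorElement: id drives named lookup,
// and the element stringifies to its href, as the real element does.
class FakeAnchor {
  constructor(id, href) { this.nodeType = 1; this.tagName = 'A'; this.id = id; this.href = href; }
  toString() { return this.href; }
}

// Constructed stand-in for window: a script-defined global wins; otherwise an
// element whose id matches the name is returned (the naming collision).
function makeWindow(scriptGlobals, namedElements) {
  return new Proxy({ ...scriptGlobals }, {
    get(target, name) {
      if (name in target) return target[name];
      return namedElements.find((el) => el.id === name); // undefined if no match
    },
  });
}

// Gadget: a default is only used when the global is falsy, so a clobbering
// element passes through and reaches a script-loading sink as a string.
function vulnerableScriptUrl(win) {
  const base = win.assetBase || '/static/';
  return String(base) + 'app.js';
}

// Detection check: a DOM node where a string or plain object was expected.
function isDomNode(v) {
  return v !== null && typeof v === 'object' && typeof v.nodeType === 'number';
}

// Hardened form: reject anything that is not a string instead of coercing it.
function hardenedScriptUrl(win) {
  const base = win.assetBase;
  if (base !== undefined && typeof base !== 'string') {
    const why = isDomNode(base) ? 'clobbered by a DOM element' : 'not a string';
    throw new TypeError('assetBase ' + why);
  }
  return (base === undefined ? '/static/' : base) + 'app.js';
}

// Constructed scenario: no script defines assetBase, but injected markup
// <a id="assetBase" href="https://attacker.invalid/"> is in the document.
const injected = [new FakeAnchor('assetBase', 'https://attacker.invalid/')];
const cleanWin = makeWindow({}, []);
const clobberedWin = makeWindow({}, injected);

console.log(vulnerableScriptUrl(cleanWin));     // /static/app.js
console.log(vulnerableScriptUrl(clobberedWin)); // https://attacker.invalid/app.js
```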
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.