hunt-dom


HUNT-DOM — DOM Clobbering / PostMessage / Service Worker / CSS Exfil

Crown Jewel Targets

DOM-based attacks execute in the victim's browser — the server often never sees the payload, so WAFs and server-side input filters do not apply. A postMessage handler with no origin check means cross-origin token theft with no XSS needed.

Highest-value chains:

  • DOM Clobbering → DOM-XSS / auth bypass — HTML markup injection (no <script>) overwrites a JS global like window.config or shadows document.getElementById; when the app later treats that value as a URL or code, the sink fires from a markup-only injection even where script is filtered.
  • PostMessage no origin check → session theft / DOM-XSS — a message handler that trusts event.data without validating event.origin lets an attacker-controlled iframe or opener drive privileged actions or feed a sink.
  • Service Worker abuse — register a same-origin SW script (reachable because of an upload, open redirect, or path the target already serves) via stored XSS → intercept all in-scope fetch requests → persistent credential capture.
  • CSS Exfil — attribute-value selectors (input[value^="a"]) leak a CSRF token / API key / nonce char-by-char to an OOB host with zero JS.
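
The PostMessage chain above, seen from the defender's side, as an added example that is not code from the hunt-dom skill: the handler that trusts event.data without checking event.origin, beside a hardened one, run against constructed message events under Node. The app origin app.example.com, the sender origins, and the {type, url} message shape are assumptions.

```javascript
// Added example, not part of hunt-dom: a postMessage handler that trusts
// event.data without checking event.origin, beside a hardened version.
// Origins, message shape and the recorder "sink" are assumptions.
const APP_ORIGIN = "https://app.example.com";   // assumed app origin
const TRUSTED_ORIGINS = new Set([APP_ORIGIN]);  // exact-match allow-list

// Vulnerable: any window that can reach this one (opener, embedded iframe)
// can send {type:"navigate", url:...} and the navigation sink fires.
function vulnerableHandler(sink) {
  return function onMessage(event) {
    const msg = event.data;
    if (msg && msg.type === "navigate") {
      sink.push({ action: "location.href", value: msg.url });
    }
  };
}

// Hardened: (1) exact origin allow-list, never origin.includes()/endsWith(),
// which "https://app.example.com.attacker.example" would pass; (2) schema
// check on the structured message; (3) resolve the URL and require the
// app's own origin so only same-origin navigations reach the sink.
function hardenedHandler(sink, trusted = TRUSTED_ORIGINS) {
  return function onMessage(event) {
    if (!trusted.has(event.origin)) return;
    const msg = event.data;
    if (!msg || typeof msg !== "object" || msg.type !== "navigate") return;
    if (typeof msg.url !== "string") return;
    let target;
    try { target = new URL(msg.url, APP_ORIGIN); } catch { return; }
    if (target.origin !== APP_ORIGIN) return;
    sink.push({ action: "location.href", value: target.href });
  };
}

// Feed constructed events to a handler and return what reached the sink.
function simulate(makeHandler, events) {
  const sink = [];
  const handler = makeHandler(sink);
  for (const ev of events) handler(ev);
  return sink;
}

// Constructed sample messages (not captured traffic).
const SAMPLE_EVENTS = [
  { origin: "https://attacker.example", data: { type: "navigate", url: "https://attacker.example/landing" } },
  { origin: APP_ORIGIN, data: { type: "navigate", url: "/dashboard" } },
  { origin: APP_ORIGIN, data: { type: "navigate", url: "https://attacker.example/landing" } },
  { origin: "https://app.example.com.attacker.example", data: { type: "navigate", url: "/dashboard" } },
  { origin: "https://attacker.example", data: "hello" },
];
```

Against the same five events the vulnerable handler lets four navigations through (including the suffix-matched origin and the cross-origin target), while the hardened one admits only the trusted-origin, same-origin "/dashboard" message.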

Grounding — public research this is distilled from

  • DOM Clobbering / DOM-Invader — Gareth Heyes & the PortSwigger Web Security Academy "DOM clobbering" topic; DOM-Invader ships a dedicated clobbering scanner. Sink taxonomy maps to the academy's DOM-based vulnerability labs.
  • DOMPurify clobbering & mXSS bypasses — Michał Bentkowski (Securitum) blog series on bypassing HTML sanitizers via clobbering and mutation XSS.
  • jQuery htmlPrefilter self-closing-tag XSS — CVE-2020-11022 and CVE-2020-11023 (jQuery < 3.5.0). Passing attacker-controlled HTML to .html() / .append() mutates it into executing markup. Grep the bundled jQuery version; this is one of the most common real-world DOM-XSS roots.
  • CSS exfiltration — d0nut "CSS Injection Attacks" / "Stealing Data With CSS" research (sequential @import recursion to drop the per-char-position constraint).

Cite only what you reproduce. Do not paste these as "proof" in a report — your PoC against the live target is the evidence. Named research here is for technique provenance, not severity inflation.

Installs: 9 · GitHub Stars: 2.6K · First Seen: Jun 5, 2026
hunt-dom — elementalsouls/claude-bughunter