dom-clobbering-anti-pattern


DOM Clobbering Anti-Pattern

Severity: Medium

Summary

DOM Clobbering overwrites global JavaScript variables via attacker-controlled HTML. Browsers auto-create global variables from id and name attributes. This enables logic bypasses, XSS, and security control evasion, and it bypasses HTML sanitizers that allow id and name.

The Anti-Pattern

Application JavaScript relies on global variables that HTML injection overwrites. Code expects legitimate objects but receives DOM element references instead.

BAD Code Example

// VULNERABLE: Using a global variable that can be clobbered.

// Imagine this HTML is injected into the page by an attacker:
// <div id="appConfig"></div>
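
An added example, not part of the original skill file: the vulnerable global read beside a hardened one that rejects DOM references. Only appConfig comes from the page; the scriptUrl and debug fields, the allow-list and all function names are assumptions, and the clobbered element is a constructed stand-in so the code also runs outside a browser.

```javascript
// Added example; appConfig comes from the page, every other name is hypothetical.
const DEFAULTS = Object.freeze({ scriptUrl: "/static/app.js", debug: false });
const ALLOWED_SCRIPTS = new Set(["/static/app.js", "/static/app.debug.js"]);

// Constructed stand-in for the element reference a browser exposes as
// window.appConfig once <div id="appConfig"></div> is in the document.
function makeClobberedWindow() {
  return { appConfig: { nodeType: 1, tagName: "DIV", id: "appConfig" } };
}

// VULNERABLE: any truthy global is accepted, so the element replaces the config.
function loadConfigUnsafe(win) {
  return win.appConfig || DEFAULTS;
}

// True for DOM nodes and collections. instanceof is tried first; duck-typing
// covers nodes from other frames and environments without DOM globals.
function isDomLike(value) {
  if (value === null || typeof value !== "object") return false;
  if (typeof Node !== "undefined" && value instanceof Node) return true;
  if (typeof HTMLCollection !== "undefined" && value instanceof HTMLCollection) return true;
  return typeof value.nodeType === "number" || typeof value.item === "function";
}

// HARDENED: accept only a plain object, then copy validated fields one by one.
function loadConfigSafe(win) {
  const candidate = win.appConfig;
  if (candidate === undefined) return { ...DEFAULTS };
  if (candidate === null || typeof candidate !== "object" || isDomLike(candidate) ||
      Object.getPrototypeOf(candidate) !== Object.prototype) {
    throw new TypeError("appConfig is not a plain object (possible DOM clobbering)");
  }
  const config = { ...DEFAULTS };
  if (ALLOWED_SCRIPTS.has(candidate.scriptUrl)) config.scriptUrl = candidate.scriptUrl;
  if (typeof candidate.debug === "boolean") config.debug = candidate.debug;
  return config;
}
```

Keeping configuration in a module-scoped constant instead of on the global object avoids the lookup that id and name attributes can shadow.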
First Seen
Feb 19, 2026