Presented at DEF CON 33 (2025), Aug. 9, 2025, 11 a.m. (45 minutes).
DOM Clobbering is a type of code-reuse attack on the web that exploits naming collisions between DOM elements and JavaScript variables for malicious consequences, such as Cross-site Scripting.
In this talk, we present a novel systematization of DOM Clobbering exploitation in four stages, integrating existing techniques while introducing new clobbering primitives. Based on this foundation, we introduce Hulk, the first dynamic analysis tool to automatically detect DOM Clobbering gadgets and generate working exploits end-to-end.
Our evaluation revealed an alarming prevalence of DOM Clobbering vulnerabilities across the web ecosystem. We discovered 497 zero-day DOM Clobbering gadgets in the Tranco Top 5,000 sites, affecting popular client-side libraries, including Google Client API, Webpack, Vite, Rollup, and Astro—all of which have since acknowledged and patched the issue.
To complete our exploitation chain, we further study its trigger, the HTML Injection vulnerability. Our systematic analysis of HTML Injection uncovered over 200 websites vulnerable to it. By combining them with our discovered gadgets, we demonstrated complete attack chains in popular applications like Jupyter Notebook/JupyterLab, HackMD.io, and Canvas LMS. This research has resulted in 19 CVE identifiers being assigned to date.
Presenters:
- Zhengyu Liu
Zhengyu Liu is a Ph.D. student in Computer Science at Johns Hopkins University, advised by Prof. Yinzhi Cao. His research focuses on Web Security, with an emphasis on systematic vulnerability study through automated program analysis techniques, including static/dynamic analysis and LLM-integrated approaches. His first-author work has been published in top-tier venues such as IEEE S&P 2024 and USENIX Security 2025, and has received the Best Student Paper Award at ICICS 2022. His research has led to the discovery of many zero-day vulnerabilities in widely used software such as Azure CLI, Google Client API Library, and Jupyter Notebook/JupyterLab, resulting in over 30 CVEs in popular open-source projects (>1K stars on GitHub) and acknowledgments from Microsoft, Google, Meta, and Ant Group.
- Jianjia Yu
Jianjia Yu is a Ph.D. student at Johns Hopkins University. Her research focuses on the security and privacy of web and mobile applications, using program analysis. She received a Distinguished Paper Award at CCS 2023 for her work on browser extension vulnerabilities.