web javascript dom-clobbering xss named-properties configuration

Inject named elements so JS reads attacker-controlled config or callbacks from document/form named properties.

DOM Clobbering to Hijack a Data Source or Callback

Some DOM collections and named elements are exposed as properties on document or forms. Injected HTML can therefore replace what JS thinks is a configuration object or callback source.

Why It Works

  • Legacy named-property access (document.forms.<name>, ID/name lookups) returns the element you injected instead of the expected trusted object.

Vulnerable Pattern

  • Legacy DOM property access by name, document.forms.<name>, element ID/name lookups, or code reading data attributes from a clobberable element reference.

Exploit Flow

  1. Find which named property or node the page expects to exist.
  2. Inject an element with matching id/name and attacker-controlled data-* attributes or children.
  3. Let page logic consume the clobbered element as trusted configuration.

Variations

  • Clobber forms, iframes, anchors, images, or arrays of named items depending on the lookup semantics.

Common Blockers

  • Modern code using querySelector on trusted roots, or explicit instanceof checks before use.

PoC Sketch

<form name="directory" data-source="/evil" data-callback="alert"></form>

Good Situations To Use It

  • The page reads config/callbacks via named DOM lookups.
  • You can inject markup with chosen id/name.
  • No instanceof/trusted-root guard exists.
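
The guard named under Common Blockers, shown beside the unguarded lookup. This is an added example, not code from the source challenge. It assumes the app renders its own `directory` form under an element with id `app-root` that holds no user-controlled markup. `FormNode`, `makeDocument`, `app-root`, `renderList` and `/api/directory` are hypothetical names.

```javascript
// Added example. FormNode and makeDocument are constructed stand-ins so this runs in Node;
// in a browser the type guard would be `instanceof HTMLFormElement`.
class FormNode { constructor(name, dataset) { this.name = name; this.dataset = dataset; } }

// Callbacks and sources come from fixed allowlists, never from window[name] or raw attributes.
const CALLBACKS = { renderList: (rows) => `rendered ${rows.length} rows` };
const ALLOWED_SOURCES = new Set(['/api/directory']);

// Builds a document-like object; `injected` models markup placed earlier in tree order.
function makeDocument(injected) {
  const appForm = new FormNode('directory', { source: '/api/directory', callback: 'renderList' });
  const root = { querySelector: (sel) => (sel === 'form[name="directory"]' ? appForm : null) };
  const forms = Object.create(null);
  // Named lookup on a collection returns the first match in tree order.
  for (const f of [...injected, appForm]) if (!(f.name in forms)) forms[f.name] = f;
  return { forms, getElementById: (id) => (id === 'app-root' ? root : null) };
}

// Vulnerable: trusts whatever element the named lookup returns.
function readConfigVulnerable(doc) {
  const el = doc.forms.directory;
  return { source: el.dataset.source, callback: el.dataset.callback };
}

// Hardened: scoped lookup under a root the app rendered, type check, then value allowlists.
function readConfigHardened(doc) {
  const root = doc.getElementById('app-root');
  const el = root && root.querySelector('form[name="directory"]');
  if (!(el instanceof FormNode)) throw new TypeError('directory config missing or wrong type');
  const { source, callback } = el.dataset;
  if (!ALLOWED_SOURCES.has(source)) throw new Error('source not allowlisted');
  if (!Object.prototype.hasOwnProperty.call(CALLBACKS, callback)) {
    throw new Error('callback not allowlisted');
  }
  return { source, callback: CALLBACKS[callback] };
}

// The page's PoC form, as constructed sample input.
const pocForm = new FormNode('directory', { source: '/evil', callback: 'alert' });
const sampleDoc = makeDocument([pocForm]);
console.log(readConfigVulnerable(sampleDoc));       // values taken from the injected form
console.log(readConfigHardened(sampleDoc).source);  // value from the app's own form
```

The type check alone does not help when the injected element is also a form; the scoped root and the value allowlists are what keep the injected `data-*` values out.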

Sources

  • labossi_2026/web/trusted_support