Talk:DOM clobbering

DOM clobbering has been listed as one of the Engineering and technology good articles under the good article criteria. If you can improve it further, please do so. If it no longer meets these criteria, you can reassess it. Review: March 23, 2024. (Reviewed version).

A fact from DOM clobbering appeared on Wikipedia's Main Page in the Did you know column on 13 December 2023 (check views). The text of the entry was as follows: Did you know... that DOM clobbering attacks can take over your website? A record of the entry may be seen at Wikipedia:Recent additions/2023/December. The nomination discussion and review may be seen at Template:Did you know nominations/DOM Clobbering.

Wikipedia

This article is rated GA-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Computer Security: Computing Low‑importance This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. Low This article has been rated as Low-importance on the project's importance scale. This article is supported by WikiProject Computing. Things you can help WikiProject Computer Security with: Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information... Answer question about Same-origin_policy Review importance and quality of existing articles Identify categories related to Computer Security Tag related articles Identify articles for creation (see also: Article requests) Identify articles for improvement Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc. Find editors who have shown interest in this subject and ask them to take a look here. Computer science Low‑importance This article is within the scope of WikiProject Computer science, a collaborative effort to improve the coverage of Computer science related articles on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. Low This article has been rated as Low-importance on the project's importance scale. Things you can help WikiProject Computer science with: Here are some tasks awaiting attention: Article requests : Requested articles/Applied arts and sciences/Computer science, computing, and Internet Cleanup : Computer science articles needing attention Computer science articles needing expert attention Copyedit : Computing Expand : Computer science Infobox : Computer science articles without infoboxes Maintain : Timeline of computing 2020–present Photo : Find pictures for the biographies of computer scientists (see List of computer scientists) Computing articles needing images Stubs : Computer science stubs Unreferenced : WikiProject Computer science/Unreferenced BLPs Project-related : Tag all relevant articles in Category:Computer science and sub-categories with {{WikiProject Computer science}}

Did you know nomination

Latest comment: 5 months ago4 comments3 people in discussion

The following is an archived discussion of the DYK nomination of the article below. Please do not modify this page. Subsequent comments should be made on the appropriate discussion page (such as this nomination's talk page, the article's talk page or Wikipedia talk:Did you know), unless there is consensus to re-open the discussion at this page. No further edits should be made to this page.

The result was: promoted by Bruxton talk 22:25, 5 December 2023 (UTC)Reply

(

• Comment or view
• Article history

)

• ... that DOM clobbering attacks can take over your website? Source: https://ieeexplore.ieee.org/document/10179403
  • ALT1: ... that DOM clobbering attacks can execute arbitrary code on your website? Source: https://ieeexplore.ieee.org/document/10179403
  • ALT2: ... that DOM clobbering attacks can turn benign HTML code into arbitrary code execution? Source: https://ieeexplore.ieee.org/document/10179403
  • Reviewed: Template:Did you know nominations/NYT_first_said
  • Comment: A free version of the cited paper is available at https://publications.cispa.saarland/3756/1/sp23_domclob.pdf (from the authors themselves) in case the IEEE links are inaccessible.

5x expanded by Sohom Datta (talk). Self-nominated at 20:01, 9 November 2023 (UTC). Post-promotion hook changes for this nom will be logged at Template talk:Did you know nominations/DOM Clobbering; consider watching this nomination, if it is successful, until the hook appears on the Main Page.Reply

  Doing... Clyde _{[trout needed]} 19:47, 11 November 2023 (UTC)Reply

General: Article is new enough and long enough
New enough:   Long enough:

Policy: Article is sourced, neutral, and free of copyright problems
Adequate sourcing:   Neutral:   Free of copyright violations, plagiarism, and close paraphrasing:

Hook: Hook has been verified by provided inline citation
Cited:   Interesting:

QPQ: Done.

Overall:   Sohom Datta, good work. I'd say ALT0 is the most "hooky", but all are fine. Clyde _{[trout needed]} 19:56, 11 November 2023 (UTC)Reply

Comments from Maury Markowitz

Latest comment: 4 months ago4 comments2 people in discussion

The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

---

@Sohom Datta: This is not a full review, but I have some comments for things that I think need to be addressed:

• in the Vulnerability section, there is no explanation of how this attack works. It does describe how it is set up, by inserting HTML with the same name as a variable. But it is entirely unexplained how one might inject the HTML to do this, nor how this assignment might be used.
• the Threat model section states that it "depends on the attacker being able to inject potentially benign HTML into a website", but again, fails to mention how this might happen. It also says it is similar to another attack, but the description of that appears to be "getting user to click on an URL", and I'm not sure exactly how this paper is directly related to this topic.
• I would suggest that History be the first sub-section, as it introduces a number of terms and gives some specific examples.

Maury Markowitz (talk) 17:07, 4 December 2023 (UTC)Reply

@Maury Markowitz I have tried to address your concerns

• I've added some context as to how this attack uses the assignment of the variable to influence code execution.
• I've added a example section to give a small example of how the attack might look like
• I've updated the threat model to explain how a attack could inject markup into the page, I don't think it is compared to another attack, we just say that the 'threat model' being considered for this attack is similar to that which would be expected in a classical 'web attacker threat model'
• The paper (Towards a Formal Foundation of Web Security) was one of the first papers to formally define what a 'web attacker threat model' actually is. (which is why it is cited right after the discussion regarding the model). The JSAgents/DOMPurify paper references the model, but does not delve into what it actually is (AFAIR)
• I've moved the History section to the top.

Let me know if you have any other concerns. Sohom (talk) 19:37, 4 December 2023 (UTC)Reply

@Maury Markowitz (Friendly re-ping) Let me know if there are any other things that I should address :)

Also, just a heads up, I might have some reduced availiability next week for personal reasons :) Sohom (talk) 19:31, 6 December 2023 (UTC)Reply

@Sohom Datta: Excellent update, my issues have been resolved! Maury Markowitz (talk) 17:33, 18 December 2023 (UTC)Reply

The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

GA Review

Latest comment: 1 month ago8 comments3 people in discussion

The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

---

GA toolbox
Copyvio detector Authorship External links
Reviewing
Templates Criteria Instructions

This review is transcluded from Talk:DOM clobbering/GA1. The edit link for this section can be used to add comments to the review.

Reviewer: Elli (talk · contribs) 21:18, 19 February 2024 (UTC)Reply

Claiming this review. Will go through the article in the next few days. Elli (talk | contribs) 21:18, 19 February 2024 (UTC)Reply

@Elli are you going to work on this? RoySmith (talk) 16:57, 4 March 2024 (UTC)Reply

Sorry, just been caught up with a lot of stuff the past few weeks and haven't gotten the chance to sit down for an in-depth review. I am still planning to do this soon. Elli (talk | contribs) 17:31, 4 March 2024 (UTC)Reply

History

• In 2015, Heiderich et al. proposed a design for a library called JSAgents, (later DOMPurify) that would be effective at sanitizing markup injection attacks such as those related to cross-site scripting and DOM clobbering. do you have secondary sources for this?

I've added another source :)

• Third paragraph relies mainly on primary sources and a corporate blog post; is there anything better that could be used here?

The blog post is a guest post by Gareth Heyes, who is a subject matter expert and PortSwigger is a fairly well-known (in the field) web-security-research-oriented company that regularly features posts from experts on their blog. I personally would consider that source to be fairly reliable.

I'll try to see if I can get any reporting on the rest, however, this might be a bit difficult since such proposals rarely make it into traditional RS

• In general, this section might belong below the "Vulnerability" section? The content here (especially in the first paragraph) doesn't make a lot of sense if you don't understand what the vulnerability is.

Done :)

@Sohom Datta: I am very sorry for the delay in starting this review. I'll get to the other sections soon. Elli (talk | contribs) 19:16, 4 March 2024 (UTC)Reply

No issues, feel free to take your time :) Sohom (talk) 15:12, 5 March 2024 (UTC)Reply

Vulnerability

• Looks good, though could you point out the particular pages of "Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets" that verify the relevant content?

  Done

Example

• Specifying the page here would also be good.

  Done

Threat model

• The threat model for a DOM clobbering attack is similar to that of the web attacker model proposed by Akhawe et al. in 2010. that model hasn't been explained and isn't linked here.

The next sentence goes into the highlights of the model that are relevant to the article. Describing the whole model wouldn't be relevant to the page and I don't think we have a article for this specific model. (Hopefully once we have better coverage of this subject area, we should be able to tease out a article for it)

Defenses

• While the optimal defence against DOM clobbering would be to turn off access to named DOM elements, this is currently not feasible due to the significant active usage of these features as per Chrome telemetry data in 2021. not sure that a comment on GitHub is sufficient to establish this.

Added cite

• Maybe expand this section a bit more in general? Proper sanitation would completely mitigate this, right? (Even if no libraries exist to do so.) snyk at least indicates that using proper scoping can help and is an easy mitigation; that probably should be mentioned.

Snyk is being a bit optimistic here. However, there does seem to be some scope for expansion.

Lead

• This can lead to a skilled attacker being able to perform a variety of unwanted behaviours I'd change the wording here to be a bit clearer, such as This enables a skilled attacker to perform a variety of unwanted behaviours -- more concise.

  Done

• recent efforts to mitigate it completely have been unsuccessful due to a significant amount of usage of the underlying features across the web as of 2021 again I'd want a better cite in the body for this than a comment on GitHub.

Ditto

Overall

• This article is in pretty decent shape. Would suggest adding more specific pagenumbers to the sources (such as with {{rp}} or similar) to make verification easier. (If you do not want to do that, I would appreciate you providing the locations to me at least for easier verification.)

  Done

@Sohom Datta: I've finished the initial review. I am so sorry for the long delay in getting to all of this. Elli (talk | contribs) 20:04, 9 March 2024 (UTC)Reply

The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.