DOM Clobbering is a technique where HTML elements with specific id or name attributes can overwrite global JavaScript variables or DOM properties. This happens because browsers automatically create global references to elements with IDs, which can conflict with expected JavaScript objects.
When an HTML element has an id attribute, browsers create a global variable with that name pointing to the element. If JavaScript code expects a certain global variable or property to exist, an attacker can inject HTML that "clobbers" (overwrites) that variable with an HTML element.
Clobbering a security check:
// Expected behavior: config.isAdmin should be undefined or false
if (config && config.isAdmin) {
showAdminPanel();
}
// Attacker injects:
<form id="config"><input id="isAdmin" value="1"></form>
// Now config.isAdmin returns the input element (truthy)window.name, document.bodyconst/let instead of relying on global variablestypeof of objects before use