TheThing
Website | Docs | Quick Start | DOM Clobbering
A static-dynamic security analysis tool for DOM clobbering vulnerabilities based on JAW-v1 and Iroh. TheThing can be used for analyzing the client-side of web applications.
Note: The source code of TheThing has been merged with JAW, resulting in JAW-v2. Accordingly, this repository now uses JAW-v2 as a git submodule.
This project is available as open source under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE V3.0
. See LICENSE for more information.
TheThing has a website available at https://soheilkhodayari.github.io/DOMClobbering.
- DOM Clobbering
- Overview of TheThing
- Installation
- Running
- Further Documentation
- Contribution and Code of Conduct
- Academic Publication
DOM Clobbering is an attack technique where the attacker achieves arbitrary client-side code execution by injecting a non-script HTML markup into a vulnerable webpage and transform the initially secure markup into executable code.
DOM Clobbering originates from a naming collision between JavaScript variables and named HTML markups, where attackers confuse the web application by injecting HTML elements whose id
or name
attribute matches the name of security-sensitive variables, such as variables used for fetching remote content (e.g., script src
).
For more information, See here.
TheThing comprises three building block components:
- Web Crawler: given a single seed URL of a webapp under test, collects its webpages' resources (e.g., scripts).
- Static Analyzer: detects DOM Clobbering sources and sinks and potential data flows among them.
- Dynamic Analyzer: checks the clobberability of the identified sources, and the data flows.
The architecture of the TheThing is shown below.
The source code of TheThing has been merged with JAW, resulting in JAW-v2. As such, this repository now uses JAW-v2 as a git submodule.
To clone TheThing and its submodule JAW-v2.x
, you can do:
$ git clone --recurse-submodules https://github.com/SoheilKhodayari/TheThing
Alternatively, do:
$ git clone https://github.com/SoheilKhodayari/TheThing
$ cd TheThing
$ git clone https://github.com/SoheilKhodayari/JAW --branch v2.0.4
Then, copy the JAW's content into the root directory:
$ cp -rf ./JAW/* ./
Finally, get the necessary dependencies via:
$ ./install.sh
This will install the required npm
and python
libraries, and the chromium
driver.
Note: You can also download the pre-packaged code from the releases section or the stable branch.
You can run an instance of the pipeline in a background screen via:
$ screen -dmS s1 bash -c 'python3 -m run_domclobbering --conf=config.domclobbering.yaml; exec sh'
The CLI provides the following options:
$ python3 -m run_domclobbering -h
usage: run_domclobbering.py [-h] [--conf FILE] [--site SITE] [--list LIST] [--from FROM] [--to TO]
This script runs the tool pipeline.
optional arguments:
-h, --help show this help message and exit
--conf FILE, -C FILE pipeline configuration file. (default: config.domclobbering.yaml)
--site SITE, -S SITE website to test; overrides config file (default: None)
--list LIST, -L LIST site list to test; overrides config file (default: None)
--from FROM, -F FROM the first entry to consider when a site list is provided; overrides config file (default: -1)
--to TO, -T TO the last entry to consider when a site list is provided; overrides config file (default: -1)
Configuration: TheThing expects a .yaml
config file as input. See config.domclobbering.yaml for an example.
Running Building Blocks: For documentation on how to run each building block of the tool individually, see here.
For any questions, suggestions, feedback or concerns, please raise an issue in the repository.
Bug reports and pull requests are more than welcomed on GitHub. For more information, please refer to contribution guidelines.
This project is intended to be a safe, welcoming space, and contributors are expected to adhere to the contributor code of conduct.
Please refer to the complete documentation in docs.
If you use the TheThing for academic research, we encourage you to cite the following paper:
@inproceedings {SKhodayariSP23TheThing,
author = {Soheil Khodayari and Giancarlo Pellegrino},
title = {It's (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses,
booktitle = {To Appear at proceedings of the 44th IEEE Symposium on Security and Privacy},
year = {2023},
}