← vuln-lab catalog

DOM Clobbering

The app trusts window.CONFIG.url as its configuration. But named DOM elements (id/name) leak onto window, so injected markup with id="CONFIG" silently overrides that global — no JavaScript execution required.

(config not loaded yet)

Trigger: inject <a id=CONFIG><a id=CONFIG name=url href=//evil>window.CONFIG.url becomes attacker-controlled.

Detected by: browser_cdp_dom_clobbering_detect