jackfromeast/dom-clobbering-collection

GitHub: jackfromeast/dom-clobbering-collection

A systematically maintained knowledge base of DOM Clobbering exploit chains and HTML injection vulnerabilities in mainstream front-end JavaScript libraries, including usable payloads, CVE identifiers and proof-of-concept environments.

Stars: 48 | Forks: 2

# DOM Clobbering Collection

This repository maintains a list of client-side libraries that have HTML injection vulnerabilities or contain DOM Clobbering gadgets that can lead to serious consequences such as XSS.

The repository is actively maintained by [jackfromeast](https://github.com/jackfromeast) and [ishmeal](https://github.com/ishmeals).

## What is DOM Clobbering?

_DOM Clobbering_ is a code-less injection attack against the web in which the attacker first injects seemingly harmless, script-free HTML markup into a page. The injected markup may later be picked up unexpectedly by JavaScript through named-property lookups on the `window` or `document` object, potentially altering program execution and leading to serious security consequences such as cross-site scripting (XSS) and client-side request forgery (CSRF).

We also recommend the following websites, papers and blog posts on DOM Clobbering:

+ Introductions:
  + The [DOM Clobbering Wiki](https://domclob.xyz/) provides comprehensive information on attack techniques, vulnerability patterns and defenses, along with tools for browser testing and payload generation.
  + Huli's post "[Can HTML affect JavaScript? Introduction to DOM clobbering](https://aszx87410.github.io/beyond-xss/en/ch3/dom-clobbering/)" explains how HTML elements can influence JavaScript execution through DOM Clobbering.
+ Academic papers:
  + The paper [It's (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses](https://publications.cispa.saarland/3756/1/sp23_domclob.pdf) by Soheil Khodayari and Giancarlo Pellegrino presents a systematic study of DOM Clobbering, uncovering attack techniques, browser behaviours and vulnerable code patterns, and evaluating existing defenses.
  + The paper [The DOMino Effect: Detecting and Exploiting DOM Clobbering Gadgets via Concolic Execution with Symbolic DOM]() by Zhengyu Liu et al. introduces a tool that uses symbolic DOM modelling and concolic execution for dynamic analysis, detecting and exploiting DOM Clobbering gadgets at scale.
+ Notable real-world exploits:
  + Michał Bentkowski's post "[XSS in GMail's AMP4Email via DOM Clobbering](https://research.securitum.com/xss-in-amp4email-dom-clobbering/)" details a real-world case of achieving XSS in Gmail's AMP4Email feature through DOM Clobbering.
  + Brett Buerhaus's post "[Go Go XSS Gadgets: Chaining a DOM Clobbering Exploit in the Wild](https://buer.haus/2024/02/23/go-go-xss-gadgets-chaining-a-dom-clobbering-exploit-in-the-wild/)" details how DOM Clobbering vulnerabilities were chained together to carry out an advanced XSS attack.

## DOM Clobbering Gadgets

**Want to try these gadgets?** We provide a website hosting a proof-of-concept page for every DOM Clobbering gadget in our collection. To set it up locally, [click here](https://github.com/jackfromeast/dom-clobbering-collection/tree/main/domc-gadgets-assets).

| Library | Stars | Version | Payloads | Impact | Found By | Status | CVE |
|:-------:|:-----:|:-------:|----------|:------:|:--------:|:------:|:---:|
| [Vite](./domc-gadgets/vite.md) | 67.2K | v5.4.5 | `````` | XSS | TheHulk | Patched | [CVE-2024-45812](https://nvd.nist.gov/vuln/detail/CVE-2024-45812) |
| [Webpack](./domc-gadgets/webpack.md) | 64.4K | v5.93.0 | `````` | XSS | TheHulk | Patched | [CVE-2024-43788](https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986) |
| [Astro](./domc-gadgets/astro.md) | 45.7K | v4.5.9 | `alert(1)` | XSS | TheHulk | Fixed | [CVE-2024-47885](https://github.com/withastro/astro/security/advisories/GHSA-m85w-3h95-hcf9) |
| [layui](./domc-gadgets/layui.md) | 29.5K | v2.9.16 | `````` | XSS | TheHulk | Patched | [CVE-2024-47075](https://github.com/layui/layui/security/advisories/GHSA-j827-6rgf-9629) |
| [rollup](./domc-gadgets/rollup.md) | 25.2K | v4.21.3 | `````` | XSS | TheHulk | Fixed | [CVE-2024-47068](https://github.com/advisories/GHSA-gcx4-mw62-g8wm) |
| [plausible-analytics](./domc-gadgets/plausible-analytics.md) | 19.7K | v2.1.0 | `````` | CSRF | TheHulk | Reported | N/A |
| [plotly.js](./domc-gadgets/plotly.js.md) | 16.9K | v2.35.2 | `````` | CSRF | TheHulk | Reported | N/A |
| [Prism](./domc-gadgets/prism.md) | 12.2K | v1.29.0 | `````` | XSS | TheHulk | Reported | [CVE-2024-53382](https://nvd.nist.gov/vuln/detail/CVE-2024-53382) |
| [MathJax](./domc-gadgets/mathjax2.md) | 10.1K | v2.7.x | ``` ``` | XSS | TheHulk | Accepted | N/A |
| [MathJax](./domc-gadgets/mathjax3.md) | 10.1K | v3.2.2 | `$$\require{tex}$$` | XSS | TheHulk | Accepted | N/A |
| [tsup](./domc-gadgets/tsup.md) | 8.9K | v8.3.4 | `````` | XSS | TheHulk | Reported | [CVE-2024-53384](https://nvd.nist.gov/vuln/detail/CVE-2024-53384) |
| [rspack](./domc-gadgets/rspack.md) | 8.6K | v1.0.0-rc.0 | `````` | XSS | TheHulk | Fixed | [CVE-2024-43788](https://nvd.nist.gov/vuln/detail/CVE-2024-43788) |
| [seajs](./domc-gadgets/seajs.md) | 8.3K | v3.0.3 | `````` | XSS | TheHulk | Reported | [CVE-2024-51091](https://nvd.nist.gov/vuln/detail/CVE-2024-51091) |
| [Google Closure](./domc-gadgets/google-closure-library.md) | 4.9K | v20230103 | `````` | XSS | TheHulk | Accepted | N/A |
| [pagefind](./domc-gadgets/pagefind.md) | 3.3K | v1.1.0 | `````` | XSS | TheHulk | Accepted | [CVE-2024-45389](https://nvd.nist.gov/vuln/detail/CVE-2024-45389) |
| [Mavo](./domc-gadgets/mavo.md) | 2.8K | v0.3.2 | `````` | XSS | TheHulk | Reported | [CVE-2024-53388](https://nvd.nist.gov/vuln/detail/CVE-2024-53388) |
| [cusdis](./domc-gadgets/cusdis.md) | 2.6K | v1.3.0 | `````` | XSS | TheHulk | Reported | [CVE-2024-49213](https://nvd.nist.gov/vuln/detail/CVE-2024-49213) |
| [Stage.js](./domc-gadgets/stage.js.md) | 2.4K | 0.8.10 | `````` | XSS | TheHulk | Reported | [CVE-2024-53386](https://nvd.nist.gov/vuln/detail/CVE-2024-53386) |
| [curl](./domc-gadgets/curl.md) | 1.8K | v0.8.13 | `````` | XSS | TheHulk | Reported | [CVE-2024-49212](https://nvd.nist.gov/vuln/detail/CVE-2024-49212) |
| [inspire.js](./domc-gadgets/inspire.js.md) | 1.7K | v1.10 | `````` | XSS | TheHulk | Reported | N/A |
| [steal](./domc-gadgets/steal.md) | 1.4K | v2.3.0 | `````` | XSS | TheHulk | Accepted | [CVE-2024-45939](https://nvd.nist.gov/vuln/detail/CVE-2024-45939) |
| [UMeditor](./domc-gadgets/umeditor.md) | 1.4K | v1.2.2 | `````` | XSS | TheHulk | Reported | [CVE-2024-53387](https://nvd.nist.gov/vuln/detail/CVE-2024-53387) |
| [squirt](./domc-gadgets/squirt.md) | 1.2K | v0.0.1 | `````` | XSS | TheHulk | Reported | N/A |
| [ckplayer](./domc-gadgets/ckplayer.md) | 1.1K | latest | `````` | XSS | TheHulk | Reported | N/A |
| [polyfills](./domc-gadgets/polyfills.md) | 1.1K | v2.8.0 | `````` | XSS | TheHulk | Reported | N/A |
| [doomcaptcha](./domc-gadgets/doomcaptcha.md) | 1K | latest | `````` | XSS | TheHulk | Reported | N/A |
| [AddToAny](./domc-gadgets/addtoany.md) | N/A | N/A | `````` | XSS | TheHulk | Patched | N/A |
| [Google Client API](./domc-gadgets/google-client-api.md) | N/A | 5BIk7BglYEE | `````` | XSS | TheHulk | Patched | N/A |

## HTML Injection Vulnerabilities

The following libraries accept user input and output content as `type/html`, preserving certain named attributes (such as `id` or `name`) to varying degrees. Using these libraries may expose a web application to HTML injection. The library may insert the user input into the DOM directly, or the web application may take the user input from the library and then add it to the DOM itself.

| Library | Stars | Version | Input | Sanitizer | Capability |
|:-------:|:-----:|:-------:|-------|:---------:|-------------------------|
| [mermaid](./html-injection/mermaid.md) | 70.6K | v0.1.4 | Input | DOMPurify | Any named property without collision |
| [tui.editor](./html-injection/tui-editor.md) | 17.1K | v3.2.2 | Type | DOMPurify | Any named property without collision |
| [TinyMCE-v5/6/7](./html-injection/tinymce.md) | 14.9K | v7.3.0 | Copy&Paste | DOMPurify | Any named property without collision |
| [TinyMCE-v4](./html-injection/tinymce4.md) | 14.9K | v4.9.11 | Copy&Paste | N/A | Any named property |
| [editor.md](./html-injection/editor.md.md) | 13.8K | v1.5.0 | Type | N/A | Any named property |
| [simplemde](./html-injection/simplemde.md) | 9.9K | v1.11.2 | Type | N/A | Any named property |
| [vditor](./html-injection/vditor.md) | 8.3K | v3..6 | Type | N/A | Any named property |
| [Froala](./html-injection/froala.md) | 5.3K | v4.2.2 | Copy&Paste | DOMPurify | Any `name` attributes |
| [Zenpen](./html-injection/zenpen.md) | 3.8K | latest | Copy&Paste | N/A | Any named attributes |
| [editor](./html-injection/editor.md) | 2.8K | v0.1.0 | Type | N/A | Any named property |
| [kindeditor](./html-injection/kindeditor.md) | 1.9K | v4.1.12 | Copy&Paste | N/A | Any named property |
| [SunEditor](./html-injection/sun-editor.md) | 1.7K | v2.47.0 | Copy&Paste | N/A | `a` tag with `id` |
| [RichTextEditor](./html-injection/richtexteditor.md) | N/A | Latest | Copy&Paste | N/A | Any named property |
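The following is an added example, not code from this repository or from any of the libraries listed. It illustrates the defender's side of the named-property lookup described under "What is DOM Clobbering?": why a truthiness check on `window.X` gives no protection once markup with a matching `id`/`name` is present, and how a type check on every global read closes that gap. The `fakeClobbered*` objects are constructed stand-ins for the element and HTMLCollection a browser would return, so the code runs in plain Node.

```javascript
// Added example; not code from the dom-clobbering-collection repository.
// The gadgets above share one root cause: a script reads a global such as
// `window.config`, and injected markup with id="config" or name="config"
// becomes the value of that named property. Below: why `X || default` is no
// protection, and the defender-side fix of type-checking such reads.

// Constructed stand-ins for what a clobbered lookup yields in a browser: an
// element (has nodeType; string coercion of an <a> gives its href) and an
// HTMLCollection (two elements sharing one name resolve to a collection).
const fakeClobberedElement = {
  nodeType: 1,
  tagName: 'A',
  toString: () => 'https://example.invalid/constructed-href',
};
const fakeClobberedCollection = {
  length: 2,
  item: () => fakeClobberedElement,
  namedItem: () => fakeClobberedElement,
};

// Duck-typed so it runs outside a browser (in a page, also test `instanceof Node`).
function looksLikeDomValue(value) {
  if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
    return false;
  }
  return 'nodeType' in value || (typeof value.item === 'function' && 'length' in value);
}

// Vulnerable pattern: truthiness is the only check, so a clobbered element
// or collection passes straight through to whatever consumes it.
function naiveRead(globalObj, name, fallback) {
  return globalObj[name] || fallback;
}

// Hardened read: accept only the expected primitive type. `ok: false` means
// the value was rejected and the fallback used, so the page can log it.
function safeRead(globalObj, name, fallback, expectedType = 'string') {
  const value = globalObj[name];
  if (value === undefined) return { value: fallback, ok: true };
  if (looksLikeDomValue(value) || typeof value !== expectedType) {
    return { value: fallback, ok: false };
  }
  return { value, ok: true };
}

// Audit helper: which of the globals a script depends on currently resolve
// to DOM nodes or collections, i.e. have been clobbered?
function findClobberedGlobals(globalObj, names) {
  return names.filter((n) => looksLikeDomValue(globalObj[n]));
}
```

In a real page, pass `window` (or `document`) as `globalObj`; `findClobberedGlobals(window, [...])` run at startup is a cheap detection check for the gadget pattern listed in the table.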