DOM Clobbering - but with numbers?!
23 Jun 2023. Originally posted on X.
You know how in browser JS, if an element attached to the document has an ID (e.g. "<div id='gal'>"), then "window['gal']" returns that element?
Well, it turns out that the ID can also be a number (e.g. "<div id='0'>"), and that will still find its way onto the window.
Why is this interesting? Because setting anything that isn't a WindowProxy object into the frames array is normally impossible - defining index properties on the Window object is forbidden.
But with this trick, you can find yourself with an item in the frames array that is not a WindowProxy object - but a DOM node instead!
Does this matter for any real use cases? Well, not really.
However, if your project works with the frames array and you assumed its items cannot be anything other than WindowProxy objects - I'd revisit that conclusion 😉
This is exactly what happened in Snow. Furthermore, leveraging this trick could have allowed attackers to bypass Snow completely.
Good to know I guess 🤷 github.com/LavaMoat/snow/pull/111
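As an added illustration of the defensive side (this is example code, not Snow's own fix), the check below walks `frames` and refuses to treat anything but a genuine WindowProxy as a frame. It relies on one property a real WindowProxy has and a clobbering DOM node does not: `W.window === W`, which is readable even on a cross-origin WindowProxy. The window object and the `<div id="0">` stand-in are constructed here so the code runs offline without a DOM.

```javascript
// Added example, not part of the original post or of Snow.
// A genuine WindowProxy W satisfies W.window === W, and `window` is one of
// the few properties readable even on a cross-origin WindowProxy. A DOM
// node that reached window[i] through a numeric id (<div id="0">) has no
// such self-reference, so it fails this test.
function isWindowProxy(candidate) {
  if (candidate === null || typeof candidate !== 'object') return false;
  try {
    return candidate.window === candidate;
  } catch (e) {
    // Reading a cross-origin-blocked property throws; `window` is allowed,
    // so landing here means this is not a WindowProxy at all.
    return false;
  }
}

// Walk win[0..win.length) like a script that trusts `frames` would, but
// keep only real WindowProxy items and report the indices that held
// something else (the DOM-clobbered slots).
function collectFrames(win) {
  const frames = [];
  const clobbered = [];
  for (let i = 0; i < win.length; i++) {
    const item = win[i];
    if (isWindowProxy(item)) frames.push(item);
    else clobbered.push(i);
  }
  return { frames, clobbered };
}

// Constructed stand-ins (assumption: shaped like the real objects, so the
// check can run without a browser).
function makeFakeWindowProxy() {
  const w = { length: 0 };
  w.window = w; // the self-reference a real WindowProxy exposes
  return w;
}
const fakeDivWithNumericId = { nodeType: 1, tagName: 'DIV', id: '0' };

// Constructed top window: index 0 is the clobbering <div id="0">,
// index 1 is a legitimate child frame.
const constructedWindow = {
  length: 2,
  0: fakeDivWithNumericId,
  1: makeFakeWindowProxy(),
};
constructedWindow.window = constructedWindow;
```

In a real page you would pass the actual `window`; `collectFrames(window).clobbered` being non-empty is the signal that something other than a child browsing context is sitting in `frames`.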