Bypassing CSP via DOM clobbering

You might have found HTML injection, but unfortunately identified that the site is protected with CSP. All is not lost, it might be possible to bypass CSP using DOM clobbering, which you can now detect using DOM Invader! In this post we’ll show you how.

We’ve based the test case on a bug bounty site, so you’re likely to encounter similar code in the wild. If you’re unfamiliar with DOM clobbering then head over to our Academy to learn about this attack class and solve the labs.

Image

Image alternative text

Federation

Status:

On | Off

Instances:

/m/appsec@infosec.pub

Threads (27)

Microblog (0)

All Content

People

Magazines

Collections

Thread

N7x

@N7x@infosec.pub

Added: 10 months ago
Online: -
Ratio: 0

Magazine

appsec

@appsec@infosec.pub

A community for all things related to application security.

Created: 10 months ago
Owner: ernest
Subscribers: 4
Online: -

Moderators

ernest

Software Security Seminar in Stockholm TOMORROW 17.4...

1 month ago to infosec

Thanks Stockholm. The breakfast seminar on #swsec was good. Next up is OSLO tomorrow morning (THURSDAY). If you are in Norway, please come join me!...

1 month ago to infosec

My 12-yr-old figured out how to bypass the parental controls on #DisneyPlus....

11 days ago to DisneyPlus

Imagine in 2024 organizations think you can defend against sql injection attacks (via a password) by banning certain characters and keywords....

4 months ago to infosec

Add comment