Re: CSP and web analytics

The trick is rather common among pentesters - but I am not sure about any
public documentation. It works particularly well too if a website for
instance allows user generated HTML containing class attributes - and one of
the injected classes is being used for special purposes by the attacked
website's client side business logic. I've seen this work in many real life
web apps.


On Thu, Jun 9, 2011 at 7:07 PM, Bil Corry <> wrote:

> gaz Heyes wrote on 6/8/2011 12:53 PM:
>> On 8 June 2011 20:38, John Wilander <
>> <>> wrote:
>> I actually started thinking about whitelisted script element ids to
>> augment CSP statements and allow for e.g. inline analytics blocks.
>> But then I ran into what we'd like to call "DOM Identity Theft" since
>> browsers are specified to return the /first/ element with the given
>> id when getElementById() is called. Is the technique already known?
>> Under a different name?.
>> Glad to see you're on the same page ;) Yeah there is another name,
>> DOM Clobbering, I'd don't mind what name is given as long as it isn't
>> plastered all over the media. As you can imagine it gets quite fun
>> with analytics + clobbering
> Do you have a link to a resource describing "DOM Clobbering"?  Google only
> found a single mention, your quote above:
> Maybe John should write up his "DOM Identity Theft".
> - Bil

_____________________________ | @0x6D6172696F

Received on Tuesday, 14 June 2011 06:29:20 UTC