DOM Clobbering Generator

An online version of the tool can be found at:

Example of usage

Getting started

DOM Clobbering is a vulnerability that originates from a naming collision between JavaScript variables and named HTML markup, where browsers replace the pre-existing content of an undefined variable with an HTML element when the element's id (or name) attribute matches.

Attribute id

Example with a random tag with an id attribute:

<h1 id="hd">Super title !</h1>

console.log(hd);            // <h1 id="hd">Super title !</h1>
console.log(window.hd);     // <h1 id="hd">Super title !</h1>
console.log(document.hd);   // undefined
console.log(hd.toString()); // [object HTMLHeadingElement]
console.log(hd.innerText);  // Super title !

Attribute name

Example with a form tag with a name attribute:

<form name="fm" method="GET" action="/login"></form>

console.log(fm);          // <form name="fm"></form>
console.log(window.fm);   // <form name="fm"></form>
console.log(document.fm); // <form name="fm"></form>
console.log(fm.method);   // get
console.log(fm.action);   // http://localhost/login

List of tags which support the name attribute:

  • embed, form, iframe, image, img, object
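
The two rules above (an id on any tag, a name only on the tags just listed) can be turned into a check for untrusted markup before it is inserted into a page. This is an added example, not part of the tool: `findClobberCandidates`, `SAMPLE` and the protected-name list are hypothetical, and the regex scanner is a simplification of real HTML parsing.

```javascript
// Tags on which a name attribute creates a named property (list from this page).
const NAME_TAGS = new Set(["embed", "form", "iframe", "image", "img", "object"]);

// Simplified scanners (assumption: good enough for a lint, not a full HTML parser).
// TAG_RE skips closing tags and tolerates ">" inside quoted attribute values.
const TAG_RE = /<([a-zA-Z][^\s\/>]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
// ATTR_RE consumes every attribute whole, so "id=" inside a quoted value is ignored.
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Constructed sample: the two snippets from this page plus a line that must NOT match
// (name on a <p>, a data-id attribute, and "id=hd" inside a quoted title).
const SAMPLE = `<h1 id="hd">Super title !</h1>
<form name="fm" method="GET" action="/login"></form>
<p name="fm" data-id="hd" title="x id=hd >">text</p>`;

/**
 * Report id/name attributes in markup that collide with global identifiers
 * the application's scripts read (for example window.hd).
 * protectedNames: hypothetical list of identifiers to protect.
 */
function findClobberCandidates(html, protectedNames) {
  const wanted = new Set(protectedNames);
  const findings = [];
  for (const tagMatch of html.matchAll(TAG_RE)) {
    const tag = tagMatch[1].toLowerCase();
    for (const attrMatch of tagMatch[2].matchAll(ATTR_RE)) {
      const attr = attrMatch[1].toLowerCase();
      if (attr !== "id" && attr !== "name") continue;
      // id collides on any element; name only on the tags listed above.
      if (attr === "name" && !NAME_TAGS.has(tag)) continue;
      const value = attrMatch[2] ?? attrMatch[3] ?? attrMatch[4];
      if (wanted.has(value)) findings.push({ tag, attr, value });
    }
  }
  return findings;
}

console.log(findClobberCandidates(SAMPLE, ["hd", "fm"]));
```

A non-empty result means the markup should be rejected or have the colliding attributes stripped before it reaches the DOM.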

Depth 1

  • Set to
<a id="link" href=""></a>

Depth 2

  • Set video.lang to Hello!
<a id="video" lang="Hello!"></a>
<form id="video" lang="Hello!"></form>
<form name="video" lang="Hello!"></form>
<input id="video" lang="Hello!"></input>
<iframe id="video" lang="Hello!"></iframe>
<iframe name="video" lang="Hello!"></iframe>
<a id="video"></a><a id="video" name="lang" href="a:Hello!"></a>

Depth 3

  • Set users.permission.role to admin
<form id="users" name="permission">
    <input id="role" value="admin">
</form>
<form id="users"></form>

Depth 4

  • Set music.metadata.sound.max to 100%
<form id="music" name="metadata">
    <input id="sound" max="100%">
</form>
<form id="music"></form>

Special Attributes

