TheThing

Website | Docs | Quick Start | DOM Clobbering

TheThing

A static-dynamic security analysis tool for DOM clobbering vulnerabilities based on JAW-v1 and Iroh. TheThing can be used for analyzing the client-side of web applications.

Note: The source code of TheThing has been merged with JAW, resulting in JAW-v2. Accordingly, this repository now uses JAW-v2 as a git submodule.

This project is available as open source under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE V3.0. See LICENSE for more information.

TheThing has a website available at https://soheilkhodayari.github.io/DOMClobbering.

Table of Contents

• DOM Clobbering
  • Techniques
• Overview of TheThing
  • Crawler
  • Static Analysis
  • Dynamic Analysis
• Installation
• Running
• Further Documentation
  • Building Blocks
  • Crawling
  • Static Analysis
  • Syntax Tree
  • Property Graph Nodes
  • Property Edges
  • Property Graph Querying
  • Neo4j Docker
  • Dynamic Analysis
• Contribution and Code of Conduct
• Academic Publication

✨ What is DOM Clobbering?

DOM Clobbering is an attack technique where the attacker achieves arbitrary client-side code execution by injecting a non-script HTML markup into a vulnerable webpage and transform the initially secure markup into executable code.

DOM Clobbering originates from a naming collision between JavaScript variables and named HTML markups, where attackers confuse the web application by injecting HTML elements whose id or name attribute matches the name of security-sensitive variables, such as variables used for fetching remote content (e.g., script src).

For more information, See here.

➰ Overview

TheThing comprises three building block components:

• Web Crawler: given a single seed URL of a webapp under test, collects its webpages' resources (e.g., scripts).
• Static Analyzer: detects DOM Clobbering sources and sinks and potential data flows among them.
• Dynamic Analyzer: checks the clobberability of the identified sources, and the data flows.

The architecture of the TheThing is shown below.

🏭 Installation

The source code of TheThing has been merged with JAW, resulting in JAW-v2. As such, this repository now uses JAW-v2 as a git submodule.

To clone TheThing and its submodule JAW-v2.x, you can do:

$ git clone --recurse-submodules https://github.com/SoheilKhodayari/TheThing

Alternatively, do:

$ git clone https://github.com/SoheilKhodayari/TheThing
$ cd TheThing
$ git clone https://github.com/SoheilKhodayari/JAW --branch v2.0.4  

Then, copy the JAW's content into the root directory:

$ cp -rf ./JAW/* ./

Finally, get the necessary dependencies via:

$ ./install.sh

This will install the required npm and python libraries, and the chromium driver.

Note: You can also download the pre-packaged code from the releases section or the stable branch.

🚀 Running

You can run an instance of the pipeline in a background screen via:

$ screen -dmS s1 bash -c 'python3 -m run_domclobbering --conf=config.domclobbering.yaml; exec sh'

The CLI provides the following options:

$ python3 -m run_domclobbering -h

usage: run_domclobbering.py [-h] [--conf FILE] [--site SITE] [--list LIST] [--from FROM] [--to TO]

This script runs the tool pipeline.

optional arguments:
  -h, --help            show this help message and exit
  --conf FILE, -C FILE  pipeline configuration file. (default: config.domclobbering.yaml)
  --site SITE, -S SITE  website to test; overrides config file (default: None)
  --list LIST, -L LIST  site list to test; overrides config file (default: None)
  --from FROM, -F FROM  the first entry to consider when a site list is provided; overrides config file (default: -1)
  --to TO, -T TO        the last entry to consider when a site list is provided; overrides config file (default: -1)

Configuration: TheThing expects a .yaml config file as input. See config.domclobbering.yaml for an example.

Running Building Blocks: For documentation on how to run each building block of the tool individually, see here.

🙋 Questions

For any questions, suggestions, feedback or concerns, please raise an issue in the repository.

🎃 Contribution and Code Of Conduct

Bug reports and pull requests are more than welcomed on GitHub. For more information, please refer to contribution guidelines.

This project is intended to be a safe, welcoming space, and contributors are expected to adhere to the contributor code of conduct.

📚 Documentation

Please refer to the complete documentation in docs.

📝 Academic Publication

If you use the TheThing for academic research, we encourage you to cite the following paper:

@inproceedings {SKhodayariSP23TheThing,
  author = {Soheil Khodayari and Giancarlo Pellegrino},
  title = {It's (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses,
  booktitle = {To Appear at proceedings of the 44th IEEE Symposium on Security and Privacy},
  year = {2023},
}