DOM Globals

DOM Clobbering

The page reads `window.config.adminURL`, but that name resolves to any HTML element with `name="config"`, so an attacker comment with such a form clobbers the URL.

CWE-1321
Back to hub Reload scenario
DOM clobber probe 

  

  


      

    


    

      

        
Expected Findings

        
    
          
  • `window.config` is treated as a JS global despite being clobbered by an in-page form.
  • Comment HTML is rendered without sanitizing `name` attributes.
  • Boot script reads admin URL from the clobbered global.
    • 
        

      


      

      

        
Signals

        
        

          
Bug

          
redirectTo(window.config.adminURL)  // clobbered by <form name="config">

        

        
      

    


    

    

      Developed by vibe-eval.com for validation and testing purposes only.