Welcome to Day 28! Today's vulnerability is one of my favorites because it feels like magic. The target was a news site with a strict Content Security Policy (CSP) that blocked all inline scripts and only allowed scripts from an allowlist of trusted domains. This made classic XSS nearly impossible. The site had a comment section that allowed a limited set of HTML tags (<a>, <img>, <div>). My goal wasn't to inject script; it was to inject structure. By abusing a long-standing browser behavior called DOM Clobbering, I was able to hijack the page's own JavaScript without executing a single line of code myself. The result was a full CSP bypass and a $3000 bounty.
What is DOM Clobbering?
DOM Clobbering is an attack in which HTML injection, rather than script injection, is used to overwrite or shadow JavaScript properties and variables in the global scope. It exploits the browser's named-access rule: an element with an id attribute (and, for a few element types such as form, img, iframe, object and embed, a name attribute) is automatically exposed as a property of the global window object, and document gets similar named properties. The catch for an attacker is that a variable the page's scripts declare with var wins over the injected element, so the attack only pays off against globals the page reads but never declares, typically lookups of the form window.config || defaults.
The Magic Trick:
If you inject <a id="config">, you can access it in JavaScript as window.config. If the app has a variable…
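To make the named-access rule and the fragile lookup pattern concrete, here is an added example that is not code from the original post or from the target site. It runs under Node without a browser: it models which window properties a browser would create for a piece of injected markup (the id rule for any element, the name rule only for embed/form/iframe/img/object), shows how a window.config || defaults lookup hands the attacker's element to the app, and includes a small audit helper for checking a sanitizer's tag allowlist against the globals a script reads. The allowed tags (a, img, div) and the config global come from the post; the payloads, the script snippet and the attacker hostname are constructed for this example.

```javascript
// Added example (not from the original post). Models DOM clobbering offline.

// Elements whose `name` attribute, not only `id`, becomes a window property
// under the HTML spec's named access on the Window object.
const NAME_EXPOSED_TAGS = new Set(["embed", "form", "iframe", "img", "object"]);

// Minimal tag scanner for the constructed payloads below (not a full HTML parser).
function parseTags(html) {
  const tags = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[2])) !== null) attrs[a[1].toLowerCase()] = a[2];
    tags.push({ tag: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// Window properties a browser would create for this markup.
// Returns Map<name, [element...]>; several elements under one name correspond
// to the HTMLCollection a browser returns in that case.
function exposedGlobals(html) {
  const out = new Map();
  for (const el of parseTags(html)) {
    const names = [];
    if (el.attrs.id) names.push(el.attrs.id);
    if (el.attrs.name && NAME_EXPOSED_TAGS.has(el.tag)) names.push(el.attrs.name);
    for (const n of names) {
      if (!out.has(n)) out.set(n, []);
      out.get(n).push(el);
    }
  }
  return out;
}

// Build a stand-in for `window` after the markup has been injected.
function toWindow(html) {
  const win = {};
  for (const [name, els] of exposedGlobals(html)) win[name] = els.length === 1 ? els[0] : els;
  return win;
}

// The fragile pattern: a global the page never declares, read with a fallback.
// In a real page this is `window.config || DEFAULTS`; `win` stands in for window.
function loadConfig(win, defaults) {
  return win.config || defaults;
}

// Sanitizer-side hardening: user markup never gets to carry id or name at all.
function stripClobberAttrs(html) {
  return html.replace(/\s+(?:id|name)\s*=\s*"[^"]*"/gi, "");
}

// Audit helper: which `window.X` reads in `script` can the allowed tags clobber?
// Names declared with top-level `var` or `function` become own properties of
// window and shadow the injected element, so they are excluded. Heuristic only:
// it does not follow bare identifier reads or `document.X` lookups.
function clobberRisk(allowedTags, script) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  if (allowed.size === 0) return [];
  const viaName = [...allowed].some((t) => NAME_EXPOSED_TAGS.has(t));
  const declared = new Set();
  const reads = new Set();
  let m;
  const declRe = /\b(?:var|function)\s+([A-Za-z_$][\w$]*)/g;
  while ((m = declRe.exec(script)) !== null) declared.add(m[1]);
  const readRe = /\bwindow\.([A-Za-z_$][\w$]*)/g;
  while ((m = readRe.exec(script)) !== null) reads.add(m[1]);
  return [...reads]
    .filter((g) => !declared.has(g))
    .map((g) => ({ global: g, clobberableVia: viaName ? ["id", "name"] : ["id"] }));
}

// Constructed demo: the comment section allows <a>, <img>, <div>; the page reads
// window.config without ever declaring it. attacker.example is a placeholder host.
const ALLOWED_TAGS = ["a", "img", "div"];
const PAYLOAD = '<a id="config" href="https://attacker.example/settings">hi</a>';
const PAGE_SCRIPT =
  'var cdn = "https://cdn.example/app.js"; const cfg = window.config || { theme: "light" }; load(window.cdn);';

console.log("exposed:", [...exposedGlobals(PAYLOAD).keys()]);           // [ 'config' ]
console.log("config seen by app:", loadConfig(toWindow(PAYLOAD), {})); // the <a> element
console.log("after strip:", loadConfig(toWindow(stripClobberAttrs(PAYLOAD)), { theme: "light" }));
console.log("risk:", clobberRisk(ALLOWED_TAGS, PAGE_SCRIPT));
```

The audit reports `name` as a second clobbering route only because <img> is on the allowlist; with only <a> and <div> allowed, an attacker would be limited to id. Stripping id and name from user markup closes both routes regardless of what the page's scripts do, which is the fix to prefer over auditing every global read.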