DOM Clobbering and Prototype Pollution
DOM clobbering exploits the way browsers expose elements that carry an id or name attribute as named properties of window and document, so injected HTML can shadow global variables that security-critical JavaScript relies on. By injecting elements with specific ids, attackers can redefine variables or functions that security code reads. For example, an element with id="CSRF_TOKEN" might stand in for a global CSRF token variable, breaking the check that depends on it. The clobbered reference wins only where the script reads a name it never declared with var, let or const, since declared globals take precedence over named element access; this is why the technique is particularly effective against legacy code that leans on undeclared globals.
Prototype pollution in the browser context can enable XSS in applications that would not otherwise be vulnerable. By polluting Object.prototype or another built-in prototype, attackers can inject properties that ordinary property lookups later pass into dangerous sinks. For example, if an application does element.innerHTML = options.content || '', then polluting Object.prototype.content injects attacker-controlled HTML even when options is an empty object, because the lookup of options.content falls through to the prototype chain. Modern frameworks are generally resistant to prototype pollution, but legacy code and certain patterns, such as reading configuration from plain objects without an own-property check, remain vulnerable.
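The options.content || '' pattern above, as an added example that is not from the original article, run in Node with a constructed pollution primitive and a plain string standing in for the innerHTML sink: the inherited property reaches the sink, while an own-property check or a prototype-less options object does not. All function names are assumptions made for the demo.

```javascript
// Added example: how a polluted Object.prototype property reaches a sink
// through `options.content || ''`, and two lookups that block it.

// Vulnerable pattern: `options.content` walks the prototype chain, so a
// polluted Object.prototype.content is returned even when options is {}.
function renderUnsafe(options) {
  return options.content || '';
}

// Hardened lookup 1: only accept a property the options object itself owns.
function renderOwnOnly(options) {
  return Object.prototype.hasOwnProperty.call(options, 'content')
    ? options.content
    : '';
}

// Hardened lookup 2: copy allow-listed, own, string-typed options into a
// prototype-less object so nothing inherited can reach the sink later.
function sanitizeOptions(options) {
  const clean = Object.create(null);
  for (const key of ['content']) {
    const own = Object.prototype.hasOwnProperty.call(options, key);
    if (own && typeof options[key] === 'string') clean[key] = options[key];
  }
  return clean;
}

// Runtime check a defender can use: has Object.prototype gained a key?
function prototypeIsPolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Constructed pollution primitive for the demo; restored in `finally` so
// the rest of the process is not affected.
function withPollutedPrototype(value, fn) {
  Object.defineProperty(Object.prototype, 'content',
    { value, configurable: true, writable: true });
  try { return fn(); } finally { delete Object.prototype.content; }
}

// Returns what each lookup would hand to innerHTML for an empty options {}.
function demo() {
  const injected = '<b>injected via Object.prototype</b>'; // constructed marker
  return withPollutedPrototype(injected, () => ({
    unsafe: renderUnsafe({}),
    ownOnly: renderOwnOnly({}),
    nullProto: sanitizeOptions({}).content || '',
    polluted: prototypeIsPolluted('content'),
  }));
}
```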
These advanced techniques often combine multiple bypass methods. An attacker might use DOM clobbering to disable security functions, prototype pollution to inject payloads, and encoding tricks to bypass filters. The combination of techniques makes detection and prevention more challenging, requiring defense-in-depth approaches rather than relying on single security measures.