Automating DOM Clobbering: How HULK Finds Zero-Days at Scale

TLDR: Researchers have released HULK, an automated analysis framework that uses dynamic taint analysis and concolic execution to detect and exploit DOM Clobbering vulnerabilities. By chaining these gadgets with HTML injection, the team successfully demonstrated end-to-end exploits against major platforms like JupyterLab and Canvas LMS. This research proves that DOM Clobbering is far more prevalent in modern client-side libraries than previously assumed, and it provides a roadmap for researchers to find similar bugs in their own targets.

Modern web applications are increasingly built on complex, multi-layered client-side architectures. While developers focus on securing server-side endpoints, the client-side often becomes a graveyard of forgotten security assumptions. DOM Clobbering is one of those classic vulnerabilities that has been relegated to the "too hard" pile for years. It is notoriously difficult to track manually, especially when dealing with minified, bundled JavaScript. The research presented at DEF CON 2025 changes that by shifting the burden of discovery from the researcher to an automated framework.

The Mechanics of the Clobber

At its core, DOM Clobbering exploits the browser's legacy behavior of creating global variables on the window or document object based on the id or name attributes of HTML elements. If an application relies on a global variable that is not explicitly defined, an attacker can inject an HTML element with a matching id to "clobber" that variable.

The real danger arises when this clobbered variable is used in a sensitive context, such as a script source or a configuration object. The researchers behind HULK identified that this is not just a theoretical risk. By using dynamic taint analysis, they can track how these clobbered values flow through the application logic to reach dangerous sinks. This approach bypasses the limitations of static analysis, which often fails to resolve the dynamic, aliased nature of modern JavaScript objects.

From Clobbering to Execution

Exploiting DOM Clobbering is rarely a one-step process. It usually requires a chain of gadgets. The HULK framework models this chain by breaking the exploitation process into four distinct stages:

1. Window/Document-to-DOM: The initial injection of the clobbering element.
2. DOM-to-DOM: Advanced clobbering where the injected element influences other DOM properties.
3. DOM-to-String: The transformation of the clobbered DOM element into a string, often via type coercion.
4. String-to-String: Final manipulation of the string to reach a sink like eval() or script.src.

The framework uses concolic execution to solve the constraints required to move data through these stages. If you are testing an application, you are looking for places where user-controlled HTML is rendered without proper sanitization. If you can inject an element with an id that matches a variable used in a script tag or a configuration object, you have a potential entry point.

Real-World Impact

The researchers applied HULK to the top 5,000 websites and identified 497 zero-day exploitable gadgets. This is a massive number of potential vulnerabilities hiding in plain sight. They specifically highlighted CVE-2024-43805, which affected the MathJax library used by JupyterLab. In this case, the clobbering gadget allowed an attacker to control the configuration of the library, leading to arbitrary script execution.

Another notable finding was CVE-2024-43788 in Webpack. Because Webpack is used as a bundler for countless applications, a vulnerability in its runtime code has a massive blast radius. The researchers demonstrated that by injecting a specific HTML structure, they could force the application to load scripts from an attacker-controlled domain. This is a textbook example of how a seemingly minor client-side bug can lead to full account takeover or data exfiltration.

Defensive Considerations

For those working on the defensive side, the primary takeaway is that sanitization must be context-aware. Many existing sanitizers focus on stripping dangerous tags like <script> or event handlers like onload, but they often ignore id and name attributes because they are considered benign.

If your application uses client-side libraries that rely on global configuration objects, you must ensure those objects are initialized safely. Avoid relying on global variables for critical application logic. If you must use them, ensure they are properly namespaced and initialized before any user-controlled HTML is parsed. Furthermore, implementing a strict Content Security Policy (CSP) can help mitigate the impact of successful XSS, even if a DOM Clobbering gadget is present.

What to Do Next

If you are a bug bounty hunter, start looking at how your target applications handle user-supplied HTML. If they allow any form of rich text input, you have a potential vector. Use the HULK dataset to understand the patterns of these gadgets. Don't just look for the obvious XSS payloads. Look for the subtle ways that an injected id can influence the application's global state.

The era of manual DOM Clobbering hunting is ending. Tools like HULK and DOM Invader are making it significantly easier to find these bugs at scale. The next time you are on an engagement, don't ignore the id attributes in the DOM. They might be the key to your next high-severity finding.