I wanted to find out which HTML elements are able to overwrite JavaScript variables through DOM Clobbering attacks. For those who don't know, DOM Clobbering is an attack discovered a while ago by researcher Dr. Mario Heiderich; it was presented in his talk "In the DOM, no one will hear you scream." The attack works because browsers expose elements that carry an id or name attribute as named properties of the window and document objects. A script that reads a global it never declared (for example `if (window.debugMode)`) therefore gets an HTML element instead of undefined, and its behavior changes as a result, without any script execution on the attacker's side.
JavaScript variables can be clobbered with HTML elements that have the id and name attributes. However, I noticed that some of these attributes clobber properties of the window object while others clobber properties of the document object, so I thought it would be useful to know exactly which combinations of element and attribute clobber which object.
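The following page is an added example, not part of the original post, showing the kind of code the attack targets and one way to harden it. The scenario is constructed: the page renders user-supplied HTML into a container, a hypothetical sanitizer has removed scripts and event handlers but left id attributes alone, and the script reads two globals (`debugMode`, `exportEndpoint`) that it never declared. The `user-content` and `app-config` ids and the `attacker.example` host are assumptions for this illustration.

```html
<!doctype html>
<meta charset="utf-8">
<title>DOM Clobbering: vulnerable vs. hardened global lookup (added example)</title>

<!-- Constructed scenario: user-supplied HTML is rendered here. The sanitizer
     in this scenario strips scripts and event handlers but leaves id/name
     attributes alone, which is all clobbering needs. -->
<div id="user-content"></div>

<!-- The hardened variant keeps its settings out of the DOM namespace. -->
<script id="app-config" type="application/json">
  {"debugMode": false, "exportEndpoint": "/api/export"}
</script>

<pre id="out"></pre>

<script>
  // Attacker-controlled markup (constructed). The ids do the work: any
  // element with id="debugMode" becomes window.debugMode, and an <a>
  // stringifies to its href, so String(window.exportEndpoint) is a URL
  // the attacker chose.
  var untrusted =
    '<a id="debugMode">harmless looking link</a>' +
    '<a id="exportEndpoint" href="https://attacker.example/collect">x</a>';
  document.getElementById('user-content').innerHTML = untrusted;

  // VULNERABLE: reads globals the page never declared, so the lookup falls
  // through to the window's named properties, i.e. the injected elements.
  function vulnerableExportTarget() {
    var debug = !!window.debugMode;                  // an element is truthy
    var endpoint = window.exportEndpoint || '/api/export';
    return { debug: debug, url: String(endpoint) };  // href of the injected <a>
  }

  // HARDENED: configuration comes from a JSON block and is parsed into a
  // local object, so no lookup ever reaches a global that markup can shadow.
  // Declaring the globals explicitly (e.g. `var debugMode = false;`) would
  // also take precedence over a named property.
  function hardenedExportTarget() {
    var config = JSON.parse(document.getElementById('app-config').textContent);
    return { debug: config.debugMode === true, url: config.exportEndpoint };
  }

  document.getElementById('out').textContent =
    'vulnerable: ' + JSON.stringify(vulnerableExportTarget()) + '\n' +
    'hardened:   ' + JSON.stringify(hardenedExportTarget());
</script>
```

Open the file in a browser: the vulnerable function reports debug mode on and the attacker's URL, the hardened one reports the values from the JSON block. Stripping id and name from untrusted markup in the sanitizer is the complementary fix on the input side.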
These are the results I got in Chrome, Firefox and Edge (identical across the three unless noted). For each element, the markup shown was injected with id="x" and name="y", and the lines below it list the window and document properties that are then clobbered:
embed elements:
<embed id="x" name="y" />
window.x
window.y
document.y
form elements:
<form id="x" name="y">
window.x
window.y
document.y
iframe elements:
<iframe id="x" name="y">
window.x
window.y
document.y // Not clobbered in Firefox
image elements (the HTML parser turns an <image> start tag into an img element, so this is really the img case again):
<image id="x" name="y">
window.x
window.y
document.x
document.y
img elements:
<img id="x" name="y">
window.x
window.y
document.x
document.y
object elements:
<object id="x" name="y">
window.x
window.y
document.x
document.y
These elements cannot do clobbering. The HTML parser either discards their start tags when they appear inside body content (or in an innerHTML fragment) or, for html and body, only merges their attributes into the element that already exists, so the injected markup never creates a new element to clobber with:
'body'
'caption'
'col'
'colgroup'
'frame'
'frameset'
'head'
'html'
'tbody'
'td'
'tfoot'
'th'
'thead'
'tr'
All other elements, including unknown tag names (which the parser still creates as elements), clobber window properties through the id attribute, but they do not clobber document properties and their name attribute is not exposed on window. Note that clobbering only affects names a script reads without ever declaring them: a global created with var, let or const, or assigned explicitly, takes precedence over the named property.
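To reproduce or extend the table above in any browser, here is an added probe page (my own example, not the original post's test harness). It injects each tag with `id="clobProbeId"` and `name="clobProbeName"` through innerHTML, records whether the parser created an element at all, which of the four lookups (`window[id]`, `window[name]`, `document[id]`, `document[name]`) resolve, and what they resolve to. It also shows a detail the table does not: for a named iframe, `window[name]` is the nested Window, not the element. The tag list and the probe id/name values are assumptions you can change freely.

```html
<!doctype html>
<meta charset="utf-8">
<title>DOM Clobbering probe (added example)</title>
<pre id="results"></pre>
<!-- Scratch container; each probe injects one element here and clears it. -->
<div id="scratch"></div>
<script>
  // Tags to probe (constructed list). The "cannot clobber" set from the post
  // is included so the probe shows they are never inserted; "image" and a
  // made-up tag cover parser aliasing and unknown elements. Extend as needed.
  var TAGS = ['embed', 'form', 'iframe', 'image', 'img', 'object',
              'a', 'div', 'input', 'madeup-tag',
              'body', 'caption', 'col', 'colgroup', 'frame', 'frameset',
              'head', 'html', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr'];

  // Unusual id/name values so no real global of this page gets shadowed.
  var ID = 'clobProbeId', NAME = 'clobProbeName';

  // Describe what a named lookup returned: nothing, a nested Window (what a
  // named iframe yields on window), or the tag of the element.
  function describe(v) {
    if (v === undefined) return '-';
    if (v && v.window === v) return 'Window';
    if (v && v.tagName) return v.tagName.toLowerCase();
    return typeof v;
  }

  // Inject one element, read the four named lookups, then remove it so the
  // named properties disappear before the next probe.
  function probe(tag) {
    var scratch = document.getElementById('scratch');
    scratch.innerHTML = '<' + tag + ' id="' + ID + '" name="' + NAME + '"></' + tag + '>';
    var inserted = scratch.firstElementChild;
    var row = {
      tag: tag,
      created: inserted ? inserted.tagName.toLowerCase() : '(dropped by parser)',
      winId: describe(window[ID]),
      winName: describe(window[NAME]),
      docId: describe(document[ID]),
      docName: describe(document[NAME])
    };
    scratch.innerHTML = '';
    return row;
  }

  var header = ['tag'.padEnd(11), 'created as'.padEnd(20), 'win.id'.padEnd(8),
                'win.name'.padEnd(9), 'doc.id'.padEnd(8), 'doc.name'].join(' ');
  var lines = TAGS.map(function (tag) {
    var r = probe(tag);
    return [r.tag.padEnd(11), r.created.padEnd(20), r.winId.padEnd(8),
            r.winName.padEnd(9), r.docId.padEnd(8), r.docName].join(' ');
  });
  document.getElementById('results').textContent = header + '\n' + lines.join('\n');
</script>
```

Because the probe goes through innerHTML, it reflects the fragment-parsing rules a typical injection point (comment box, rich-text field) is subject to; markup injected into a full document by other means can differ, so rerun it in the context you actually care about.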