I wanted to find out which HTML elements are able to overwrite JavaScript variables through DOM Clobbering attacks. For those who don't know, DOM Clobbering is an attack discovered a while ago; I don't know precisely who discovered it, but researcher Dr. Mario Heiderich presented it in his talk "In the DOM, no one will hear you scream." With this attack it is possible to overwrite variables used in the JavaScript code of a page by injecting certain HTML elements, and as a result the behavior of the script changes.
More about DOM Clobbering here: https://portswigger.net/web-security/dom-based/dom-clobbering
Michał Bentkowski managed to find an XSS vulnerability in Gmail by using DOM Clobbering:
https://research.securitum.com/xss-in-amp4email-dom-clobbering/
JavaScript variables can be overwritten by HTML elements that use the id and name attributes. However, I noticed that these attributes sometimes clobber window object properties and sometimes document object properties. I thought it would be useful to know specifically which combinations of elements and attributes clobber each of those objects.
These are the results I got in Chrome, Firefox and Edge:
embed elements:
<embed id="x" name="y" />
window.x
window.y
document.y
form elements:
<form id="x" name="y">
window.x
window.y
document.y
iframe elements:
<iframe id="x" name="y">
window.x
window.y
document.y // Not clobbered in Firefox
image elements:
<image id="x" name="y">
window.x
window.y
document.x
document.y
img elements:
<img id="x" name="y">
window.x
window.y
document.x
document.y
object elements:
<object id="x" name="y">
window.x
window.y
document.x
document.y
These elements cannot clobber anything:
'body'
'caption'
'col'
'colgroup'
'frame'
'frameset'
'head'
'html'
'tbody'
'td'
'tfoot'
'th'
'thead'
'tr'
All other existing and non-existing elements clobber window properties through the id attribute.
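To reproduce the results above in any browser, here is an added example (not code from the original post) that generates a probe page: one srcdoc iframe per tag name, each reporting which of window.x, window.y, document.x and document.y its injected <tag id="x" name="y"> clobbered. The tag list comes from the post; the harness and its function names (isClobberedValue, probeDocumentFor, buildProbePage, recordResult) are this example's own.

```javascript
// Added example (not code from the original post): a Node script that prints a
// probe page reporting, for each tag name, which of window.x, window.y,
// document.x and document.y an injected <tag id="x" name="y"> clobbers.
// Save the output as probe.html and open it in each browser you want to compare.

// Tag names from the post, plus one element name that does not exist.
const PROBE_TAGS = ['embed', 'form', 'iframe', 'image', 'img', 'object',
                    'body', 'td', 'tbody', 'notatag'];
const CHECKS = ['window.x', 'window.y', 'document.x', 'document.y'];

// A named lookup that yields a DOM node, or a node collection (two elements
// sharing one name give an HTMLCollection), is the clobbering signature.
function isClobberedValue(v) {
  if (v === null || typeof v !== 'object') return false;
  return typeof v.nodeType === 'number' || typeof v.length === 'number';
}

// Escape a string for use inside a double-quoted HTML attribute (srcdoc).
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Inner document for one tag. Each tag runs in its own srcdoc iframe so one
// element cannot pollute the next measurement; srcdoc frames share the parent
// origin, so the result is handed straight to parent.recordResult.
function probeDocumentFor(tag) {
  return `<!doctype html><${tag} id="x" name="y"></${tag}>` +
    `<script>${isClobberedValue.toString()}var r={};` +
    `${JSON.stringify(CHECKS)}.forEach(function(c){r[c]=isClobberedValue(eval(c));});` +
    `parent.recordResult(${JSON.stringify(tag)},r);</script>`;
}

// Outer page: one iframe per tag and a <pre> that collects the reports.
function buildProbePage(tags) {
  const frames = tags.map(t =>
    `<iframe srcdoc="${escapeAttr(probeDocumentFor(t))}"></iframe>`).join('');
  return `<!doctype html><title>DOM Clobbering probe</title><pre id="out"></pre>` +
    `<script>function recordResult(tag,r){var hit=Object.keys(r).filter(function(k){` +
    `return r[k];});document.getElementById('out').textContent+=tag+': '+` +
    `(hit.join(', ')||'nothing clobbered')+'\\n';}</script>${frames}`;
}

// Print the page so it can be redirected to a file: node probe.js > probe.html
console.log(buildProbePage(PROBE_TAGS));
```

The generated page lists, per tag, the clobbered lookups (e.g. "form: window.x, window.y, document.y"), so running it in Chrome, Firefox and Edge side by side shows the per-browser differences such as the iframe/document.y case.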