In the DOM We Trust: Exploring the Hidden Dangers of Reading from the DOM on the Web
2025 Conference / Journal
Authors
Giancarlo Pellegrino, Martin Johns, Thomas Barber, David Klein, Soheil Khodayari, Sepehr Mirzaei, Jan Drescher
Research Hub
Research Hub C: Secure Systems
Research Challenges
RC 7: Building Secure Systems
Abstract
The DOM tree is a central part of modern web development, enabling JavaScript to interact with page content and structure. Only a few prior studies have examined its trustworthiness, despite its widespread use in guiding program logic and security decisions. Most notably, script gadgets have shown how this trust can be exploited by triggering the execution of benign JavaScript fragments with seemingly harmless markup injections. In this paper, we show that script gadgets are only the tip of the iceberg. Seemingly benign markup injections can trigger the execution of fragments that we call DOM gadgets; unlike script gadgets, these do not necessarily result in a cross-site scripting vulnerability. Instead, they can result in a broader set of attacks, such as browser request hijacking attacks, cross-site request forgery attacks, and user interface manipulations.
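As an added illustration of the DOM-to-sink flow described above (example code written for this page, not taken from the paper or its tooling): a gadget that takes a request target from a DOM attribute, beside a hardened form that treats the DOM-derived value as untrusted input and validates it against the page origin before it reaches the request sink. The `document` stand-in, the `data-api` attribute name and the origins used are assumptions.

```javascript
// Stand-in for the two DOM calls the gadget uses (assumption: a real page
// would call document.querySelector, which returns the FIRST match in
// document order, so markup that lands earlier in the page wins).
function el(attrs) {
  return { attrs, getAttribute: (name) => (name in attrs ? attrs[name] : null) };
}
function makeDocument(elements) {
  return {
    querySelector(selector) {
      const attr = selector.slice(1, -1); // '[data-api]' -> 'data-api'
      return elements.find((e) => attr in e.attrs) || null;
    },
  };
}

// DOM gadget: the value of the first [data-api] element is used, unchecked,
// as the target of a request (the DOM-to-sink flow the paper describes).
function vulnerableEndpoint(doc) {
  const node = doc.querySelector('[data-api]');
  return node ? node.getAttribute('data-api') : null;
}

// Hardened form: the DOM value is treated as untrusted input. It is resolved
// against the page origin and accepted only if it stays same-origin and
// under the expected API prefix; otherwise a built-in default is used.
function hardenedEndpoint(doc, pageOrigin, allowedPrefix = '/api/') {
  const origin = new URL(pageOrigin).origin;
  const fallback = new URL(allowedPrefix + 'profile', origin).href;
  const node = doc.querySelector('[data-api]');
  const raw = node ? node.getAttribute('data-api') : '';
  let url;
  try {
    url = new URL(raw, origin); // parsing alone rejects nothing; see check below
  } catch {
    return fallback;            // unparseable value
  }
  const ok = url.origin === origin && url.pathname.startsWith(allowedPrefix);
  return ok ? url.href : fallback;
}

// Constructed DOMs: the page as shipped, and the same page after a markup
// injection placed an extra element before the legitimate one.
const PAGE_ORIGIN = 'https://app.example';
const shippedDom = makeDocument([el({ 'data-api': '/api/profile' })]);
const injectedDom = makeDocument([
  el({ 'data-api': 'https://evil.invalid/collect' }), // injected markup
  el({ 'data-api': '/api/profile' }),                  // legitimate element
]);
console.log(vulnerableEndpoint(injectedDom), hardenedEndpoint(injectedDom, PAGE_ORIGIN));
```

The same check should be applied to any other value read from the DOM that ends in a request, navigation or form-action sink; an allow-list keyed on origin and path prefix is the minimal validation the abstract's "10% with no checks" figure refers to.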
In this paper, we introduce an automated approach that combines static and dynamic analysis to detect DOM gadgets, tracing flows from the DOM to security-sensitive sinks, and assessing the presence of validation or sanitization checks. We conduct a large-scale web crawl across the top 15k domains and identify 2.6 million DOM-to-sink data flows that could lead to DOM gadget exploitation.
We complement this by automatically detecting markup injection vulnerabilities, finding 657 DOM gadgets on 37 sites that also have the markup injection vulnerability required to exploit them.
We further analyze these flows to assess the presence and effectiveness of security checks, revealing that 10% of DOM gadget flows receive no validation or sanitization checks. Our results indicate that DOM-based input trust is both widespread and underprotected. Our work highlights the scale and diversity of DOM gadget vulnerabilities in the wild, motivating a rethink of the DOM's role in web application trust boundaries and offering tools to aid in their identification and mitigation.