Shazzer logo

    DOM element relationships

    The classic DOM element relationship test found in the blog post https://portswigger.net/research/dom-clobbering-strikes-back

    Created by: joaxcar

    Created on: Wednesday, April 10, 2024 at 7:46:42 AM

    Updated on: Thursday, July 25, 2024 at 1:32:27 AM

    Vector type: XSS

    Template used:
    <$[data1] id="x$[i]"><$[data2] id="y$[j]"></$[data2]></$[data1]>
    Code used after fuzz:
    document.getElementById('x$[i]') && x$[i].y$[j] && log('$[data1]->$[data2]')
    Your browser was detected as:
    Detecting... Detecting... Detecting... Detecting...

    Sample payloads

    <form->button id="x0">< id="y0"></></form->button>
    <form->fieldset id="x0">< id="y0"></></form->fieldset>
    <form->img id="x0">< id="y0"></></form->img>
    <form->input id="x0">< id="y0"></></form->input>
    <form->object id="x0">< id="y0"></></form->object>
    <form->output id="x0">< id="y0"></></form->output>
    <form->select id="x0">< id="y0"></></form->select>
    <form->textarea id="x0">< id="y0"></></form->textarea>

    Fuzz results

    Chrome logo
    Chrome 123.0.0.0 Unknown Unknown
    Found 8 results
    Data
    form->button
    Data
    form->fieldset
    Data
    form->img
    Data
    form->input
    Data
    form->object
    Data
    form->output
    Data
    form->select
    Data
    form->textarea
    Safari logo
    Safari 17.4 Unknown Unknown
    Found 8 results
    Data
    form->button
    Data
    form->fieldset
    Data
    form->img
    Data
    form->input
    Data
    form->object
    Data
    form->output
    Data
    form->select
    Data
    form->textarea
    Firefox logo
    Firefox 124.0 Unknown Unknown
    Found 8 results
    Data
    form->button
    Data
    form->fieldset
    Data
    form->img
    Data
    form->input
    Data
    form->object
    Data
    form->output
    Data
    form->select
    Data
    form->textarea