Talk:DOM clobbering/GA1


GA Review

The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.



Reviewer: Elli (talk · contribs) 21:18, 19 February 2024 (UTC)

Claiming this review. Will go through the article in the next few days. Elli (talk | contribs) 21:18, 19 February 2024 (UTC)

@Elli are you going to work on this? RoySmith (talk) 16:57, 4 March 2024 (UTC)
Sorry, just been caught up with a lot of stuff the past few weeks and haven't gotten the chance to sit down for an in-depth review. I am still planning to do this soon. Elli (talk | contribs) 17:31, 4 March 2024 (UTC)

History

  • "In 2015, Heiderich et al. proposed a design for a library called JSAgents, (later DOMPurify) that would be effective at sanitizing markup injection attacks such as those related to cross-site scripting and DOM clobbering." Do you have secondary sources for this?
I've added another source :)
  • Third paragraph relies mainly on primary sources and a corporate blog post; is there anything better that could be used here?
The blog post is a guest post by Gareth Heyes, who is a subject matter expert and PortSwigger is a fairly well-known (in the field) web-security-research-oriented company that regularly features posts from experts on their blog. I personally would consider that source to be fairly reliable.
I'll try to see if I can get any reporting on the rest; however, this might be a bit difficult since such proposals rarely make it into traditional RS.
  • In general, this section might belong below the "Vulnerability" section? The content here (especially in the first paragraph) doesn't make a lot of sense if you don't understand what the vulnerability is.
Done :)

@Sohom Datta: I am very sorry for the delay in starting this review. I'll get to the other sections soon. Elli (talk | contribs) 19:16, 4 March 2024 (UTC)

No issues, feel free to take your time :) Sohom (talk) 15:12, 5 March 2024 (UTC)

Vulnerability

  • Looks good, though could you point out the particular pages of "Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets" that verify the relevant content?
  Done

Example

  • Specifying the page here would also be good.
  Done

Threat model

  • "The threat model for a DOM clobbering attack is similar to that of the web attacker model proposed by Akhawe et al. in 2010." That model hasn't been explained and isn't linked here.
The next sentence goes into the highlights of the model that are relevant to the article. Describing the whole model wouldn't be relevant to the page and I don't think we have an article for this specific model. (Hopefully once we have better coverage of this subject area, we should be able to tease out an article for it.)

Defenses

  • "While the optimal defence against DOM clobbering would be to turn off access to named DOM elements, this is currently not feasible due to the significant active usage of these features as per Chrome telemetry data in 2021." Not sure that a comment on GitHub is sufficient to establish this.
Added cite
  • Maybe expand this section a bit more in general? Proper sanitation would completely mitigate this, right? (Even if no libraries exist to do so.) snyk at least indicates that using proper scoping can help and is an easy mitigation; that probably should be mentioned.
Snyk is being a bit optimistic here. However, there does seem to be some scope for expansion.

Lead

  • "This can lead to a skilled attacker being able to perform a variety of unwanted behaviours" I'd change the wording here to be a bit clearer, such as "This enables a skilled attacker to perform a variety of unwanted behaviours" -- more concise.
  Done
  • "recent efforts to mitigate it completely have been unsuccessful due to a significant amount of usage of the underlying features across the web as of 2021" Again I'd want a better cite in the body for this than a comment on GitHub.
Ditto

Overall

  • This article is in pretty decent shape. Would suggest adding more specific page numbers to the sources (such as with {{rp}} or similar) to make verification easier. (If you do not want to do that, I would appreciate you providing the locations to me at least for easier verification.)
  Done

@Sohom Datta: I've finished the initial review. I am so sorry for the long delay in getting to all of this. Elli (talk | contribs) 20:04, 9 March 2024 (UTC)

The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.