1. Web Security Academy
  2. DOM-based
  3. DOM clobbering
  4. Lab

Lab: Clobbering DOM attributes to bypass HTML filters


This lab uses the HTMLJanitor library, which is vulnerable to DOM clobbering. To solve this lab, construct a vector that bypasses the filter and uses DOM clobbering to inject a vector that alerts document.cookie. You may need to use the exploit server in order to make your vector auto-execute in the victim's browser.


The intended solution to this lab will not work in Firefox. We recommend using Chrome to complete this lab.

Find DOM-based vulnerabilities using Burp Suite

The benefits of working through PortSwigger's Web Security Academy

Get started with the Web Security Academy where you can practise exploiting vulnerabilities on realistic targets .. and its free!

Already got an account? Login here