Guy Rutenberg

Keeping track of what I do

A JavaScript DOS Attack

with 9 comments

In this post I will present a way of creating a JavaScript based DOS attack that utilizes the bad implementation of tabs in most (if not all) web-browsers. The attack will make the browser unresponsive and force the user to kill its process. This attack is based on the following JavaScript code:

<script type="text/javascript">
while(1) {
        alert("DOS");
}
</script>

This simple attack, can be much more annoying then it looks, due to the popularity of tab enabled web-browsers such as Firefox and IE7.
In todays web-browsers, if a JavaScript alert pops-up the user must dismiss it before doing anything else. That includes things like switching tabs, closing the open tab, opening menus and etc. If you want to see how annoying this little code can be, just go to this page (warning: this will turn your browser unresponsive and will force you to kill it).

As you can see this small script will turn your web-browser completely unresponsive and thus force you to kill it. The first instinct will be restore the crashed session, but it won’t be possible, as it will reopen the page with the malicious code. So you will have to start your a new session and reopen each tab manually. This small script allowed a malicious user, to force you to crash your own web-browser, while loosing data (unsent email, blog post, or any kind of unsaved form data), without you having any option to prevent it.

When I say you don’t have any option to prevent it, I say because this code might be in a link a friend send you as a way to annoy you, or in a legitimate web-site which been a victim of JavaScript injection attack. Yes, you can completely protect your self from this by surfing with JavaScript turned off, but many modern website won’t work, turning this option useless (you would deny yourself any service from many AJAX enabled sites).

To solve this situation we need to take a look at what caused it. Let’s say the malicious site has been open in its own web-browser instance. In this case you would just kill this instance and continue browsing in the other open windows. But when you open several other sites in the same instance using tabs, you will have to close all of them. This happened because there isn’t enough separation between tabs. In this case a page loaded in one effects all other opened tabs.

In order to fix and prevent this kind of DOS attack, browser developers need to take a new approach of separation between tabs.

  • In under no circumstances one tab should be able to effect other tabs’ status.
  • Also tab shouldn’t be able to prevent the user from closing it or switching to another tab.
  • JavaScript alerts shouldn’t be modal. They could be implemented in a way so they prevent any action within the tab until they are dismissed, but in no way they should be able to prevent actions in other tabs.

I’m no web-browser developer, but this shouldn’t be too hard to implement in order to fix such old, yet annoying problem, which becomes much more annoying in a tabbed web-browsing environment.

Share and Enjoy:
  • del.icio.us
  • StumbleUpon
  • Ma.gnolia
  • Digg
  • Facebook
  • Mixx
  • Google
  • Furl
  • Simpy

Written by Guy

November 23rd, 2007 at 12:30 am

Posted in JavaScript

« C’s “Goes To” Operator
Multibyte String Truncate Modifier for Smarty – mb_truncate »

9 Responses to 'A JavaScript DOS Attack'

Subscribe to comments with RSS or TrackBack to 'A JavaScript DOS Attack'.

  1. Opera won’t have this problem. On a Javascript alert, users can select “Stop Executing Javascript on This Page” and it will break the loop.

    AssistantX

    29 Nov 07 at 08:38

  2. I wish Firefox would have such feature. The way opera does it (as you describe) sound too me like the perfect solution for this problem.

    Guy

    29 Nov 07 at 08:41

  3. Hey,

    Thanks for the tip. In fact JS code is not verified until run. Do you know any Firefox add-on to prevent malicious JS snippets?

    Viet

    22 Mar 08 at 08:33

  4. Hi Viet,
    There is a firefox extension called NoScript that blocks anything that runs on the client-side until you specifically allow it (white-list). While it helps prevent many JS related issues, in my opinion it’s a bit too harsh for most users.

    Guy

    22 Mar 08 at 11:30

  5. ya noscript, although useful can be quite annoying.. I repeatedly enable it (after becoming paranoid about JS attacks) only to disable it few days later due to the extreme annoyance.. :-(

    A “stop executing javascript” on tab (and globally) is an essential feature / add on. I’m also no browser developer.. but it appears quite doable, especially since Opera got it.

    Amitabh

    12 Jun 08 at 03:00

  6. Do this javascript have any future? I don’t think vhost or dedicated dos is an bigger deal today.

    Christofer Abrahamsson

    17 Nov 08 at 20:15

  7. This addon for Firefox adds the ability to double-click the alert’s icon and leave the page. This prevents the page from freezing up the browser:

    https://addons.mozilla.org/en-US/firefox/addon/10422

    anonymous

    19 Mar 09 at 00:28

  8. Good post. I’m surprised more browser developers haven’t implemented a feature to stop this. I’ll be trying out the FireFox plugin shortly!

    sampablokuper

    27 Apr 09 at 15:40

  9. var x=0;
    while(1)
    {
    alert(”DOS”);
    }

    genius

    4 Jun 09 at 20:34

Leave a Reply