Quicky Firefox DoS
Well, it turns out I am speaking at Blackhat after all, plus I have an OWASP preso to do tomorrow. That makes five presos in six days. Shoot me now. Anyway, I was playing around with Firefox today and accidentally found a super tiny DoS for Firefox that reminded me of my childhood. Remember that math puzzle where you put one penny on one square, two on the next, four on the next, and so on? Clearly that amounts to more money than you could realistically have once you think it through, but kids have a hard time wrapping their heads around it. This is sort of similar, except it's not geometric, it's linear, which made it surprising that it caused Firefox so much pain. I had just assumed the JS engine in Firefox would decide it was running too tight a loop and throw the "running too slow" prompt at worst, or just finish at best, since it doesn't look all that complicated:
var a = "";  // start from an empty string; an uninitialised var would prepend "undefined"
for (var i = 0; i < 65536; i++) {
  // append one character, then rewrite the whole accumulated string
  document.write(a += String.fromCharCode(i));
}
I let this run for 10 minutes on a decent sized test machine and it never finished - I had to kill the process. Yeah, I know there are a million ways to DoS browsers, this one was just surprising because I honestly didn’t think it could. Anyway, if I don’t post before then, see you in Vegas!
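As an added example (not code from the original post), the script below makes the cost of that loop concrete without needing a browser. It swaps document.write for a counting sink, runs the post's loop at a small n starting from an empty string, and checks that the number of characters written is n(n+1)/2, i.e. quadratic in n even though the string itself only grows by one character per iteration. Next to it is the same output produced the cheap way (collect once, write once, n characters total) and a cooperative variant that yields to the event loop between batches so a slow-script dialog actually has a chance to interrupt. The names WriteSink, writeQuadratic, writeLinear, charsWritten and writeChunked are my own, and the closed-form estimate for 65536 iterations is computed, not measured.

```javascript
// Added example: model the cost of the document.write loop from the post.
// WriteSink stands in for document.write and only counts what is written.
class WriteSink {
  constructor() { this.chars = 0; this.calls = 0; }
  write(s) { this.chars += s.length; this.calls += 1; }
}

// The post's loop: append one UTF-16 code unit, then rewrite the whole
// string. Total output after n iterations is 1 + 2 + ... + n = n(n+1)/2.
function writeQuadratic(n, sink) {
  let a = "";
  for (let i = 0; i < n; i++) {
    sink.write(a += String.fromCharCode(i));
  }
  return sink.chars;
}

// Same characters, collected once and written once: n characters, one call.
function writeLinear(n, sink) {
  const parts = [];
  for (let i = 0; i < n; i++) parts.push(String.fromCharCode(i));
  sink.write(parts.join(""));
  return sink.chars;
}

// Closed form for the quadratic version; used to check the loop and to
// estimate the original 65536-iteration case without running it.
function charsWritten(n) {
  return n * (n + 1) / 2;
}

// Cooperative variant: `batch` iterations per turn of the event loop, so
// the page stays responsive and the browser can stop the script if asked.
function writeChunked(n, sink, batch = 1024) {
  return new Promise((resolve) => {
    let i = 0;
    function step() {
      const end = Math.min(i + batch, n);
      const parts = [];
      for (; i < end; i++) parts.push(String.fromCharCode(i));
      sink.write(parts.join(""));
      if (i < n) setTimeout(step, 0); else resolve(sink.chars);
    }
    step();
  });
}

if (typeof require !== "undefined" && require.main === module) {
  const n = 2048;
  console.log("quadratic:", writeQuadratic(n, new WriteSink()), "chars");
  console.log("linear:   ", writeLinear(n, new WriteSink()), "chars");
  console.log("65536 iterations of the original loop would write",
              charsWritten(65536), "chars");
  writeChunked(n, new WriteSink()).then((c) => console.log("chunked:  ", c, "chars"));
}
```

Run it with node; at n = 2048 the quadratic version writes about 2.1 million characters versus 2048 for the linear one, and the closed form puts the original 65536-iteration loop at a little over 2.1 billion characters pushed through document.write, which is where the time goes. Batching the work as in writeChunked keeps each turn short; it does not make the total smaller, so the real fix is to build the string once and write it once.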



July 27th, 2009 at 6:49 pm
Oh, that's funny.
Firefox already has some similar DoS bugs that can crash the browser.
July 27th, 2009 at 11:01 pm
Weirdness.
Note: While Safari gave me the long-running-script prompt for this, it failed to actually stop the script from taking over the browser about ten minutes after telling it to stop the script. I got tired of hearing my MacBook Pro impersonate a jet engine and force quit at that point.
July 27th, 2009 at 11:33 pm
Really interesting.
I've never seen a browser that doesn't prompt this message: "very slow script is running!"
This script does it!
We won't use it, but it's a good thing to learn.
July 28th, 2009 at 12:04 am
while(1){}
July 28th, 2009 at 5:39 am
Ummm, I think you’ll find that you meant to say either exponential or geometric, rather than logarithmic, and linear, rather than geometric, just saying.
July 28th, 2009 at 6:29 am
@rvdh - yes but I’m not spinning infinitely. I’m only iterating 65k times - I can see why yours would cause Firefox to spin for minutes on end, but not my example.
@kuza55 - yea, thanks.
July 28th, 2009 at 7:51 am
I had the same response as Shawn from IE8. It offered to kill the script but didn’t.
July 28th, 2009 at 7:53 am
And since a.length increases exponentially with i, is it not geometric?
July 28th, 2009 at 8:38 am
I like the idea of a browser DoS… so, I thought I might add some more code to the mix. Not of much use, but it is still fun to play with.
July 28th, 2009 at 8:46 am
I like the idea of a browser DoS using web workers.
Using web workers
Here is some sample code:
(index.html)
(work.js)
July 28th, 2009 at 8:51 am
It’s clearly quadratic.
July 28th, 2009 at 9:51 am
@dee - odd, my test on IE8.0 allowed me to kill it almost immediately. Not sure why it would be different on our two browsers. Maybe it’s a factor of available memory or something. And I don’t think it’s exponential since it’s just adding one character at a time. That would be linear.
July 28th, 2009 at 10:39 am
@RSnake
Here’s a screen grab from procexp.exe
http://www.flickr.com/photos/40910455@N02/3766471838/
“And I don’t think it’s exponential since it’s just adding one character at a time. That would be linear.”
Yeah, I conflated the code with some other code in my head. Another embarrassing example of why I shouldn’t try to work and play at the same time.
July 28th, 2009 at 11:09 am
RSnake, the string length grows linearly, but it's written every time, and that gives quadratic growth. At first only 0 is written, then 0,1, then 0,1,2, etc. The total number of written characters after n iterations is about n^2/2.
July 28th, 2009 at 11:13 am
@stranger - gotcha, that makes more sense (because it’s being written). I guess, 2 billion chars might take a while to output.
July 28th, 2009 at 11:39 am
terminates nicely on an i7 with 12gb ram. (not mine, but reported by a friend)
July 30th, 2009 at 1:58 am
@ChosenOne
It’s just a matter of computational power vs time, if you stick in a larger number of iterations or make it grow faster (either one will do) it’ll take years on any machine…
What I don’t get is: why does it fail to kill the script after the prompt?
July 31st, 2009 at 12:14 pm
Been there. I’ve had even more reasonable scripts DDoS my browsers. I was just coding casually (it’s been a long time since I did JS, so I can’t remember what it was now), doing something with popups, I don’t think there was even a loop in there, and BAM
DoS
July 31st, 2009 at 12:14 pm
meant to write DoS first time around there. Stupid laptop keyboard
August 3rd, 2009 at 2:34 pm
how about
a='x';while(1){a+=a}
doubles the string every iteration.
for more fun, try DOM objects instead of strings, use cloneNode to duplicate, append to itself as child (does it recursively dupe the entire subtree?). that should fuck up a browser pretty good.
brings me to another idea, would it be possible to use event bubbling to set up an escalating chain reaction in DOM event handlers?
August 4th, 2009 at 2:57 am
testing your wordpress
August 6th, 2009 at 3:56 pm
Oh... good.
And this? It's like your script. It freezes FF and I have to kill the process.
crash
var x=String.fromCharCode(120);
var a="";
var b="";
for(i=0;i
September 6th, 2009 at 8:01 am
My guess is that the string concatenation function is the culprit. It will be native code that is running, trying to create a ridiculously long string, each time getting ridiculously longer. By the time the script has been running long enough for the browser to realise that it's a slow-running script, the string will most likely be massive enough to tie up the native processing, so that the JavaScript itself is not what's causing the slow-down.
Just a thought.