Wednesday, August 26, 2009

DOS attack on Firefox

Denial of Service (DOS) Attack for Firefox
It works by consuming memory on the user's computer.
The main reason this attack is possible on Firefox is an insufficient memory check in the document.write function.
The parser first builds the DOM tree from the received input before it is displayed to the user (or handed to the rendering unit). The following code consumes all available memory on your system; on a machine with a quad-core processor and 4GB RAM, it will terminate after a few hours (approx. 8 to 10 hrs).

The sample code is given below:
var a;
for (var i = 0; i < 32000; i++) {
    document.write(a += i);
}
document.write("Terminated");

The backtrace is as follows:
nsScannerString::AppendBuffer()
nsScanner::AppendToBuffer()
nsScanner::Append()
nsParser::Parse()
nsHTMLDocument::WriteCommon()
nsHTMLDocument::ScriptWriteCommon()
nsHTMLDocument::Write()

The Chrome browser uses behavior analysis to detect unresponsive scripts/programs.
Function call analysis will not work correctly on this kind of example, because an attacker can create the same effect (DOS attack) in many different ways.
Mozilla has the dom.max_script_run_time variable, which is set to 10 by default. In debug mode, Firefox prompts the user with a warning about the unresponsive script; however, this warning does not appear in normal mode, and the script hangs Firefox (or even the whole system) after some time. In other words, Firefox has a built-in check for unresponsive scripts, but this mechanism somehow does not work for this example in normal mode.
I tested the above code in Internet Explorer, but IE shows a pop-up window and asks the user whether he wants to terminate the script or continue its execution. I think that's the expected behaviour.
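
The kind of cumulative size check the post says document.write lacks, as an added example that is not from the original post or from Firefox's code. makeBudgetedWriter, the counting sink and the 1,000-character limit are hypothetical, and the loop assumes `a` starts as an empty string so that every write is longer than the last.

```javascript
// Added illustration, not Firefox code: makeBudgetedWriter, the sink and the
// limits are hypothetical. Assumes `a` starts as "" so every write grows.

// Characters the loop would hand to the sink in total (arithmetic only,
// nothing is allocated): write i carries the digits of 0..i concatenated.
function totalCharsWritten(iterations) {
  let len = 0;
  let total = 0;
  for (let i = 0; i < iterations; i++) {
    len += String(i).length;
    total += len;
  }
  return total;
}

// Wrap a write sink with a cumulative character budget.
function makeBudgetedWriter(sink, maxChars) {
  let written = 0;
  let tripped = false;
  function write(text) {
    const s = String(text);
    if (tripped || written + s.length > maxChars) {
      tripped = true; // stay tripped: later calls cannot keep feeding the sink
      throw new RangeError("write budget of " + maxChars + " chars exceeded");
    }
    written += s.length;
    sink(s);
  }
  write.stats = () => ({ written, tripped });
  return write;
}

// Constructed harness: the sink only counts, standing in for the parser buffer.
function runGrowingWrites(iterations, maxChars) {
  let buffered = 0;
  const write = makeBudgetedWriter((s) => { buffered += s.length; }, maxChars);
  let a = "";
  let stoppedAt = null;
  for (let i = 0; i < iterations; i++) {
    a += i;
    try {
      write(a);
    } catch (e) {
      if (!(e instanceof RangeError)) throw e;
      stoppedAt = i;
      break;
    }
  }
  return { stoppedAt, buffered, ...write.stats() };
}
```

With the constructed 1,000-character budget the loop is stopped at iteration 35 after 955 characters. Unguarded, 32,000 iterations would pass about 2.26 billion characters to the sink, which is why a time-based watchdog alone does not bound the memory cost.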
