Comments on: Firefox history DOS attack http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/ A tool for designers dealing with programmers dealing with designers... Fri, 10 Sep 2010 16:26:34 +0000 http://wordpress.org/?v=2.6.2 By: Jesse Ruderman http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-858 Jesse Ruderman Sun, 18 Nov 2007 07:31:10 +0000 http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-858 Jophn, I'd start by reading old bugs in bugzilla.mozilla.org about JavaScript recursion limits, and then using those bug reports to find the relevant source code. Once you understand how they work, you might have enough information to fix the bug, or you might not -- it might require knowledge of XBL or something. I don't know, I'm more a tester than a Gecko developer ;) Jophn, I’d start by reading old bugs in bugzilla.mozilla.org about JavaScript recursion limits, and then using those bug reports to find the relevant source code. Once you understand how they work, you might have enough information to fix the bug, or you might not — it might require knowledge of XBL or something. I don’t know, I’m more a tester than a Gecko developer ;)

]]> By: Jophn Deo http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-857 Jophn Deo Sat, 17 Nov 2007 18:08:46 +0000 http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-857 Does anyone have a study hint in order to fully appreciate the technical implications? Does anyone have a study hint in order to fully appreciate the technical implications?

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-841 Gareth Heyes Fri, 16 Nov 2007 09:13:49 +0000 http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-841 Hey Jesse No problem! Yeah I figured it would work on any object but the history one was the one I was testing at the time. Hey Jesse

No problem! Yeah I figured it would work on any object but the history one was the one I was testing at the time.

]]> By: Jesse Ruderman http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-840 Jesse Ruderman Fri, 16 Nov 2007 07:58:51 +0000 http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-840 Thanks for discovering and reporting this clever way to confuse Firefox with recursion. I've filed https://bugzilla.mozilla.org/show_bug.cgi?id=403999 with a clearer testcase -- you can use any object, even ({}), in place of the history object. Thanks for discovering and reporting this clever way to confuse Firefox with recursion. I’ve filed https://bugzilla.mozilla.org/show_bug.cgi?id=403999 with a clearer testcase — you can use any object, even ({}), in place of the history object.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-837 Gareth Heyes Thu, 15 Nov 2007 11:47:12 +0000 http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-837 Accessing body or innerHTML causes a permission error. Accessing body or innerHTML causes a permission error.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-836 Gareth Heyes Thu, 15 Nov 2007 11:46:17 +0000 http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-836 Here's my new attempt:- window.onload = function() { newElement = document.createElement('iframe'); newElement.src = 'http://www.google.co.uk/'; newElement.id = 'iframe'; newElement.onload = function() { var doc = this.contentWindow.document; this.__defineGetter__('contentWindow',function() { return doc }); x = this.contentWindow; delete this.contentWindow; delete doc; alert(x); } document.body.appendChild(newElement); } Doesn't work though :( Here’s my new attempt:-
window.onload = function() {
newElement = document.createElement(’iframe’);
newElement.src = ‘http://www.google.co.uk/’;
newElement.id = ‘iframe’;
newElement.onload = function() {
var doc = this.contentWindow.document;
this.__defineGetter__(’contentWindow’,function() { return doc });
x = this.contentWindow;
delete this.contentWindow;
delete doc;
alert(x);
}
document.body.appendChild(newElement);
}

Doesn’t work though :(

]]> By: .mario http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-835 .mario Thu, 15 Nov 2007 10:14:15 +0000 http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-835 Yep - the holy grail of SOP. I've been trying various approaches recently but haven't had any success yet. My last attempt was to fill iframes with HTML via this.innerHTML='payload' in the src attribute and trying to access the rendered content after a timeout. But Firefox manages to handle it too - any property inside contentWindow is access restricted. Yep - the holy grail of SOP. I’ve been trying various approaches recently but haven’t had any success yet.

My last attempt was to fill iframes with HTML via this.innerHTML=’payload’ in the src attribute and trying to access the rendered content after a timeout. But Firefox manages to handle it too - any property inside contentWindow is access restricted.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-831 Gareth Heyes Wed, 14 Nov 2007 21:48:08 +0000 http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-831 Thanks :) yeah that's my plan, I'm not sure it's possible because the objects are spoofed getters. I'm having fun trying though Thanks :) yeah that’s my plan, I’m not sure it’s possible because the objects are spoofed getters. I’m having fun trying though

]]> By: Awesome AnDrEw http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-830 Awesome AnDrEw Wed, 14 Nov 2007 21:43:50 +0000 http://www.thespanner.co.uk/2007/11/14/firefox-history-dos-attack/#comment-830 Nice work, Gareth. I'm really pulling that you figure out a way to break the same origin policy simply because it would be quite impressive. Nice work, Gareth. I’m really pulling that you figure out a way to break the same origin policy simply because it would be quite impressive.

]]>