I'm not sure whether being able to slow, DoS or crash a browser is worth talking about in a security forum. Sure, if it was any other network related program, it would deserve a mention, and probably even a fix. But browsers are such bloated beasts, they are really expected to crash. I suspect every web developer that has to get his code to work on multiple browsers knows at least half a dozen ways to do so on each version, although they don't think of it as neat 0-day exploits, but just as bugs they have to work around to have their stuff working right. Maybe that will change over time as more stable browsers come out, and then people will stop thinking it's normal for a browser to crash or misbehave in any way.

Now, while I'm here... a limitation with your attack is that your web server has to send a lot of data to hurt the browser a bit. Using client-side scripting would make it a lot faster to send, while achieving the same result.

<script>for(b="A";1;b+=b);</script>

For example, that script creates strings of 1, 2, 4, 8, 16, ... characters. Only the latest computed string has a reference to it, so every previous string should eventually get garbage collected.

This one-liner makes Netscape 4 jump to, and apparently stay at, 150M on Linux, but doesn't kill it (I'm sending this mail from the same instance). Opera 4 wasn't that lucky, and died shortly after reaching 50M.

Henri

--- Xander Teunissen <Ueberschimat_private> wrote:
> Hi y'all,
>
> I was working on a plugin thingie for a certain browser which uses
> some html form fields and couldn't help wondering about the way these
> get handled in memory.
>
> More specifically, when for example a textfield gets filled out with
> one value or another or has one predefined, this obviously has to be
> stored somewhere, at least until the form is posted. Most
> browsers/email clients etc however don't seem to apply any limits to
> this value, which could potentially eat away a lot of memory. What is
> to stop someone from putting something like
>
> <?
>
> $i = 1;
> $n = "rather bloody huge amount of data";
>
> while ($i > 0) {
>
>     echo "<form><input type=\"text\" value=\"$n\"></form>";
>
> }
>
> ?>
>
> together? ("Ethics"? No such animal I'm afraid..)
>
> If $n is sufficiently large, this eats through the available memory
> (and a lot of CPU cycles) way before you even start considering to
> stop the page from loading. (yeah yeah there's always someone with
> better reflexes, not my point here though :) Even though in the above the
> fact that it's looping isn't helping either (I just wanted a quick
> example), the size of the value has a lot to say about it as well
> (otherwise try a lot of text boxes with long predefined values on 1
> page instead of looping).
>
> On my box's local webserver the memory didn't get freed from the
> browser process until another page was loaded or the browser got
> killed (of course if you'd want to put this in an email message php
> wouldn't work but surely we're creative enough to get past that).
> From a remote machine the browser process eventually seemed to
> consume less but the overall performance did go down the drain
> (talking MSIE5 Win2k/Solaris versions and Netscape 4 to 6 same
> versions here).
>
> Riddle me how, riddle me why (or if this has already been discussed
> to death, humor me), how to deal with this? (since none of the
> browsers available to me do :( ) Is it even possible to limit this or is
> it just the way the implementation goes?
>
> Cheers,
>
> Xander
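Xander asks whether this can be limited at all. One place a limit can live is in front of the browser or mail client, in a filtering proxy or mail gateway: the following is an added example, written by the editor and not code from either poster, that scans a page's HTML and reports when the prefilled form values (singly or combined) or the number of form fields exceed a byte budget. The limit constants are assumed values, and the pages fed to it in testing are constructed.

```python
from html.parser import HTMLParser

# Assumed policy limits (not from the thread); a real gateway would make them configurable.
MAX_VALUE_BYTES = 4096         # largest single prefilled value
MAX_TOTAL_VALUE_BYTES = 65536  # all prefilled values on one page combined
MAX_FORM_FIELDS = 200          # <input>/<textarea> elements on one page


class FormBudgetScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.fields = 0
        self.total_value_bytes = 0
        self.largest_value_bytes = 0
        self._textarea = None  # collects element text while inside <textarea>

    def _account(self, text):
        # Count bytes of text the browser would have to hold as a predefined value.
        nbytes = len(text.encode("utf-8"))
        self.total_value_bytes += nbytes
        self.largest_value_bytes = max(self.largest_value_bytes, nbytes)

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "textarea"):
            self.fields += 1
        value = dict(attrs).get("value")
        if tag == "input" and value:      # value="..." attribute
            self._account(value)
        if tag == "textarea":             # predefined value is the element text
            self._textarea = []

    def handle_endtag(self, tag):
        if tag == "textarea" and self._textarea is not None:
            self._account("".join(self._textarea))
            self._textarea = None

    def handle_data(self, data):
        if self._textarea is not None:
            self._textarea.append(data)


def check_form_budget(html):
    """Return the limits the page exceeds; an empty list means it is within budget."""
    scanner = FormBudgetScanner()
    scanner.feed(html)
    scanner.close()
    checks = (
        (scanner.fields, MAX_FORM_FIELDS, "form fields"),
        (scanner.largest_value_bytes, MAX_VALUE_BYTES, "bytes in one prefilled value"),
        (scanner.total_value_bytes, MAX_TOTAL_VALUE_BYTES, "bytes in all prefilled values"),
    )
    return [f"{seen} {what} (limit {limit})" for seen, limit, what in checks if seen > limit]
```

A gateway would refuse or strip the page when the returned list is non-empty; the same scan is cheap enough to run on every message body.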
This archive was generated by hypermail 2b30 : Sat Jun 23 2001 - 20:08:25 PDT