Browser DDOS Vulnerabilities

From Kicksecure

Can a browser be frozen by heavy JavaScript as an attack? Are there other vulnerabilities? What happens if JavaScript is constantly fetched, or if the browser's DOM is 1 GB or more in size?

Documentation for this is incomplete. Contributions are happily considered! See this for potential alternatives.

Browser DDOS Vulnerabilities

  • Vulnerabilities
    1. Infinite loops / infinite recursion: while(true) {} can cause the browser to freeze, and function recursive() { recursive(); } can crash the browser due to stack overflow. Modern browsers have safeguards in place, but it is still a risk, especially if combined with other attacks.
    2. Memory consumption: By creating an extremely large DOM or an extremely large array, memory can be exhausted, leading to a slowdown of the OS or a crash of the browser.
    3. Fetching humongous data: Constantly / infinitely fetching giant data files can slow down the browser or freeze it.
    4. Forced reflows and layouts: By constantly changing huge parts of the page layout at short intervals, the browser can be slowed down.
    5. iframe overload: Creating a huge number of iframes, even without a source, and adding them to the page can slow down the browser.
    6. iframe inception: An iframe references the same page it is on, which in turn creates another iframe that references the same page, and so on. This can lead to an infinite loop, causing the browser to consume significant resources and potentially become unresponsive or crash.
  • These are the most common, and even some less likely, DDOS vulnerabilities for the browser. Most modern browsers are safeguarded against them as much as possible. But as there is often no way to tell whether huge memory consumption is benevolent or malevolent, the browser has to accept most of these commands.
  • In the past, JavaScript was more powerful in browsers, giving it some OS access. But due to viruses and malware, all browsers now use a sandbox to severely limit JavaScript's capabilities.
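
For item 6 (iframe inception), a page that embeds frames can inspect its own ancestor chain before inserting another one. The following is an added example, not code from Kicksecure or from any browser; MAX_DEPTH, the URLs and the fakeWindow() stand-in are assumptions made so the logic runs outside a browser.

```javascript
// Added example. MAX_DEPTH and all URLs are assumptions; fakeWindow() builds
// constructed stand-ins for browser Window objects so the logic runs offline.
const MAX_DEPTH = 2;

// Compare URLs without their fragment, so "#x" variants count as the same page.
function normalize(url, base) {
  const u = new URL(url, base);
  u.hash = "";
  return u.href;
}

// Walk window.parent up to the top-level window (where parent === self).
function inspectFrameChain(win) {
  const selfUrl = normalize(win.location.href);
  let depth = 0, sameUrlAncestors = 0, opaqueAncestors = 0;
  for (let cur = win; cur.parent !== cur && depth < 1000; ) {
    cur = cur.parent;
    depth += 1;
    try {
      if (normalize(cur.location.href) === selfUrl) sameUrlAncestors += 1;
    } catch (e) {
      opaqueAncestors += 1; // cross-origin ancestor: reading its URL throws
    }
  }
  return { depth, sameUrlAncestors, opaqueAncestors };
}

// Decide whether the document in `win` may insert an iframe for childUrl.
function mayCreateChildFrame(win, childUrl, maxDepth = MAX_DEPTH) {
  const chain = inspectFrameChain(win);
  if (chain.depth >= maxDepth) return { allow: false, reason: "max-depth" };
  if (chain.sameUrlAncestors > 0) return { allow: false, reason: "self-nesting" };
  const self = normalize(win.location.href);
  if (normalize(childUrl, self) === self) return { allow: false, reason: "frames-own-url" };
  return { allow: true, reason: "ok" };
}

// Constructed stand-in for a Window; crossOrigin makes URL reads throw.
function fakeWindow(url, parent, crossOrigin = false) {
  const w = {};
  w.parent = parent || w;
  Object.defineProperty(w, "location", {
    get() {
      if (crossOrigin) throw new Error("SecurityError (constructed)");
      return { href: url };
    },
  });
  return w;
}
```

In a real page the first argument would be window. Site operators can additionally restrict which origins may frame a page with the Content-Security-Policy frame-ancestors directive.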
