A JavaScript DOS Attack

In this post I will present a way of creating a JavaScript based DOS attack that utilizes the bad implementation of tabs in most (if not all) web-browsers. The attack will make the browser unresponsive and force the user to kill its process. This attack is based on the following JavaScript code:

<script type="text/javascript">
while(1) {
        alert("DOS");
}
</script>

This simple attack, can be much more annoying then it looks, due to the popularity of tab enabled web-browsers such as Firefox and IE7.
In todays web-browsers, if a JavaScript alert pops-up the user must dismiss it before doing anything else. That includes things like switching tabs, closing the open tab, opening menus and etc. If you want to see how annoying this little code can be, just go to this page (warning: this will turn your browser unresponsive and will force you to kill it).

As you can see this small script will turn your web-browser completely unresponsive and thus force you to kill it. The first instinct will be restore the crashed session, but it won’t be possible, as it will reopen the page with the malicious code. So you will have to start your a new session and reopen each tab manually. This small script allowed a malicious user, to force you to crash your own web-browser, while loosing data (unsent email, blog post, or any kind of unsaved form data), without you having any option to prevent it.

When I say you don’t have any option to prevent it, I say because this code might be in a link a friend send you as a way to annoy you, or in a legitimate web-site which been a victim of JavaScript injection attack. Yes, you can completely protect your self from this by surfing with JavaScript turned off, but many modern website won’t work, turning this option useless (you would deny yourself any service from many AJAX enabled sites).

To solve this situation we need to take a look at what caused it. Let’s say the malicious site has been open in its own web-browser instance. In this case you would just kill this instance and continue browsing in the other open windows. But when you open several other sites in the same instance using tabs, you will have to close all of them. This happened because there isn’t enough separation between tabs. In this case a page loaded in one effects all other opened tabs.

In order to fix and prevent this kind of DOS attack, browser developers need to take a new approach of separation between tabs.

  • In under no circumstances one tab should be able to effect other tabs’ status.
  • Also tab shouldn’t be able to prevent the user from closing it or switching to another tab.
  • JavaScript alerts shouldn’t be modal. They could be implemented in a way so they prevent any action within the tab until they are dismissed, but in no way they should be able to prevent actions in other tabs.

I’m no web-browser developer, but this shouldn’t be too hard to implement in order to fix such old, yet annoying problem, which becomes much more annoying in a tabbed web-browsing environment.

16 thoughts on “A JavaScript DOS Attack”

  1. Opera won’t have this problem. On a Javascript alert, users can select “Stop Executing Javascript on This Page” and it will break the loop.

  2. I wish Firefox would have such feature. The way opera does it (as you describe) sound too me like the perfect solution for this problem.

  3. Hey,

    Thanks for the tip. In fact JS code is not verified until run. Do you know any Firefox add-on to prevent malicious JS snippets?

  4. Hi Viet,
    There is a firefox extension called NoScript that blocks anything that runs on the client-side until you specifically allow it (white-list). While it helps prevent many JS related issues, in my opinion it’s a bit too harsh for most users.

  5. ya noscript, although useful can be quite annoying.. I repeatedly enable it (after becoming paranoid about JS attacks) only to disable it few days later due to the extreme annoyance.. 🙁

    A “stop executing javascript” on tab (and globally) is an essential feature / add on. I’m also no browser developer.. but it appears quite doable, especially since Opera got it.

  6. Good post. I’m surprised more browser developers haven’t implemented a feature to stop this. I’ll be trying out the FireFox plugin shortly!

  7. Hmmm, it seems that in two years, this is still a problem in Firefox 3.5.

    Another problem, on Windows XP, at least, is that this alert box officially makes it responsive, which means you can’t just click on the ‘X’ and let windows ask you to close it, you actually have to go into Task Manager, etc…

    There is a Firefox add-on called “Session Manager” which, in addition to a number of other features, allows you to choose which pages are to be reloaded when the session is restored.

  8. Google Chrome has a checkbox in subsequent alert boxes that states “do not show further messages from this page”. I wonder why Firefox hasn’t yet still built such a feature in their codebase and relies on plugins for as basic things as security.

  9. I think that NoScript is the only way to prevent this kind of dos attack, because i’ve tried this code on a page with included jquery library:
    o=1;window.setInterval(function() { sc=”while(o) { void(0);}”;$(“body”).prepend(sc);}, 1);
    This kind of code injection freezes some modern browsers, then a “Stop Executing Javascript” alert appears in firefox. After clicking it, the browser will freeze again and you’ve got the same problem anyway.

  10. AmericanHealthJournal is seeking for partners in the health care niche. AHJ is a medicine web site with 3000+ of high quality health care videos. We are looking for webmasters who are interested in featuring our videos. We can offer content exchanges, link exchanges, and exposure to your site. Get in touch with us at our contact form on our website.

Leave a Reply

Your email address will not be published. Required fields are marked *