CSS based DoS attack against web browsers

LigH1L
Fanatic
Posts: 122
Joined: 2013-02-22, 19:08
Location: rural central Germany

CSS based DoS attack against web browsers

Unread post by LigH1L » 2018-11-30, 14:28

I wonder if you already have implemented some prevention (or can imagine any "Defense in Depth") against:

https://cras.sh/
CraSSh is a cross-browser purely declarative DoS relying on poor nested CSS var() and calc() handling in modern browsers.

CraSSh affects all major browsers on desktop and mobile platforms:
  • WebKit/Blink-based -- Chrome, Opera, Safari, even Samsung Internet on their smart TVs / fridges.
    Android WebView, iOS UIWebView are also affected, meaning that any app with a built-in browser can be crashed.
  • Gecko-based -- Firefox and its forks like Tor Browser.
    Servo doesn't even start on any of my machines, so I haven't tested it.
  • EdgeHTML-based -- Edge on Windows, WebView in UWP apps (does anyone use them, though?)
IE is not affected as it does not support the features CraSSh relies on but its users already have their fair share of pain.
Fun and success!
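
One defense-in-depth check for the nested var() amplification named in the quoted summary, as an added example that is not part of the original post and not the UXP fix: it computes how long each custom property would become after var() substitution without performing the substitution, and flags values over a budget. The function names, the 64-character budget and the sample stylesheet are constructed for illustration; selector scoping and var() fallbacks are ignored.

```javascript
// Added example: size each CSS custom property after var() substitution
// without performing the substitution. Sample stylesheet is constructed.
const DECL = /(--[\w-]+)\s*:\s*([^;}]+)/g;
const VAR_REF = /var\(\s*(--[\w-]+)\s*\)/g;

// Collect custom property declarations; the last declaration of a name wins
// (selector scoping is ignored, which is a simplification).
function parseCustomProps(css) {
  const props = new Map();
  for (const m of css.matchAll(DECL)) props.set(m[1], m[2].trim());
  return props;
}

// Length of `name` after full substitution. Memoized, so the work is linear
// in the number of references. A reference cycle yields Infinity.
function expandedLength(name, props, memo, active = new Set()) {
  if (memo.has(name)) return memo.get(name);
  if (!props.has(name)) return 0;          // undefined variable expands to nothing
  if (active.has(name)) return Infinity;   // cycle: never terminates if expanded
  active.add(name);
  const value = props.get(name);
  let total = value.length;
  for (const ref of value.matchAll(VAR_REF)) {
    total += expandedLength(ref[1], props, memo, active) - ref[0].length;
  }
  active.delete(name);
  memo.set(name, total);
  return total;
}

// Report every custom property whose expanded value exceeds `budget` chars.
function auditStylesheet(css, budget) {
  const props = parseCustomProps(css);
  const memo = new Map();
  return [...props.keys()]
    .map((name) => ({ name, length: expandedLength(name, props, memo) }))
    .filter((f) => f.length > budget);
}

const SAMPLE_CSS = `
:root {
  --a: 10px;
  --b: calc(var(--a) + var(--a));
  --c: calc(var(--b) + var(--b));
  --d: calc(var(--c) + var(--c));
}
.box { width: var(--d); }`;

console.log(auditStylesheet(SAMPLE_CSS, 64));
```

Because each level is sized from memoized child lengths, the audit stays cheap even when the expanded value would not fit in memory.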

Nigaikaze
Board Warrior
Posts: 1322
Joined: 2014-02-02, 22:15
Location: Chicagoland

Re: CSS based DoS attack against web browsers

Unread post by Nigaikaze » 2018-11-30, 17:10

LigH1L wrote: I wonder if you already have implemented some prevention
Working on it: Issue #891 (UXP).
Nichi nichi kore ko jitsu = Every day is a good day.

Re: CSS based DoS attack against web browsers

Unread post by LigH1L » 2018-11-30, 17:16

Best wishes! :thumbup:

yami_

Re: CSS based DoS attack against web browsers

Unread post by yami_ » 2018-11-30, 17:46

It only hangs the browser for me...

Re: CSS based DoS attack against web browsers

Unread post by LigH1L » 2018-11-30, 18:00

That's its purpose. No access to valuable data, just freezing it by allocating way too much memory and taking excess time to calculate that.

yami_

Re: CSS based DoS attack against web browsers

Unread post by yami_ » 2018-11-30, 18:12

LigH1L wrote: That's its purpose.
Oh, so it just has a stupid name... Seems that I was not the only one fooled by it: Issue #891 (uxp).

Re: CSS based DoS attack against web browsers

Unread post by LigH1L » 2018-11-30, 18:27

Well, I used "Denial of Service" (DoS) in the title, like the description explained. That describes the effect optimally: "Application does not respond" because it hogs the CPU.

yami_

Re: CSS based DoS attack against web browsers

Unread post by yami_ » 2018-11-30, 18:39

I was thinking about the "CraSSh" name and not about your topic's title. The title is fine.

Re: CSS based DoS attack against web browsers

Unread post by Nigaikaze » 2018-11-30, 18:51

yami_ wrote: Seems that I was not the only one fooled by it
Pale Moon actually did crash for me. It hung and was unresponsive for a bit, but then finally ended up crashing.

Moonchild
Pale Moon guru
Posts: 35474
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: CSS based DoS attack against web browsers

Unread post by Moonchild » 2018-12-01, 09:26

It will crash due to OOM.

Of note, this is no more severe than any other DoS caused through recursion. The moment you give something allocation and calculation capabilities (whether it be JS, CSS or anything else given these capabilities doesn't matter), it can be abused by people creating bad content that will cause out-of-bounds CPU/memory use. It's no different than a common mistake by JS novices calling a timeout from within a timeout, spawning endless timers recursively.
Last edited by Moonchild on 2018-12-01, 09:58, edited 1 time in total.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Re: CSS based DoS attack against web browsers

Unread post by Moonchild » 2018-12-01, 11:34

Trivial fix for a trivial problem. RESOLVED FIXED in the next version of our applications.