Page 1 of 1

CSS based DoS attack against web browsers

Posted: 2018-11-30, 14:28
by LigH1L
I wonder if you already have implemented some prevention (or can imagine any "Defense in Depth") against:

https://cras.sh/
CraSSh is a cross-browser purely declarative DoS relying on poor nested CSS var() and calc() handling in modern browsers.

CraSSh affects all major browsers on desktop and mobile platforms:
  • WebKit/Blink-based -- Chrome, Opera, Safari, even Samsung Internet on their smart TVs / fridges.
    Android WebView, iOS UIWebView are also affected, meaning that any app with a built-in browser can be crashed.
  • Gecko-based -- Firefox and its forks like Tor Browser.
    Servo doesn't even start on any of my machines, so I haven't tested it.
  • EdgeHTML-based -- Edge on windows, WebView in UWP apps(does anyone use them, though?)
IE is not affected as it does not support the features CraSSh relies on but its users already have their fair share of pain.

Re: CSS based DoS attack against web browsers

Posted: 2018-11-30, 17:10
by Nigaikaze
LigH1L wrote:I wonder if you already have implemented some prevention
Working on it: Issue #891 (UXP).

Re: CSS based DoS attack against web browsers

Posted: 2018-11-30, 17:16
by LigH1L
Best wishes! :thumbup:

Re: CSS based DoS attack against web browsers

Posted: 2018-11-30, 17:46
by yami_
It only hangs the browser for me...

Re: CSS based DoS attack against web browsers

Posted: 2018-11-30, 18:00
by LigH1L
That's its purpose. No access to valuable data, just freezing it by allocating way too much memory and taking excess time to calculate that.

Re: CSS based DoS attack against web browsers

Posted: 2018-11-30, 18:12
by yami_
LigH1L wrote:That's its purpose.
Oh, so it just has a stupid name... Seems that I was not the only one fooled by it: Issue #891 (uxp).

Re: CSS based DoS attack against web browsers

Posted: 2018-11-30, 18:27
by LigH1L
Well, I used "Denial of Service" (DoS) in the title, like the description explained. That describes the effect optimally: "Application does not respond" because it hogs the CPU.

Re: CSS based DoS attack against web browsers

Posted: 2018-11-30, 18:39
by yami_
I was thinking about the "CraSSh" name and not about your topic's title.The title is fine.

Re: CSS based DoS attack against web browsers

Posted: 2018-11-30, 18:51
by Nigaikaze
yami_ wrote:Seems that I was not the only one fooled by it
Pale Moon actually did crash for me. It hung and was unresponsive for a bit, but then finally ended up crashing.

Re: CSS based DoS attack against web browsers

Posted: 2018-12-01, 09:26
by Moonchild
It will crash due to OOM.

Of note this is no more severe than any other DoS caused through recursion. The moment you give something allocation and calculation capabilities (whether it be js, css or anything else given these capabilities doesn't matter) it can be abused by people creating bad content that will cause out-of-bounds cpu/memory use. It's no different than a common mistake by JS novices calling a timeout from within a timeout, spawning endless timers recursively.

Re: CSS based DoS attack against web browsers

Posted: 2018-12-01, 11:34
by Moonchild
Trivial fix for a trivial problem. RESOLVED FIXED in the next version of our applications.