CSS-based DoS attack against web browsers
Posted: 2018-11-30, 14:28
I wonder if you already have implemented some prevention (or can imagine any "Defense in Depth") against:
CraSSh is a cross-browser purely declarative DoS relying on poor nested CSS var() and calc() handling in modern browsers.
CraSSh affects all major browsers on desktop and mobile platforms:
IE is not affected as it does not support the features CraSSh relies on but its users already have their fair share of pain.
- WebKit/Blink-based -- Chrome, Opera, Safari, even Samsung Internet on their smart TVs / fridges.
Android WebView, iOS UIWebView are also affected, meaning that any app with a built-in browser can be crashed.
- Gecko-based -- Firefox and its forks like Tor Browser.
Servo doesn't even start on any of my machines, so I haven't tested it.
- EdgeHTML-based -- Edge on Windows, WebView in UWP apps (does anyone use them, though?)