CSS based DoS attack against web browsers

Unread post by LigH1L » 2018-11-30, 14:28

I wonder if you already have implemented some prevention (or can imagine any "Defense in Depth") against:

https://cras.sh/
CraSSh is a cross-browser purely declarative DoS relying on poor nested CSS var() and calc() handling in modern browsers.

CraSSh affects all major browsers on desktop and mobile platforms:
  • WebKit/Blink-based -- Chrome, Opera, Safari, even Samsung Internet on their smart TVs / fridges.
    Android WebView, iOS UIWebView are also affected, meaning that any app with a built-in browser can be crashed.
  • Gecko-based -- Firefox and its forks like Tor Browser.
    Servo doesn't even start on any of my machines, so I haven't tested it.
  • EdgeHTML-based -- Edge on Windows, WebView in UWP apps (does anyone use them, though?)
IE is not affected as it does not support the features CraSSh relies on but its users already have their fair share of pain.
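
One possible defense-in-depth check for the nested var()/calc() handling described above, as an added example that is not part of the original thread and is not Pale Moon/UXP code: it computes how large each custom property would become once fully substituted, without ever building the expanded string, so a stylesheet can be rejected against a size budget. The function names, the budget value and the simplified parsing (no var() fallbacks, no at-rules) are assumptions, and the stylesheet is a constructed sample.

```javascript
// Constructed sample input: a few nested custom properties plus a self-reference.
const SAMPLE_CSS = `
:root {
  --base: 10px;
  --l1: calc(var(--base) + var(--base));
  --l2: calc(var(--l1) + var(--l1));
  --l3: calc(var(--l2) + var(--l2));
  --loop: var(--loop);
}`;

const DECL = /(--[\w-]+)\s*:\s*([^;}]+)/g;   // "--name: value" declarations
const REF = /var\(\s*(--[\w-]+)\s*\)/g;      // var(--name) references, no fallback

// Returns Map(name -> BigInt length of the fully substituted value).
// Memoised, so the work is linear in the stylesheet size even when the
// substituted text itself would grow exponentially with nesting depth.
function expandedSizes(css) {
  const decls = new Map();
  for (const [, name, value] of css.matchAll(DECL)) decls.set(name, value.trim());
  const sizes = new Map();
  const inProgress = new Set();
  function size(name) {
    if (sizes.has(name)) return sizes.get(name);
    // Undefined or cyclic references are invalid and contribute nothing.
    if (!decls.has(name) || inProgress.has(name)) return 0n;
    inProgress.add(name);
    const value = decls.get(name);
    let total = BigInt(value.replace(REF, "").length); // literal characters
    for (const [, ref] of value.matchAll(REF)) total += size(ref);
    inProgress.delete(name);
    sizes.set(name, total);
    return total;
  }
  for (const name of decls.keys()) size(name);
  return sizes;
}

// Names of properties whose substituted value would exceed the budget (hypothetical limit).
function overBudget(css, budget) {
  return [...expandedSizes(css)]
    .filter(([, n]) => n > BigInt(budget))
    .map(([name]) => name);
}
```
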

Unread post by Nigaikaze » 2018-11-30, 17:10

LigH1L wrote: I wonder if you already have implemented some prevention
Working on it: Issue #891 (UXP).
Nichi nichi kore ko jitsu = Every day is a good day.

Unread post by LigH1L » 2018-11-30, 17:16

Best wishes! :thumbup:

Unread post by yami_ » 2018-11-30, 17:46

It only hangs the browser for me...
cat came back from Berkeley waving flags -- rob pike

Unread post by LigH1L » 2018-11-30, 18:00

That's its purpose. No access to valuable data, just freezing it by allocating way too much memory and taking excess time to calculate that.

Unread post by yami_ » 2018-11-30, 18:12

LigH1L wrote: That's its purpose.
Oh, so it just has a stupid name... Seems that I was not the only one fooled by it: Issue #891 (uxp).
cat came back from Berkeley waving flags -- rob pike

Unread post by LigH1L » 2018-11-30, 18:27

Well, I used "Denial of Service" (DoS) in the title, like the description explained. That describes the effect optimally: "Application does not respond" because it hogs the CPU.

Unread post by yami_ » 2018-11-30, 18:39

I was thinking about the "CraSSh" name and not about your topic's title. The title is fine.
cat came back from Berkeley waving flags -- rob pike

Unread post by Nigaikaze » 2018-11-30, 18:51

yami_ wrote: Seems that I was not the only one fooled by it
Pale Moon actually did crash for me. It hung and was unresponsive for a bit, but then finally ended up crashing.
Nichi nichi kore ko jitsu = Every day is a good day.

Unread post by Moonchild » 2018-12-01, 09:26

It will crash due to OOM.

Of note this is no more severe than any other DoS caused through recursion. The moment you give something allocation and calculation capabilities (whether it be js, css or anything else given these capabilities doesn't matter) it can be abused by people creating bad content that will cause out-of-bounds cpu/memory use. It's no different than a common mistake by JS novices calling a timeout from within a timeout, spawning endless timers recursively.
Last edited by Moonchild on 2018-12-01, 09:58, edited 1 time in total.
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne

Unread post by Moonchild » 2018-12-01, 11:34

Trivial fix for a trivial problem. RESOLVED FIXED in the next version of our applications.
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne