Monday, December 12, 2011

Javascript Exploit: setTimeout

When I was messing around with some javascript animation, I came across a rather strange exploit in javascript that can be taken advantage of to cause a little havoc on browsers. A quick explanation of javascript, when using an alert or other popup, that popup will pause the execution of the script until it is dealt with. However, setTimeout spawns another. This means using setTimeout, you can spawn multiple alert boxes or other such things that will pause and wait for input.

So then the question is how to use this to an exploit. A quick rough version would be something like
while (1){
  setTimeout(function (){
    alert("");
  }, 0);
}
This will create an infinite loop that will spawn alert boxes really fast, and probably freeze up or crash a browser. However due to browsers keeping javascript "sandboxed" for protection, there is a chance it will just say the script stopped responding and suspend it. This sandbox effect is to keep scripts from being able to interact with any other tabs or windows the user might have open as well as personal data stored, while not perfect, it can prevent certain exploits from causing damage.

Now alternatively, we could create a fork bomb. A fork bomb will multiply processes exponentially as apposed to what we have setup where it just increases directly. That will end up looking something like this.
function fork() {
  while (1){
    alert("");
    setTimeout(fork, 0);
  }
} fork();
This will then keep doubling but the effect will most likely be it just stops responding faster due to the sandbox setup. This could also have uses as this will fake multithreading by faking concurrency. So fake multithreading exploit is the bottom line.

No comments:

Post a Comment

Tag Cloud

.NET (2) A+ (5) ad ds (1) addon (4) Android (4) anonymous functions (1) application (9) arduino (1) artificial intelligence (1) backup (1) bash (6) camera (2) certifications (3) comptia (5) css (2) customize (11) encryption (3) error (13) exploit (5) ftp (1) funny (4) gadget (4) games (3) GUI (5) hardware (16) haskell (6) help (14) HTML (3) imaging (2) irc (1) it (1) java (2) javascript (13) jobs (1) Linux (19) lua (1) Mac (4) malware (1) math (6) msp (1) network (13) perl (2) php (3) plugin (2) powershell (8) privacy (2) programming (24) python (10) radio (2) regex (3) repair (2) security (16) sound (2) speakers (2) ssh (1) story (5) Techs from the Crypt (5) telnet (1) tools (13) troubleshooting (11) tutorial (9) Ubuntu (4) Unix (2) virtualization (2) web design (6) Windows (16) world of warcraft (1) wow (1) wx (1)