Open Bug 1311306 Opened 5 years ago Updated 2 years ago
DDOS target website on Clicking a single link of distributed malicious HTML in Firefox
Just realized we can also use the above loophole to cause DDOS on any third-party website. The attached script will open twitter1...twitter99 on one single user click. The scary part is that the user will not see twitter1..twitter98, so he would never realize that his network is sending several requests to twitter. This attack's intensity would increase as more people click on the link. The above script will show you twitter5.com last, since I placed a confirm box on twitter4.com in an onclick. So an attacker can define the endpoint by simply using an alert or confirm box. Now, since we can use this to attack other websites, can we consider this a valid security bug?
Summary: Client Browser Denial of Service → DDOS target website on Clicking a single link of distributed malicious HTML in Firefox
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20161019084923
Hi Anurag, I have tested your issue on the latest FF release (49.0.1) and the latest Nightly (Build ID: 20161024030205) and reproduced it. Using the HTML attachment from Firefox.zip, the memory increased up to 4.4 GB (please see attachment); Firefox just froze, without crashing. At first glance this issue could start in the Security component.
Thanks Roxana for the check :) The part I am very scared of is becoming a part of a DDOS attack by just clicking on the link as shown in a.html. (Simply posting a viral post with an infected link on Facebook can initiate a serious chain of attacks on the targeted website.) Chrome also has the freeze problem, but somehow it manages to send only one link on the network and cancel the rest of the calls, thus saving the user from becoming a DDOS node. Just a suggestion: it would be great if we could use a similar strategy along with saving victim resources.
Hi, Any update on this issue? Thanks
Hi, I have tested this issue on the newest FF release. After the update, from Firefox.zip, the memory increased up to 4.4 GB; Firefox just froze, without crashing. Didn't understand what is going on. Later I found this: https://reviewedbypro.com/what-is-critical-firefox-update-and-how-to-remove-it/ Be careful