On Apr 17, 2010, at 2:49 AM, Nilesh Patil wrote:
> Hi
>
> I have one doubt about javascript that does malicious things. Consider
> following javascript.
>
> <script language="JavaScript">
> var n=unescape("%u9090");
> var s=unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000");
> for(var i=0;i<64;i++){
> n=n+n;
> document.write('<script>throw n+s;</scr'+'ipt>');
> }
> </script>
>
> The above code causes an exception and thereby causes a crash, though Chrome doesn't
> close. I am not sure what this script does, but I think this is something to
> do with 'throw' in JavaScript.
> Maybe something to do with overflow.
> My doubt is,
>
> Is there any kind of handling done for the above scenario, which has potential for
> hacking?
>
> I have Chrome 4.1.249.1045 (42898) on which above script crashes Chrome page.
All browsers are engineered on the assumption that everything done in JS is
malicious.
That said, your example is not really "malicious":
var n = " ";
for (var i = 0; i < 64; i++) {
n = n + n; // double the string length
document.write(n);
}
Clearly this is simply a memory exhaustion issue: the memory growth is
exponential; to display the content you would need a machine with a >64-bit
address space.
In future can you avoid cross-posts to multiple lists? Cheers.
--Oliver
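An added example, not code from either post, that makes Oliver's point concrete: it computes the size the doubling loop reaches after 64 rounds and shows the bounded form of the loop that a test harness or sandboxed runner would use, failing with a clear error instead of exhausting memory. The function names, the 64 MiB budget and the 2-bytes-per-character assumption are this example's own.

```javascript
// Added example (not from the thread): models the growth of the quoted
// doubling loop and demonstrates a memory-budget guard around it.
// All names and limits below are this example's own assumptions.

const BYTES_PER_CHAR = 2; // JS strings are sequences of UTF-16 code units

// Length of the string after `rounds` doublings, starting from `initialLen`
// characters. BigInt is used because 2^64 is not representable as a Number.
function lengthAfterDoublings(initialLen, rounds) {
  return BigInt(initialLen) << BigInt(rounds);
}

// Number of doublings that fit inside `budgetBytes`, i.e. how many rounds
// can run before the next one would exceed the budget.
function safeDoublings(initialLen, budgetBytes) {
  const budgetChars = BigInt(budgetBytes) / BigInt(BYTES_PER_CHAR);
  let len = BigInt(initialLen);
  let rounds = 0;
  while (len * 2n <= budgetChars) {
    len *= 2n;
    rounds++;
  }
  return rounds;
}

// The quoted loop with a guard: the string is doubled `rounds` times, but
// the loop refuses to perform a doubling that would exceed `budgetBytes`.
function growWithBudget(seed, rounds, budgetBytes) {
  let n = seed;
  for (let i = 0; i < rounds; i++) {
    const nextBytes = n.length * 2 * BYTES_PER_CHAR;
    if (nextBytes > budgetBytes) {
      throw new RangeError(
        `round ${i}: doubling ${n.length} chars would need ${nextBytes} bytes, ` +
        `budget is ${budgetBytes}`);
    }
    n = n + n;
  }
  return n;
}

function demo() {
  // unescape("%u9090") in the original script is one UTF-16 code unit,
  // so the loop starts from a 1-character string.
  const chars = lengthAfterDoublings(1, 64);            // 2^64 characters
  const bytes = chars * BigInt(BYTES_PER_CHAR);         // 2^65 bytes
  const budget = 64 * 1024 * 1024;                      // 64 MiB, a constructed limit
  return {
    charsAfter64: chars.toString(),
    bytesAfter64: bytes.toString(),
    safeRounds: safeDoublings(1, budget),               // 25 rounds fit in 64 MiB
  };
}

console.log(demo());
try {
  growWithBudget(" ", 64, 1024);
} catch (e) {
  console.log(String(e)); // the guard fires long before memory runs out
}
```

With a 1-character seed, only 25 of the 64 doublings fit in 64 MiB; the remaining rounds are what turn the script into an out-of-memory condition rather than anything that corrupts memory. The `throw n+s` in the original only makes the oversized string the message of an uncaught exception.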
>
> _______________________________________________
> webkit-dev mailing list
> [email protected]
> http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev