- Remote Denial-of-Service with Chrome
The first denial of service comes to chrome during the dawn of CVE-2008–4340 where an attacker can deliberately deliver a remote denial of service through memory consumption via carriage return (“\r\n\r\n”) argument to the “window.open()” function.. it was patched since within working hours by Google, but just recently they decided to mark DOS reports as out-of-scope, completely.
So here’s a story how i found a REMOTE denial-of-service in chrome with a similarity to CVE-2008–4340 which achieves denial-of-service via memory exhaustion.
Let’s first talk how CVE-2008–4340 works.
Well, it abuses the the carriage return \r and the newline \n via window.open function which basically instruct the browser to open more tabs along, flooding it until it hops off the memory consumption up to 99% resulting into a remote denial of service via memory exhaustion.. so how google fixed it? by blocking every requested new window.. *props to that*
So it works by crafting looped window.open function to flood the browser with requests which means more memory consumption.. and we already know that google eats up a lot of memory by nature..
So during the year of 2016–2017 as i can’t remember, i found a guy that reported a browser issue on brave by hanging the browser with window.open function through setInterval() method.. pretty much works like a loop too as in the CVE-2008–4340 :)) but the method didn’t work on chrome, instead of me ended up finding chessy bug on brave’s payment page not bad at all :D
Years later, with constant chrome update and stability update I came again with the code snippet:
the above script would just basically reload the page with every 1000 miliseconds delay.
at every page reload..
Chrome would literally have to block each window.open() function at every 1000 milliseconds which eats up a lot of memory making each blocks useless.
Anyone can be targeted with this, and it works on all devices.. Mac, Linux, Windows, and Android :))
*reported to google. this is remediated by now.