​KryptoGuard™ Developer Zone

Should assigning location.host to self be a nop within a JavaScript?

6/25/2021

A simple self-assignment of a DOM object's location.host property, within a simple embedded client-side JavaScript as shown below, could result in a flood of GET requests:

    <script> location.host=location.host </script>

The snippet above could be fed as input to a simple web form (one devoid of input validation checks) to demonstrate the problem. Admittedly, the problem could be alleviated with the client's rate limiting feature. However, should this assignment be allowed? Wouldn't it be reasonable to expect the JavaScript engine to treat this assignment as a nop? While the problem itself looks trivial on the surface, it could be used creatively. For example, search results tend to reflect back the input. What if a frivolous implementation did not properly vet the input? It could result in momentary DDoS attacks.

I stumbled on this issue several months back and tried to raise it at a different scope.  Thought I would publish it here now, along with a demo.  Comments welcome!
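
For the search-results case described above, the sketch below shows an unvetted reflection beside an output-encoded one, plus a server-side check that flags a client repeating the same GET in a tight loop. It is an added example, not code from the original post or its demo; the function names, log entry shape, thresholds and sample data are all assumptions.

```javascript
// Added example, not code from the original post; all names are hypothetical.

// Constructed input: the snippet from the post, submitted as a search query.
const SAMPLE_QUERY = "<script> location.host=location.host </script>";

// Unvetted reflection: the browser parses the <script> element, which per
// the post results in the client issuing GET requests over and over.
function renderResultsUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Encode characters that are significant in HTML text and quoted attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened reflection: the input is displayed as text, never parsed as markup.
function renderResultsSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Server-side symptom check: flag clients that repeat the same GET more than
// `limit` times inside `windowMs`. Entries are {ip, url, t}, t in ms, in time order.
function findReloadLoops(entries, limit = 5, windowMs = 1000) {
  const recent = new Map(); // "ip url" -> timestamps still inside the window
  const flagged = new Set();
  for (const { ip, url, t } of entries) {
    const key = `${ip} ${url}`;
    const times = (recent.get(key) || []).filter((prev) => t - prev < windowMs);
    times.push(t);
    recent.set(key, times);
    if (times.length > limit) flagged.add(key);
  }
  return [...flagged];
}

// Constructed access-log sample: one client looping, one browsing normally.
const SAMPLE_LOG = [
  ...Array.from({ length: 8 }, (_, i) => ({ ip: "203.0.113.7", url: "/search?q=x", t: i * 50 })),
  { ip: "198.51.100.4", url: "/search?q=shoes", t: 400 },
  { ip: "198.51.100.4", url: "/search?q=boots", t: 900 },
];

console.log(renderResultsSafe(SAMPLE_QUERY));
console.log(findReloadLoops(SAMPLE_LOG));
```

Encoding at output time removes the cause; the loop check only surfaces the symptom and is a reasonable input to server-side rate limiting.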
    Author

    Founder of KryptoGuard™ technology initiative, product and services.
