Assigning a DOM object's location.host property to itself, in a simple embedded client-side JavaScript snippet as shown below, could result in a flood of GET requests:

<script> location.host=location.host </script>

The above could be fed as input to a simple web form (devoid of input validation checks) to demonstrate the problem. Admittedly, the problem could be alleviated with the client's rate limiting feature. However, should this assignment be allowed? Wouldn't it be reasonable to expect the JavaScript engine to treat this assignment as a no-op?

While the problem itself looks trivial on the surface, it could be creatively used. For example, search results tend to reflect back the input. What if a frivolous implementation did not properly vet the input? It could result in momentary DDoS attacks.

I stumbled on this issue several months back and tried to raise it at a different scope. Thought I would publish it here now, along with a demo. Comments welcome!
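The reflected-input case above comes down to how the search page echoes the query. The following is an added example, not code from the original post: it contrasts a verbatim reflection with an output-encoded one and adds a Content-Security-Policy that blocks inline script. All function and constant names are hypothetical, and the sample query is the post's snippet used as constructed form input.

```javascript
// Added example: reflecting a search term safely. Names are hypothetical.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the characters that let text break out of an HTML text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The unvetted implementation the post describes: input is echoed verbatim,
// so a submitted <script> element becomes part of the page.
function renderResultsUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: bound the length, then encode at the point of reflection.
function renderResultsSafe(query, maxLen = 200) {
  const bounded = String(query).slice(0, maxLen);
  return `<p>Results for: ${escapeHtml(bounded)}</p>`;
}

// Defence in depth: with this policy the browser refuses to run inline
// <script> blocks even if an unescaped reflection slips through elsewhere.
const RESPONSE_HEADERS = {
  "Content-Type": "text/html; charset=utf-8",
  "Content-Security-Policy": "default-src 'self'; script-src 'self'",
};

// True if the markup still contains a live <script> element.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample input: the snippet from the post, as submitted to a form.
const SAMPLE_QUERY = "<script> location.host=location.host </script>";

console.log("unsafe page has live script:", containsScriptTag(renderResultsUnsafe(SAMPLE_QUERY)));
console.log("safe page has live script:  ", containsScriptTag(renderResultsSafe(SAMPLE_QUERY)));
console.log(renderResultsSafe(SAMPLE_QUERY));
```
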
Author: Founder of KryptoGuard™ technology initiative, product and services.