EventChecksCircumventableByInfLoops
Invariants enforced by event handlers can be circumvented by causing the browser to turn off javascript.
Attack-Vector
Updated Feb 4, 2010 by mikesamuel@gmail.com

Effect

Malicious code that can cause a denial of service (for example, by running an infinite loop) can circumvent security checks that rely on script being executed.

Background

Many browsers (including IE and FF) will throttle frames that execute too much JavaScript without pausing. They often ask the user a question like:

Unresponsive script

A script on this page may be busy or it may have stopped responding. ...
[Stop Script] [Continue]

Assumptions

Excessive computation (such as by executing an infinite loop) is not preempted before the browser can intercede.

Security constraints are enforced via event handlers.

Security can be breached by unscripted browser behavior such as form submission.

Versions

Many including IE and FF.

Example

Consider a tamed DOM that allows forms to be used as collections of inputs but prevents them from being submitted:

<form onsubmit="foo()">...</form>

<form onsubmit="try { foo(); } finally { return false; }">...</form>

If foo is function foo() { while (1); }, then the browser will eventually prompt the user to turn off scripting, at which point the form will either submit, or will become submittable should the user click a button.
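As an added example (not the project's own code): one way to keep the invariant from depending on script is to enforce it structurally when the DOM is tamed, so that stopping scripts leaves the browser with no default submit action to perform. The tree shape and the data-tamed-form attribute are assumptions of this example.

```javascript
// Added example: make "forms are input collections, never submittable" hold
// without any handler running. Input is a constructed HTML-like tree
// { tag, attrs, children }; text nodes are plain strings.

// Attributes that only matter for submission; dropping them keeps the inputs intact.
const SUBMISSION_ATTRS = new Set(['action', 'method', 'target', 'enctype', 'onsubmit']);

// Rewrite one node and its children; returns a new tree, the input is untouched.
function tameFormTree(node) {
  if (typeof node === 'string') return node;            // text node
  let tag = node.tag.toLowerCase();
  const attrs = {};
  for (const [k, v] of Object.entries(node.attrs || {})) {
    if (!SUBMISSION_ATTRS.has(k.toLowerCase())) attrs[k] = v;
  }
  if (tag === 'form') {
    // Without a <form> element there is no default submit action at all, whether
    // the user presses Enter, clicks a button, or stops the page's scripts.
    tag = 'div';
    attrs['data-tamed-form'] = '1';       // assumed marker so the tamed DOM can expose .elements
  } else if (tag === 'input' && /^(submit|image)$/i.test(attrs.type || '')) {
    attrs.type = 'button';
  } else if (tag === 'button' && !/^(button|reset)$/i.test(attrs.type || '')) {
    attrs.type = 'button';                // a <button> with no type defaults to submit
  }
  return { tag, attrs, children: (node.children || []).map(tameFormTree) };
}

// Defender's check: true if anything in the tree could still trigger a submission.
function hasSubmissionPath(node) {
  if (typeof node === 'string') return false;
  const tag = node.tag.toLowerCase();
  const type = (node.attrs && node.attrs.type) || '';
  if (tag === 'form') return true;
  if (tag === 'input' && /^(submit|image)$/i.test(type)) return true;
  if (tag === 'button' && !/^(button|reset)$/i.test(type)) return true;
  return (node.children || []).some(hasSubmissionPath);
}

// Constructed sample: the page's guarded form plus a submit button, which would
// post once the onsubmit handler is no longer running.
const untrusted = {
  tag: 'form',
  attrs: { action: 'https://example.com/collect', method: 'post',
           onsubmit: 'try { foo(); } finally { return false; }' },
  children: [
    { tag: 'input', attrs: { name: 'secret', type: 'text' }, children: [] },
    { tag: 'input', attrs: { type: 'submit', value: 'Go' }, children: [] },
  ],
};
const tamed = tameFormTree(untrusted);
console.log(hasSubmissionPath(untrusted), hasSubmissionPath(tamed)); // true false
```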
