Security: 'img' tag src attribute ddos/botnet
Reported by insanama...@gmail.com, Jan 1 2017
Issue description

VULNERABILITY DETAILS
I have successfully written a program that uses a client's browser to spam a website with GET requests. It works by adding multiple 'img' tags to the current HTML document. The 'img' tag is generated with a src attribute of the target and a '/i' at the end of the URL, where i represents an integer. I have tested it against a Python server and I was able to confirm that it does work.

VERSION
Chrome Version: all
Operating System: all

REPRODUCTION CASE
All files used will be attached to this message. I managed to write a node.js/socket.io browser-based botnet using this exploit. To start it, make sure to install node and npm, then open a command prompt/terminal at the extracted folder location and type 'npm install' and 'npm install ejs'. Once all the modules are installed on your local machine, run the index.js file using node (cmd: node index.js). If no errors occur, navigate to localhost:3000 in your web browser and log in with (username: datboi / password: 0e1b8b3ef01dad60a89c3b16b6eeff54). Once you have logged in, you will see that there is 1 bot connected, you. If you want to add more bots, open another tab and navigate to localhost:3000/client. Enter your target (the Python server) as http://localhost:2000/ and it will print out every request that it receives.

PATCH
You would have to change the cross-domain request policy for anything with the 'src' attribute, causing disruption all over the web. The other option is to limit the amount of images that can be loaded by JavaScript code (reasonable). I plan on sharing my findings with the internet community of programmers.
Jan 3 2017
Sorry for the late reply, I had work all day yesterday. Anyway, assuming an nginx server can handle up to 500,000 requests per second, and a bot can be modified to send up to 1000 requests per second (change the setInterval time to 1), if the bots can handle it, I would assume the minimum amount of bots would be 500. However, with the current settings, each bot sends about 40 requests per second. This would mean it would take about 12,500 bots to take out a high-end nginx server. Keep in mind that by default the nginx server bottlenecks at about 50,000 requests per second. On a side note, restricting cross-domain requests in all src attributes would affect the web development community very negatively. My suggestion is to change the src request protocol by having the client browser download a file that specifies what files can be retrieved, then before sending a request to a website, make sure that it is specified as retrievable. Once the file has been retrieved, it can be accessed through cache memory instead of sending more requests.
Jan 9 2017
mkwst/jww/estark: Do you have any thoughts on this issue?
Jan 11 2017
This isn't something we'd usually consider a security vulnerability, so I'm removing the labels. Will leave it open for the ccs to take a look, but I'm not sure if we can realistically do anything here.
Jan 25 2017
Feb 16 2017
You can do the same thing with the fetch() function. A server can inspect the Origin header with the "crossorigin" attribute to mitigate the risk.
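The server-side check suggested in the comment above, written out as an added example that is not part of this thread or of the srcnet project. It assumes Express-style request objects with lowercase header names, a hypothetical allowlist containing only https://example.com, and a constructed threshold of 20 requests per second; a plain 'img' tag without crossorigin sends no Origin header at all, so the filter falls back to Referer and, when neither is present, to per-client rate limiting.

```javascript
// Added example: server-side filter implementing the mitigation suggested above.
// A plain <img> sends no Origin header (only one with crossorigin, or fetch(), does),
// so we fall back to Referer and, when neither is present, to per-client rate limiting.
// The allowlist, threshold and the sample requests below are constructed values.

const ALLOWED_ORIGINS = new Set(['https://example.com']); // hypothetical allowlist
const WINDOW_MS = 1000;      // sliding window of one second
const MAX_PER_WINDOW = 20;   // hypothetical threshold (the report measured ~40 req/s per bot)

// Origin of the page that embedded the request, or null when it cannot be attributed.
function sourceSite(headers) {
  if (headers.origin) return headers.origin;
  if (!headers.referer) return null;
  try { return new URL(headers.referer).origin; } catch (e) { return null; }
}

// Sliding-window counter; returns an allow(key, nowMs) function.
function makeLimiter() {
  const buckets = new Map();
  return function allow(key, nowMs) {
    const recent = (buckets.get(key) || []).filter(t => nowMs - t < WINDOW_MS);
    recent.push(nowMs);
    buckets.set(key, recent);
    return recent.length <= MAX_PER_WINDOW;
  };
}

// Decision for one request: req = { ip, path, headers (lowercase keys), time (ms) }.
function decide(req, allow) {
  const site = sourceSite(req.headers);
  if (site !== null && !ALLOWED_ORIGINS.has(site)) {
    return { status: 403, reason: 'origin-not-allowed' }; // embedded by a foreign page
  }
  const key = req.ip + '|' + (site || 'unattributed');
  if (!allow(key, req.time)) return { status: 429, reason: 'rate-limited' };
  return { status: 200, reason: 'ok' };
}

// Replay a constructed burst of n unattributed image requests from one client,
// spread evenly over one second, and tally the outcomes by status code.
function simulateFlood(n) {
  const allow = makeLimiter();
  const tally = { 200: 0, 403: 0, 429: 0 };
  for (let i = 0; i < n; i++) {
    const req = { ip: '10.0.0.5', path: '/' + i, headers: {}, time: Math.floor(i * 1000 / n) };
    tally[decide(req, allow).status]++;
  }
  return tally;
}

console.log(simulateFlood(40)); // { '200': 20, '403': 0, '429': 20 }
```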
Mar 3 2017
Well, it was a fun project. It's currently listed on my GitHub (https://github.com/Tino-F/srcnet).
Comment 1 by mmoroz@chromium.org, Jan 2 2017. Labels: Needs-Feedback