[webkit-dev] Regarding malicious javascript detection

Oliver Hunt oliver at apple.com
Sat Apr 17 11:55:53 PDT 2010


On Apr 17, 2010, at 2:49 AM, Nilesh Patil wrote:

> Hi
> 
> I have one doubt about JavaScript that does malicious things. Consider the following JavaScript.
> 
> <script language="JavaScript">
>     var n=unescape("%u9090");
>     var s=unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000");
>     for(var i=0;i<64;i++){
>         n=n+n;
>         document.write('<script>throw n+s;</scr'+'ipt>');
>     }
> </script>
> 
> The above code causes an exception and thereby causes a crash, though Chrome doesn't close. I am not sure what this script does, but I think this is something to do with 'throw' in JavaScript.
> Maybe something to do with overflow.
> My doubt is,
> 
> Is there any kind of handling done for the above scenario, which is a potential for hacking?
> 
> I have Chrome 4.1.249.1045 (42898), on which the above script crashes the Chrome page.

All browsers are engineered on the assumption that everything done in JS is malicious.

That said your example is not really "malicious":
var n = " ";
for (var i = 0; i < 64; i++) {
    n = n + n; // double the string length
    document.write(n);
}
Clearly this is simply a memory exhaustion issue: the memory growth is exponential; to display the content you would need a machine with a >64-bit address space.

In future can you avoid cross-posts to multiple lists? cheers.

--Oliver

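Added example, not code from either poster: the loop from the original post re-run under try/catch in Node.js, so the outcome can be observed rather than crashing a tab, together with Oliver's arithmetic on how much the document.write() version would have to allocate. It assumes a modern V8 engine; the names NOP_SLED, NUL_PAYLOAD, runDoublingLoop and bytesWrittenByDocumentWrite are this example's own. The maximum string length that stops the loop is engine-specific, so the example only relies on the stop being a RangeError.

```javascript
// Added example (not from the thread). Re-runs the doubling loop from the
// original post inside try/catch and computes the allocation Oliver's version
// implies. Assumes a modern V8 (Node.js); the hard cap on string length that
// ends the loop differs between engines and versions.

const NOP_SLED = "\u9090";                    // the unescape("%u9090") value from the post
const NUL_PAYLOAD = "\u0000".repeat(69);      // stand-in for the 69 "%u0000" units in `s`

// Mirrors the post's loop: n doubles each iteration, then `throw n + s` runs.
// A thrown string is an ordinary exception, so the only thing that can stop
// the loop is the engine refusing to build a string longer than its cap.
function runDoublingLoop(maxIterations = 64) {
  let n = NOP_SLED;
  let lastLength = n.length;
  for (let i = 0; i < maxIterations; i++) {
    try {
      n = n + n;                              // length is 2^(i+1) after this line
      lastLength = n.length;
      try {
        throw n + NUL_PAYLOAD;                // the post's `throw n+s`
      } catch (thrown) {
        // The thrown value is just a string: nothing was executed or corrupted.
        if (typeof thrown !== "string") throw thrown;
      }
    } catch (err) {
      if (err instanceof RangeError) {
        // V8 reports "Invalid string length" once the result would exceed its cap.
        return { iterations: i, lastLength, stoppedBy: "RangeError" };
      }
      throw err;
    }
  }
  return { iterations: maxIterations, lastLength, stoppedBy: null };
}

// Oliver's arithmetic: starting from a one-code-unit string and doubling k
// times, document.write() must hold 2 + 4 + ... + 2^k UTF-16 code units in
// total. Returns the byte total as a BigInt (2 bytes per code unit).
function bytesWrittenByDocumentWrite(iterations) {
  const k = BigInt(iterations);
  const codeUnits = (2n ** (k + 1n)) - 2n;    // sum of 2^i for i = 1..k
  return codeUnits * 2n;
}

function exceeds64BitAddressSpace(iterations) {
  return bytesWrittenByDocumentWrite(iterations) > 2n ** 64n;
}

console.log(runDoublingLoop());               // ends with stoppedBy: "RangeError" well before 64 iterations
console.log(exceeds64BitAddressSpace(64));    // true
```

Because `n + n` in V8 builds a cons string rather than copying, the loop above runs in negligible memory and ends the moment the requested length passes the engine's limit; the browser version in the post only exhausts memory because document.write() flattens and renders each copy.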
