(Oracles) Testing of DoS Attacks in Browsers

 


Summary

Denial of Service (DoS) is among the most common attacks on Internet servers. In one type of DoS attack, the attacker sends massive queries, leaving the server unable to deal with legitimate traffic. Mozilla FireFox appears to allow the user to enter an unlimited-length string in its address bar, which is then transmitted to, and interpreted by, the server. In contrast, Internet Explorer limits address bar string length and thereby prevents such attacks.


Application Description

Mozilla's FireFox is an Internet browser available for Linux, MacOS, and Windows. At the time of writing this presentation, FireFox is pre-1.0 (a preview release for testing purposes).

Microsoft's Internet Explorer is the most widely used Internet browser. According to the W3's global usage ratings (June 2004), versions of Explorer comprise 72.8% of browsers in use.

Versions compared: Mozilla FireFox v0.9 and Microsoft Internet Explorer v6.0.2900

Test Design

In Oracle-based testing, we compare the behavior of the program under test to the behavior of a source we consider accurate (an oracle).

One question that comes up when evaluating the security of an application is whether an apparent weakness is unreasonable or unacceptable. One way to answer this is by comparison of the product to a respected competitor.

In this line of tests, we are doing manual exploration of potential security flaws in FireFox and comparing anything suspicious to Internet Explorer.


Performing the Test

  1. Open Mozilla FireFox and Microsoft Internet Explorer.
  2. Navigate both browsers to a site like Yahoo! or Google:
  3. Click the mouse cursor at the end of the address in the address bar of each browser.
  4. Press and hold the 'a' key on your keyboard to create a long string of characters. Alternatively, to save time, you can cut and paste a large number of characters from a word processor.

Results/Relevance

We entered about 10 million characters in FireFox after the "http://www.google.com/" before concluding that there was no apparent limit. Processing the request took a long time after we pressed 'Enter', but eventually the server responded that a malformed or illegal request had been made. In contrast, Internet Explorer accepted only 2050 characters, a much tighter constraint.

An attacker who gains control of many computers could put a server under much heavier load using very long queries with FireFox than with Explorer. This contrast suggests that FireFox is inadequately constrained.
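The oracle comparison described under Test Design can be automated. The sketch below is an added example, not part of the original write-up: it drives no browser, and `oracle_accepts` and `sut_accepts` are constructed stand-ins that model the limits reported above (2050 characters for Explorer, none found for FireFox up to about 10 million). It generalizes the manual test slightly by locating the exact boundary with a binary search, assuming acceptance is monotonic in length.

```python
from typing import Callable, Optional

ORACLE_LIMIT = 2050           # limit the page reports for Internet Explorer
PROBE_CEILING = 10_000_000    # roughly where the manual FireFox test stopped


def oracle_accepts(n: int) -> bool:
    """Constructed model of the oracle: input longer than the limit is refused."""
    return n <= ORACLE_LIMIT


def sut_accepts(n: int) -> bool:
    """Constructed model of the program under test: no limit observed."""
    return True


def max_accepted(accepts: Callable[[int], bool], ceiling: int) -> Optional[int]:
    """Return the largest accepted length in [0, ceiling], or None when even
    the ceiling is accepted (no limit found within the probe range)."""
    if not accepts(0):
        raise ValueError("empty input rejected; nothing to measure")
    if accepts(ceiling):
        return None
    lo, hi = 0, ceiling       # invariant: accepts(lo) is True, accepts(hi) is False
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if accepts(mid):
            lo = mid
        else:
            hi = mid
    return lo


def compare(sut: Callable[[int], bool], oracle: Callable[[int], bool],
            ceiling: int = PROBE_CEILING) -> dict:
    """Measure both limits and classify the program under test against the oracle."""
    sut_limit = max_accepted(sut, ceiling)
    oracle_limit = max_accepted(oracle, ceiling)
    if sut_limit == oracle_limit:
        verdict = "match"
    elif sut_limit is None:
        verdict = "suspicious: oracle enforces a limit, program under test does not"
    elif oracle_limit is None or sut_limit < oracle_limit:
        verdict = "stricter than oracle"
    else:
        verdict = "looser than oracle"
    return {"sut": sut_limit, "oracle": oracle_limit, "verdict": verdict}


if __name__ == "__main__":
    print(compare(sut_accepts, oracle_accepts))
```

A "suspicious" verdict is a prompt for investigation rather than proof of a defect, since the oracle's own limit may not be the right one.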


Similar Tests/Additional Notes

For suggestions for quick security tests of FireFox, see Whittaker & Thompson's How to Break Software Security. You can compare any result to results from Explorer. Of course, some of the security features of Explorer may not be adequate or reasonable, and others might make an inappropriate tradeoff of risk reduction versus utility. Explorer is a useful oracle, but not necessarily a perfect one.


Configuration Notes

Testing Mozilla's FireFox v0.9 on:


Created 1 July 2004 for the CSTER. Updated December 2004.

All images and written material ©Copyright Sam Oswald 2004

This work is licensed under the Creative Commons Attribution-ShareAlike License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-sa/2.0/
or send a letter to
Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305,
USA.