search
HomeWeb Front-endJS TutorialDetailed explanation of DoS attack analysis and defense of 12 lines of JS code

There is a 12-line JavaScript code that can crash Firefox, Chrome, and Safari browsers, and can also cause iPhones to restart and Android to crash. The author of this article analyzed and interpreted these 12 lines of code. We also put forward corresponding defense methods, and everyone is welcome to discuss them together. Here is an article about these 12 lines of js code: How do these 12 lines of code make the browser explode?

Ajax and pjax

Ajax is "Asynchronous Javascript And XML" (Asynchronous JavaScript and XML), which is a technology used to create fast dynamic web pages. Ajax allows web pages to be updated asynchronously by exchanging a small amount of data with the server in the background. This means that parts of a web page can be updated without reloading the entire web page.

However, Ajax applications can also cause other problems, which can easily cause the browser to be unable to move forward and backward. This is a very troublesome problem, and developers must increase their workload (such as through a hidden iframe, or changing the location .hash value and other methods) to solve it.

In order to solve the problems caused by traditional Ajax, a new API was introduced in HTML5: history.pushState. After it is combined with Ajax, it has a new name called pjax. It is a new technology based on Ajax+history.pushState. This technology can change the content of the page without refreshing, and can change the URL of the page. pjax is an encapsulation of Ajax+pushState and supports multiple functions such as local storage and animation. Currently supports jquery, qwrap, kissy and other versions.

HTML5.history.pushState

HTML5 can operate the browser history through the pushState and replaceState interfaces, and change the URL of the current page.

pushState adds the specified URL to the browser history and stores the current history point. replaceState replaces the current URL with the specified URL. At the same time, these methods will work with the window.onpostate event.

history.pushState(data, title, url): Add a record to the top of the history stack; data will be passed as a parameter when the onpopstate event is triggered; title is the page title, which is generally ignored by all current browsers. This parameter; URL is the page address, optional, and the default is the current page address. Specific details:

state: The object is a JavaScript state object, an additional object that records historical points, and can be empty. It is related to the new history entity created by the pushState() method. Used to store information about the entry you want to insert into the history.

title: All browsers generally ignore this parameter, although it may be used in the future. The safest way to use it now is to pass an empty string to prevent future modifications, or you can pass a short title to represent the state.

URL: This parameter is used to pass the URL of the new history entity. The new URL must be in the same domain as the existing URL, otherwise pushState() will throw an exception. This parameter is optional. If left blank, it will be set to the current URL of the document.

Twelve lines of code analysis

The picture above is the twelve lines of code. The key point is the loop for the total URL: history.pushState(0,0,total); constantly Modifying the URL, looping it 1,000,000 times, and constantly adding new records to the history stack will cause high CPU and memory usage, crash Firefox, Chrome, and Safari browsers, and also cause the iPhone to restart.

Analysis results

Personally measured on an XP virtual machine (i7 single core 3.4G, 512 memory):

  • When the number of cycles above is ten When the level is above 10,000, the CPU and memory usage will be 100% instantly, and then crash and freeze;

  • When the number of cycles above is reduced to about 10,000, the CPU and memory usage will be about Gradually increased to 100% within 20 seconds, and then crashed;

  • When the number of cycles above was reduced to about 500, the CPU usage gradually increased to 100%, and then again It returned to a stable state instantly, and the memory usage increased from about 130M to about 230M. After opening the 192.168.56.106/12.html page, the link in the address bar also changed to: 192.168.56.106/0123456789101112131415161718192021...49449549649749 8499

It can be seen that while continuously adding records to the history record stack through the loop, the page will be refreshed to the new jump address, which is a "pseudo address" accumulated in the loop. When this length exceeds the limit, it will cause DOS. The effect and efficiency of the attack completely depend on the number of loops and the target's hardware configuration.

Relevant Defense

I believe that everyone’s security awareness is already very strong, but you still need to sound the alarm. Don’t trust any links, attachments, or emails sent to you by any stranger in any way. , pictures and other information, of course it does not rule out the pranks of good friends and bad friends, so friends, remember to Ctrl+S often, otherwise you will be very depressed if your computer crashes.

The Internet has been exposed to hacker attacks since its birth. Early hacker attacks were more or less for the purpose of technical experimentation and showing off. However, with the growth of the global Internet infrastructure, the unlimited growth of connections and the number of users, With the rapid expansion of the number, the frequency of hacker attacks has also increased accordingly. Hacker technology has also continued to develop, and a black industry chain for the purpose of illegally obtaining economic benefits has gradually emerged. The technical level of Internet security protection is advancing by leaps and bounds. Attack and defense are happening every minute and every second in this Internet era.

Of course, the Internet is full of information security threats. Network security protection depends on technology seven times and awareness three points. To protect against these problems, it is far from enough to rely solely on the products and services of security manufacturers. Network security The increase in awareness cannot be ignored.

For example: pay attention to the management of personal passwords, pay attention to the protection of personal privacy, do not easily access public wifi, do not easily trust links or files from strangers/familiar friends, etc., pay attention to the security of mobile payments, and do not let your device "Streaking" and so on.


The above is the detailed content of Detailed explanation of DoS attack analysis and defense of 12 lines of JS code. For more information, please follow other related articles on the PHP Chinese website!

Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
JavaScript and the Web: Core Functionality and Use CasesJavaScript and the Web: Core Functionality and Use CasesApr 18, 2025 am 12:19 AM

The main uses of JavaScript in web development include client interaction, form verification and asynchronous communication. 1) Dynamic content update and user interaction through DOM operations; 2) Client verification is carried out before the user submits data to improve the user experience; 3) Refreshless communication with the server is achieved through AJAX technology.

Understanding the JavaScript Engine: Implementation DetailsUnderstanding the JavaScript Engine: Implementation DetailsApr 17, 2025 am 12:05 AM

Understanding how JavaScript engine works internally is important to developers because it helps write more efficient code and understand performance bottlenecks and optimization strategies. 1) The engine's workflow includes three stages: parsing, compiling and execution; 2) During the execution process, the engine will perform dynamic optimization, such as inline cache and hidden classes; 3) Best practices include avoiding global variables, optimizing loops, using const and lets, and avoiding excessive use of closures.

Python vs. JavaScript: The Learning Curve and Ease of UsePython vs. JavaScript: The Learning Curve and Ease of UseApr 16, 2025 am 12:12 AM

Python is more suitable for beginners, with a smooth learning curve and concise syntax; JavaScript is suitable for front-end development, with a steep learning curve and flexible syntax. 1. Python syntax is intuitive and suitable for data science and back-end development. 2. JavaScript is flexible and widely used in front-end and server-side programming.

Python vs. JavaScript: Community, Libraries, and ResourcesPython vs. JavaScript: Community, Libraries, and ResourcesApr 15, 2025 am 12:16 AM

Python and JavaScript have their own advantages and disadvantages in terms of community, libraries and resources. 1) The Python community is friendly and suitable for beginners, but the front-end development resources are not as rich as JavaScript. 2) Python is powerful in data science and machine learning libraries, while JavaScript is better in front-end development libraries and frameworks. 3) Both have rich learning resources, but Python is suitable for starting with official documents, while JavaScript is better with MDNWebDocs. The choice should be based on project needs and personal interests.

From C/C   to JavaScript: How It All WorksFrom C/C to JavaScript: How It All WorksApr 14, 2025 am 12:05 AM

The shift from C/C to JavaScript requires adapting to dynamic typing, garbage collection and asynchronous programming. 1) C/C is a statically typed language that requires manual memory management, while JavaScript is dynamically typed and garbage collection is automatically processed. 2) C/C needs to be compiled into machine code, while JavaScript is an interpreted language. 3) JavaScript introduces concepts such as closures, prototype chains and Promise, which enhances flexibility and asynchronous programming capabilities.

JavaScript Engines: Comparing ImplementationsJavaScript Engines: Comparing ImplementationsApr 13, 2025 am 12:05 AM

Different JavaScript engines have different effects when parsing and executing JavaScript code, because the implementation principles and optimization strategies of each engine differ. 1. Lexical analysis: convert source code into lexical unit. 2. Grammar analysis: Generate an abstract syntax tree. 3. Optimization and compilation: Generate machine code through the JIT compiler. 4. Execute: Run the machine code. V8 engine optimizes through instant compilation and hidden class, SpiderMonkey uses a type inference system, resulting in different performance performance on the same code.

Beyond the Browser: JavaScript in the Real WorldBeyond the Browser: JavaScript in the Real WorldApr 12, 2025 am 12:06 AM

JavaScript's applications in the real world include server-side programming, mobile application development and Internet of Things control: 1. Server-side programming is realized through Node.js, suitable for high concurrent request processing. 2. Mobile application development is carried out through ReactNative and supports cross-platform deployment. 3. Used for IoT device control through Johnny-Five library, suitable for hardware interaction.

Building a Multi-Tenant SaaS Application with Next.js (Backend Integration)Building a Multi-Tenant SaaS Application with Next.js (Backend Integration)Apr 11, 2025 am 08:23 AM

I built a functional multi-tenant SaaS application (an EdTech app) with your everyday tech tool and you can do the same. First, what’s a multi-tenant SaaS application? Multi-tenant SaaS applications let you serve multiple customers from a sing

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
1 months agoBy尊渡假赌尊渡假赌尊渡假赌
R.E.P.O. Best Graphic Settings
1 months agoBy尊渡假赌尊渡假赌尊渡假赌
Will R.E.P.O. Have Crossplay?
1 months agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

MinGW - Minimalist GNU for Windows

MinGW - Minimalist GNU for Windows

This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools

WebStorm Mac version

WebStorm Mac version

Useful JavaScript development tools

ZendStudio 13.5.1 Mac

ZendStudio 13.5.1 Mac

Powerful PHP integrated development environment

Notepad++7.3.1

Notepad++7.3.1

Easy-to-use and free code editor