Bugtraq mailing list archives
Java/JavaScript DoS
From: ian () HARVESTROAD COM AU (Ian McKellar)
Date: Wed, 17 Sep 1997 14:17:29 +0800
Hi,

I was reading through my friendly `Webmaster in a Nutshell' O'Reilly book, and I came across a reference to the creation of Java objects from JavaScript, i.e.:

    <SCRIPT LANGUAGE="JavaScript">
    var s = java.lang.System;
    s.out.println("this is a test");
    // or even
    var r = new java.lang.String("this is a string");
    </SCRIPT>

This intrigued me, so my mind turned (as it does) to matters of security.

One thing you can't do with these dynamically created Java objects is make any outbound network connections, or successfully receive an incoming connection.

One concerning thing you can do is:

    javascript:while(true) { (new java.awt.Frame("DoS!")).show(); }

This will very quickly open lots of windows you can't close.

I don't see these as serious issues, but something that we should be aware of.

Ian

--
Ian McKellar                 imckellar () harvestroad com au
Web Author                   Phone: +61 8 9389 6200
Harvest Road Communications  Fax:   +61 8 9389 6201
Finger ian () harvestroad com au for my Public PGP Key
Copyright (c) 1997 Ian McKellar, All Rights Reserved. Publication or distribution without the prior consent of the copyright holder is prohibited.
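As an added example (not part of Ian's post, and not any browser's actual code), here is the kind of per-document budget for script-created windows that later browsers adopted to blunt exactly this loop, modelled in plain JavaScript. WindowBudget, its perGesture/hardCap parameters and simulateFrameLoop are hypothetical names, and the simulated loop is bounded only so the demonstration terminates.

```javascript
// Model of a browser-side mitigation: script may create a window only
// while it holds credit from a real user gesture, and never beyond a
// hard per-document cap. The Frame loop above burns its credit on the
// first iteration and every later request is refused.
class WindowBudget {
  constructor({ perGesture = 1, hardCap = 5 } = {}) {
    this.perGesture = perGesture;  // windows granted per user gesture
    this.hardCap = hardCap;        // absolute cap for the whole document
    this.gestureCredit = 0;        // unspent credit from the last gesture
    this.opened = 0;
    this.blocked = 0;
  }

  // The host calls this on a genuine click/keypress, not from script.
  onUserGesture() {
    this.gestureCredit = this.perGesture;
  }

  // Script asks to show a new top-level window; true means allowed.
  requestWindow(title) {
    if (this.opened >= this.hardCap || this.gestureCredit === 0) {
      this.blocked++;
      return false;
    }
    this.gestureCredit--;
    this.opened++;
    return true;
  }
}

// Runs the reported while(true) pattern against the budget instead of a
// real java.awt.Frame; bounded so the simulation returns.
function simulateFrameLoop(budget, attempts) {
  const result = { opened: 0, blocked: 0 };
  for (let i = 0; i < attempts; i++) {
    if (budget.requestWindow("DoS!")) result.opened++;
    else result.blocked++;
  }
  return result;
}

// One click, then the loop: one window appears, the rest are refused.
function demo() {
  const budget = new WindowBudget({ perGesture: 1, hardCap: 5 });
  budget.onUserGesture();
  return simulateFrameLoop(budget, 1000); // { opened: 1, blocked: 999 }
}
```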