Androsh7

$ cat docs/dos-attacks.md

1. Reflected Cross-Site Scripting (XSS) DoS Attacks

Reflected XSS occurs when unvalidated user input (e.g., from an upload form or a rich-text editor) is immediately reflected back to the user’s browser without sanitization. Beyond stealing cookies or hijacking sessions, attackers can inject resource-exhausting payloads such as infinite loops, heavy DOM manipulations, or memory leaks that cause the browser or even the host system to crash.

Defense:

• Always sanitize and encode user input before rendering in HTML.
• Apply a strict Content Security Policy (CSP) to prevent arbitrary script execution.
• Users can mitigate impact by browsing with resource restriction features (e.g., Opera’s memory limits) and avoiding untrusted sites.

2. IFrame Attacks

Attackers can abuse the <iframe> element to invisibly redirect victims to malicious websites. These can load phishing login pages, drive-by download sites, or malicious advertising networks. In a DoS context, iframes can recursively load multiple layers of content, consuming bandwidth and system resources until the browser hangs.

Defense:

• Use the X-Frame-Options or Content-Security-Policy: frame-ancestors headers to prevent framing of your site.
• Disable JavaScript in untrusted environments to reduce the chance of invisible redirections.
• Educate users on recognizing phishing pages before entering credentials.

3. JavaScript Event Bombs

Malicious actors can abuse event listeners such as onmousemove or onmouseover to trigger CPU-intensive operations whenever the victim interacts with the page. Even small actions, like moving the mouse, can cause the browser to lock up.

Defense:

• Modern browsers implement throttling and crash recovery; keep them updated.
• Web developers should limit event binding to prevent accidental resource exhaustion.
• Users can employ script-blocking plugins like NoScript or uBlock Origin.

4. Infinite Redirect Loops

Attackers can craft malicious pages that endlessly redirect between multiple URLs. This can consume bandwidth, fill browser history, and effectively prevent the victim from leaving the loop without forcibly closing the browser.

Defense:

• Browsers often warn about excessive redirects — always heed these alerts.
• Administrators can configure web servers to detect and block looping redirects.
• Users can disable JavaScript or network access temporarily if trapped.

5. HTML5 API Misuse (Storage & Web Workers)

Newer browser APIs like Web Workers and localStorage can be abused to consume client resources. Attackers may spawn thousands of background workers or fill up localStorage, causing system slowdown or crashing the browser.

Defense:

• Limit browser storage quotas and clear localStorage frequently.
• Browsers should enforce sensible caps on Web Worker threads per origin.
• Users should avoid executing untrusted code or demos outside sandboxed environments.