Web based DDoS

This first script loads a (possible) large file from a remote server using a GET request using AJAX over and over again, silently.

Works only in browsers not following the Same Origin Policy.

AJAXDoS.js

The second script creates a child element to the <html> tag on the site, the element exists of an <iframe> loading a (possible) large file from a remote server then removing the element over and over again. This is not done silently like in the first script because of the progressbar and status of the browser telling the user that it is loading. This way is much faster though!

iframeDoS.js

Update:

The third one is a bit trickier, it uses the Adobe Flash function loadMovieNum to create a GET request to the (possible (why am I repeating myself?)) large file. This is not silent either but it works in Chrome,Safari,Opera,IE and Firefox! A malicious minded person would have to upload the compiled flash to a remote server (or the server the users are on) and put it in an <element> tag. This also works regardless of the Same Origin Policy, although the wiki on it is rather fuzzy about whether the SOP is suppose to be secure agains Flash scripts or not.

Another interesting thing about this is that for some reason the flash loop gets really stuck in Firefox and even if the user browses away, it still runs the script until he closes the tab/window!

FlashDoS.fla

Update by Fredrik:

Not all of you have the time/performance/OS to download the Macromedia Flash MX editor in order to make fancy-action scripts like the one above.
And eventually i got bored yesterday, and coded this, to help you people out. It's easy to change it other languages (including script-languages).

By:   Fredrik Nordberg Almroth
URL:  http://h.ackack.net/
Note: Rough and dirty! Wont work on all scripts.
Haven't really looked into it, extend it if you wish.
=========================
> javascript:alert('Yo.')
< Added successfully.
# Alright, creating the SWF, 634080079022420469.swf
~ javascript:alert('Yo.')
# Done!
=========================

If a malicious minded person uses this method on site #1, he could make users (unknowingly) DDoS site #2 (a site of his choice) using the web browser as the DDoS client. This would require the person to have a persistant XSS hole on site #1.

The users are left not knowing that they are DoSing site #2 when they go about their business on site #1!

Sup, I'm Mathias and I was born 1991. It feels like I should really write something here.

1 Comment

  1. Tweets that mention Web based DDoS -- Topsy.com says:

    [...] This post was mentioned on Twitter by AckAck. AckAck said: Web based DDoS, updated ( http://cli.gs/aDWAV ): This first script loads a (pos... [...]

Leave a Comment