CraSSh

I don't want to read any of this techie talk. Just crash my browser already.

What is CraSSh

CraSSh is a cross-browser, purely declarative DoS that relies on poor handling of nested CSS var() and calc() in modern browsers.

CraSSh affects all major browsers on desktop and mobile platforms:

IE is not affected, as it does not support the features CraSSh relies on, but its users already have their fair share of pain.

How it works

The idea behind CraSSh is to force the browser to spend exponential time and memory evaluating a single CSS property, using nested CSS variable references.

This relies on three CSS features:

CSS variables (custom properties and var())

They allow declaring (assigning) and reading variables:

Variables do not allow recursion (although there was a bug in WebKit that caused infinite recursion) or loops, but they may be defined as

calc() expressions

calc() expressions provide basic arithmetic for describing rules such as 'width: calc(50% - 10px)'.

calc() allows referencing variables and using multiple values in a single expression:

This gives an option to

This may look like it would be computed in exponential time, but modern browsers are a bit smarter than that: most of the time they compute each variable's value once, reducing evaluation complexity to linear. The trick is that variable value caching doesn't happen if it's a

Mixed-unit value

Technically, it's part of calc(), but it deserves a separate mention. A mixed-unit variable, i.e. a variable containing both absolute and relative units, can't be

So, it's reevaluated on every access

Regarding the second point, most browsers just inline nested mixed-unit variables into a single expression to avoid rounding errors:

When the expression has millions (or billions) of elements... well, it's not the best idea, to say the least. The CSS engine tries to allocate a few gigabytes of RAM, reduce the expression, and add event handlers so the properties can be recomputed when something changes. Eventually, it dies on one of these steps.

So, the original CraSSh looked like this:

and there's also a sub-1k inline version (used in the MediaWiki showcase):
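As an added defensive example (not part of CraSSh or of the original page), here is the kind of check a platform that accepts user-supplied CSS could run before storing a stylesheet: it computes how large each custom property would become once every var() is inlined, without actually inlining, so the check stays linear even where the browser's expansion would be exponential. The sample CSS, the regexes and the 10,000-character budget are constructed assumptions.

```python
import re

# var(--name[, fallback]) references, and --name: value declarations (value runs to ';' or '}').
VAR_RE = re.compile(r"var\(\s*(--[\w-]+)\s*(?:,\s*([^)]*))?\)")
DECL_RE = re.compile(r"(--[\w-]+)\s*:\s*([^;}]+)")

# Constructed samples: a benign theme, and a chain where each level references the
# previous one twice inside a mixed-unit calc(), so inlining doubles per level.
BENIGN_CSS = ":root { --gap: 8px; --col: calc(var(--gap) * 2); } .x { width: var(--col); }"
DOUBLING_CSS = (":root { --l0: calc(1px + 1%); --l1: calc(var(--l0) + var(--l0));"
                " --l2: calc(var(--l1) + var(--l1)); --l3: calc(var(--l2) + var(--l2)); }")

def parse_custom_properties(css):
    """Collect custom property declarations (name -> raw value) from CSS text."""
    return {name: value.strip() for name, value in DECL_RE.findall(css)}

def inlined_length(props, name, memo=None, active=None):
    """Character length of `name` after every var() is inlined, as a browser does for
    nested mixed-unit calc(). Memoised, so the check stays linear even when the inlined
    text would be exponential. A reference cycle raises ValueError (invalid in CSS too)."""
    memo = {} if memo is None else memo
    active = set() if active is None else active
    if name in memo:
        return memo[name]
    if name in active:
        raise ValueError(f"cyclic custom property: {name}")
    active.add(name)
    value = props.get(name, "")
    total = len(value)
    for m in VAR_RE.finditer(value):
        ref, fallback = m.group(1), m.group(2) or ""
        expanded = inlined_length(props, ref, memo, active) if ref in props else len(fallback)
        total += expanded - len(m.group(0))  # swap the var() text for its expansion
    active.discard(name)
    memo[name] = total
    return total

def css_within_budget(css, max_inlined_chars=10_000):
    """Accept user CSS only if no custom property would inline beyond the budget.
    Returns (ok, worst_property, worst_length); a cycle is rejected with None."""
    props = parse_custom_properties(css)
    memo, worst_name, worst_len = {}, None, 0
    for name in props:
        try:
            n = inlined_length(props, name, memo)
        except ValueError:
            return False, name, None
        if n > worst_len:
            worst_name, worst_len = name, n
    return worst_len <= max_inlined_chars, worst_name, worst_len
```

Each level of the doubling chain inlines to a little over twice the previous one (here 14, 37, 83, 175 characters), which is the growth the budget is meant to catch long before it reaches millions of terms.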

How can this be exploited

Aside from preventing users from browsing your own website or a blog on a platform that gives full access to HTML, like Tumblr (example, crashes the browser) or LiveJournal (example, crashes the browser), CraSSh allows

Why did you do that

More stuff like this

Currently, I'm participating in an amazing project that is going public later this month (2018-11). Follow me on Twitter for updates.

Special thanks

kasthack, 2018