CraSSh is a cross-browser purely declarative DoS relying on poor nested CSS
calc() handling in modern browsers.
CraSSh affects all major browsers on desktop and mobile platforms:
IE is not affected, as it does not support the features CraSSh relies on, but its users already have their fair share of pain.
The idea behind CraSSh is to force the browser to evaluate a CSS property in exponential time and memory through nested CSS variable references.
This relies on 3 CSS features:
They allow declaring, assigning and reading variables:
Variables do not allow recursion (although there was a bug in WebKit that caused infinite recursion) or loops, but they may be defined as
calc() expressions provide basic arithmetic for describing rules like 'width: calc(50% - 10px)'.
calc() allows referencing variables and using multiple values in a single expression:
This gives the option to increase the number of calculations either linearly, in every calc() expression, by adding references to previously defined variables, or exponentially, on every variable declaration, with a calc() expression referencing other computed variables:
This may look like it would be computed in exponential time, but modern browsers are a bit smarter than that: they compute each variable's value once most of the time, reducing evaluation complexity to linear. The trick is that variable value caching doesn't happen if it's a
Technically, it's part of calc(), but it deserves a separate mention. A mixed-unit variable, i.e. a variable containing both absolute and relative units, can't be
So, it's reevaluated on every access
Regarding the second point, most browsers just inline nested mixed-unit variables into a single expression to avoid rounding errors:
When the expression has millions (or billions) of elements... well, it's not the best idea, to say the least. The CSS engine tries to allocate a few gigabytes of RAM, reduce the expression, and add event handlers so the properties can be recomputed when something changes. Eventually, it crashes on one of these steps.
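The inlining behaviour described above is also what a site that accepts user CSS can measure before the stylesheet ever reaches a browser. The following is an added example, not code from the CraSSh page: a small JavaScript audit that pulls custom-property declarations out of a stylesheet, inlines their var() references the way the text says browsers do, and flags any property whose expanded expression exceeds a term budget or mixes absolute and relative units. The regex parser, `auditCss`, `expand`, the budget of 1000 terms and the sample stylesheet are assumptions of this example.

```javascript
const ABSOLUTE_UNITS = new Set(['px', 'cm', 'mm', 'in', 'pt', 'pc', 'q']);
// Collect "--name: value" declarations (assumed simple syntax, no var() fallbacks).
function parseCustomProperties(css) {
  const props = new Map();
  for (const m of css.matchAll(/--([\w-]+)\s*:\s*([^;{}]+)/g)) props.set(m[1], m[2].trim());
  return props;
}

// Inline every var(--x) reference of `name`, counting the resulting leaf terms and
// collecting their units. Memoised per name; a cycle or an unknown name counts as one
// leaf, because browsers make such a property invalid rather than recursing.
function expand(props, name, memo = new Map(), stack = new Set()) {
  if (memo.has(name)) return memo.get(name);
  if (stack.has(name) || !props.has(name)) return { terms: 1, units: new Set() };
  stack.add(name);
  const value = props.get(name);
  const result = { terms: 0, units: new Set() };
  for (const m of value.replace(/var\([^)]*\)/g, '').matchAll(/\d+(?:\.\d+)?([a-z%]*)/gi)) {
    result.terms += 1;                                   // literal numeric term
    if (m[1]) result.units.add(m[1].toLowerCase());
  }
  for (const m of value.matchAll(/var\(\s*--([\w-]+)\s*\)/g)) {
    const sub = expand(props, m[1], memo, stack);        // nested reference
    result.terms += sub.terms;
    sub.units.forEach(u => result.units.add(u));
  }
  stack.delete(name); memo.set(name, result);
  return result;
}

// Report properties whose inlined form exceeds `budget` terms, noting whether the
// expansion mixes absolute and relative units (the case the text says is uncacheable).
function auditCss(css, budget = 1000) {
  const props = parseCustomProperties(css);
  const memo = new Map(), findings = [];
  for (const name of props.keys()) {
    const { terms, units } = expand(props, name, memo);
    const absolute = [...units].filter(u => ABSOLUTE_UNITS.has(u)).length;
    if (terms > budget) findings.push({ property: '--' + name, terms, mixedUnits: absolute > 0 && absolute < units.size });
  }
  return findings;
}

// Constructed sample: each variable references the previous one six times.
const SAMPLE_CSS = `:root {
  --a: calc(1px + 1%);
  --b: calc(var(--a) + var(--a) + var(--a) + var(--a) + var(--a) + var(--a));
  --c: calc(var(--b) + var(--b) + var(--b) + var(--b) + var(--b) + var(--b));
  --d: calc(var(--c) + var(--c) + var(--c) + var(--c) + var(--c) + var(--c));
  --e: calc(var(--d) + var(--d) + var(--d) + var(--d) + var(--d) + var(--d));
}`;
console.log(auditCss(SAMPLE_CSS)); // → [ { property: '--e', terms: 2592, mixedUnits: true } ]
```

A real deployment would swap the regex parser for a proper CSS tokenizer, but the growth estimate and the mixed-unit check are the parts that matter.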
So, the original CraSSh looked like this
and there's also a sub-1k inline version (used in the MediaWiki showcase):
Aside from preventing users from browsing your own website or a blog on a platform that gives full access to HTML, like Tumblr (example, crashes the browser) or LiveJournal (example, crashes the browser), CraSSh allows
Breaking the UI on controlled pages on customizable websites that allow users to specify custom CSS but don't give access to HTML templates. I've managed to break MyAnimeList (example, crashes the browser). Reddit is not affected because their parser doesn't support CSS variables.
Breaking the UI on pages with public write access that allow some HTML tags with inline styles. Wikipedia (example, crashes the browser; they've banned the account for vandalism, even though I've placed it on the personal page) and most MediaWiki-based projects are affected. Basically, one can break the page and it wouldn't be repairable through the UI.
Crashing email clients with HTML emails
It's quite complicated, since mail clients strip/minify HTML and generally don't support the modern CSS features CraSSh relies on.
CraSSh works in
CraSSh doesn't work in
Should work in
Haven't tested others.
I just came up with a sick idea: CraSSh can be used against CEF/PhantomJS-based bots. The attacked website could embed CraSSh code with headers (like this) instead of just showing a plain 403. IIRC, errors are handled differently in embedded engines, so
Remember that post by Linus?
It looks like the IT security world has hit a new low.
If you work in security, and think you have some morals, I think you might want to add the tag-line
"No, really, I'm not a whore. Pinky promise"
to your business card. Because I thought the whole industry was corrupt before, but it's getting ridiculous.
At what point will security people admit they have an attention-whoring problem?
I went even further, and now you are reading a whole f*cking website dedicated to a simple bug because the joy of working till 4 am and attention to the achieved results are some of the few things that prevent me from surrendering to depression and diving head first into that nice sidewalk in front of the office.
Also, I hate the front-end development that I have to do as part of my full-stack job, and doing stuff like this helps to relax a bit. If your company is looking for .NET wage slaves, send them my LinkedIn profile. This might get you a hiring bonus and make my existence a bit less miserable.
Currently, I'm participating in an amazing project that is going public later this month (2018-11). Follow me on Twitter for updates.