kubuzetto / behind

behind! addon source code repository
https://addons.mozilla.org/en-US/firefox/addon/behind/
Mozilla Public License 2.0
90 stars 3 forks

DoS against sites possible by repeated requests when 404s are returned #22

Closed s1shed closed 2 years ago

s1shed commented 2 years ago

A popular retail site has an img tag like the following:

<img alt="Picture 2" sizes="(min-width: 1280px) 816px, (min-width: 1024px) 62vw, 100vw" srcset="https://site.tld/image/w=375,h=234,fit=scale-down,q=75,f=auto,sharpen=0.5/images/5/2_1-1440x712.jpeg 375w, https://site.tld/image/w=568,h=355,fit=scale-down,q=75,f=auto,sharpen=0.5/images/5/2_1-1440x712.jpeg 568w, https://site.tld/image/w=750,h=469,fit=scale-down,q=75,f=auto,sharpen=0.5/images/5/2_1-1440x712.jpeg 750w, https://site.tld/image/w=816,h=510,fit=scale-down,q=75,f=auto,sharpen=0.5/images/5/2_1-1440x712.jpeg 816w, https://site.tld/image/w=1125,h=703,fit=scale-down,q=75,f=auto,sharpen=0.5/images/5/2_1-1440x712.jpeg 1125w, https://site.tld/image/w=1632,h=1020,fit=scale-down,q=75,f=auto,sharpen=0.5/images/5/2_1-1440x712.jpeg 1632w, https://site.tld/image/w=2448,h=1530,fit=scale-down,q=75,f=auto,sharpen=0.5/images/5/2_1-1440x712.jpeg 2448w" loading="lazy" src="https://site.tld/image/w=375,h=234,fit=scale-down,q=75,f=auto,sharpen=0.5/images/5/2_1-1440x712.jpeg" width="375" height="234">

The Behind addon attempts to download images with names like w=2448, h=1020, etc. Additional examples below:

(screenshot: Behind window)

These requests receive a 404 response, which is to be expected from the srcset above.

(screenshot: 404s shown in the Network tab)

Unfortunately these requests are made repeatedly—and frequently—effectively leading to a DoS against the site. If this tab is left open for a few hours several gigabytes of traffic can easily be generated, unbeknownst to the addon user.

The requests are not logged to the browser history so this was discovered by looking in the Network tab of the developer tools while Behind was active on an affected site.

kubuzetto commented 2 years ago

Hi @s1shed, thank you very much for the bug report!

I prepared a fix that probably resolves this; but I cannot try it, given that I have no way of replicating the situation.

Would you be willing to test the PR on the same retail page, to see if it fixes the issue?

kubuzetto commented 2 years ago

Oh nevermind lol, I just stumbled upon that same bug! Tested it and it seems to work fine. Version 0.2.18 with the fix should be available in a few minutes.

kubuzetto commented 2 years ago

The new version is available for Firefox, and in review for Chrome. Closing the issue, thanks again!

elfshed commented 2 years ago

> The new version is available for Firefox, and in review for Chrome. Closing the issue, thanks again!

Thanks for the quick fix! I verified with the site I saw this on.