IssueTracker

---

Report description

Denial of Service (DoS) on Chrome via Large String Input in Text Field

---

Bug location

Where do you want to report your vulnerability?

Chrome VRP – Report security issues affecting the Chrome browser. See program rules

Which URL (or repository) have you found the vulnerability in?

vulnerability in the 'url' search field

---

The problem

Please describe the technical details of the vulnerability

Summary there is a DoS vulnerability in the search field or url provided by Google. so the vulnerability is that there is no limit on the number of characters, which allows the DoS attack to make the chrome browser not responding, causing lagging in chrome, and sometimes making the chrome tab CRASH or blank. previously I provided a table listing the possibility of this DoS attack succeeding. here are my test results

Test Result 10,000 characters = No effect, 50,000 characters = Slight lag, more 100,000 characters = Chrome crashes.

Impact analysis – Please briefly explain who can exploit the vulnerability, and what they gain when doing so

This attack has a situation:

1. the browser is not responding: the cause is because the user uses many extensions when pasting the payload [a](/a/a/a/a/a/a/a/a/a.....(50000 times)).

2. browser that causes lagging: this situation works when the user has several extensions or has no extensions, the cause of lagging is because of pasting the load [a](/a/a/a/a/a/a/a/a/a/a.....(50000 times)) which takes up a lot of memory.

3. lastly, chrome tab crashes or goes blank: the situation when entering a very long text string into the input field. This bug can be executed through web pages, which means it can be used for DoS attacks against Chrome users if they visit malicious sites containing this payload. (this attack depends on the attacker's script, may be more dangerous if followed up)

How to reproduce situations 1 and 2

1. copy the payload I provided. then paste it into the search in the top column.
2. this attack can be utilized by the attacker to annoy the user and cause the GPU to rise.
3. see my poc - not responding video

How to reproduce situation 3

1. prepare the script, I use the script

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>
<body onload="document.getElementById('testInput').value = payload;">
    <input type="text" id="testInput" style="width: 500px;">
<script>
    let payload = "[a](" + "/a".repeat(500000) + ")";
    document.getElementById("testInput").value = payload;
</script>
</body>
</html>

2. then give it to the victim, then the victim's chrome tab will become blank.

3. Note that this attack sometimes happens sometimes not, I don't know the cause, but I found a way to reproduce it with 50% success. the method is :

• create multiple tabs
• then use some extensions
• paste payload.txt into the search field
• wait for chrome to become not responding
• open chrome again, then restore
• execute the script I provided, then try to block the letter.
• then all chrome tabs become blank
• see my poc - tab blank video

Supporting references: https://hackerone.com/reports/557154

Impact: Malicious websites can load this payload automatically, making user tabs freeze or crash without the need for manual interaction.

Chrome with many extensions is more vulnerable to this bug, exacerbating the impact of the crash.

---

The cause

What version of Chrome have you found the security issue in?

135.0.7049.42 (Official Build) (64-bit) (cohort: Stable)

Is the security issue related to a crash?

Yes, it is related to a crash.

Choose the type of vulnerability

Denial of Service (DoS)

How would you like to be publicly acknowledged for your report?

Arif Rahman Huzaifa | Neicyy