Browser Limits

Connection Pool

October 1, 2020
Abuse: Connection Pool, Browser Limits
Category: Attack
Defenses: Fetch Metadata, SameSite Cookies

Another way to measure the network timing of a request consists of abusing the socket pool of a browser [1]. Browsers use sockets to communicate with servers. As the operating system and the hardware it runs on have limited resources, browsers have to impose a limit. To exploit the existence of this limit, attackers can:

1. Check what the limit of the browser is, for example 256 global sockets.
2. Block \(255\) sockets for a long period of time by performing \(255\) requests to different hosts that simply hang the connection.
3. Use the \(256^{th}\) socket by performing a request to the target page. ...