There appear to be several vulnerabilities in popular Web browsers such as Netscape Communicator and Microsoft Internet Explorer which permit hostile sites to perpetrate denial-of-service attacks upon the browser software. For some reason, the manufacturers do not seem to care about their products' vulnerability to this sort of computer crime.

Many of these DoS vulnerabilities involve infinite loops in JavaScript, a scripting environment implemented with few (if any) resource limitations on untrusted code. For instance, there is no limit on the number of windows a JavaScript script can open on your screen, meaning that a hostile page can spam you with windows which repeatedly open faster than you can close them.

A Web site can disable some of your navigation controls as well. Contextual menus are commonly disabled with a JavaScript-based exploit; even without JavaScript, the back button can be largely disabled with a quick series of refresh pages.

Many lesser-known Web browsers, such as iCab, permit you to restrict the powers of JavaScript and in other ways defend yourself against computer criminals masquerading as Webmasters. However, until the mainstream browsers catch up in security, most users will remain vulnerable to Web browser denial-of-service attacks.

---

Note: There has apparently been some confusion on this matter: A "denial-of-service attack" is any means by which the use of a service or resource can be cut off without the operator's permission. It does not have to be a flood attack. Flooding is merely one very common, very easy-to-perpetrate form of denial-of-service attack.

An example of the many ways in which web browser DoS attacks are possible is available at portal.cyberarmy.com. Near the end of this page, there are two links; "shutdown MSIE win95/98" and "crash system". To peruse the code, right-click on the link and choose to save the target, as opposed to opening it. View it in a text editor; there are some disturbing loopholes just in plain HTML, let alone javascript.