The websites I've seen (and was referencing in the Gist) basically do this. But it's a very simple anti-debugger technique that uses an IIFE containing a `while` loop with a `debugger;` statement in every iteration. You can circumvent it by opening DevTools on another website and toggling it to "skip all breakpoints."
I'm sure there are more advanced anti-debugger techniques with different denial-of-service vectors. And I'm sure that the attack surface for actual exploits (beyond just DoS) is also greater than browsing a website without DevTools open. But it's not like browser vendors grant super-permissions to websites when the user has DevTools open; any exploit would depend on a high-severity vulnerability.
I do agree that it's probably smart to browse sketchy websites in an isolated browser, and ideally one inside a VM.
out-of-ideas|1 year ago
chatmasta|1 year ago
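The `debugger;`-in-a-loop pattern described in the thread can be flagged statically before a script is ever run. The following is an added example, not part of the original thread and not any site's code: a heuristic scanner that reports `debugger` statements and whether each sits inside a loop body. The function names and the sample script are constructed for illustration.

```javascript
// Heuristic only: regex literals and loop heads containing braces or
// parentheses nested more than one level deep are not parsed.

// Blank out comments and string/template literals, keeping offsets and newlines.
function stripLiterals(src) {
  const re = /\/\*[\s\S]*?\*\/|\/\/[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|`(?:\\[\s\S]|[^`\\])*`/g;
  return src.replace(re, (m) => m.replace(/[^\n]/g, " "));
}

// Text that ends in a loop header: while (...), for (...), or a bare `do`.
const LOOP_HEAD = /(?:\b(?:while|for)\s*\((?:[^(){}]|\([^(){}]*\))*\)|\bdo)\s*$/;

// Returns [{ line, loop }] for every `debugger` statement; loop=true means it
// sits in a while/for/do body and re-triggers on every iteration.
function findDebuggerStatements(src) {
  const code = stripLiterals(src);
  const stack = []; // one boolean per open brace: is this block a loop body?
  const hits = [];
  const token = /[{}]|(?<![.$\w])debugger\b/g; // skips obj.debugger properties
  let m;
  while ((m = token.exec(code)) !== null) {
    const before = code.slice(0, m.index);
    const afterLoopHead = LOOP_HEAD.test(before);
    if (m[0] === "{") stack.push(afterLoopHead);
    else if (m[0] === "}") stack.pop();
    else hits.push({
      line: before.split("\n").length,
      loop: afterLoopHead || stack.includes(true), // brace-less or braced body
    });
  }
  return hits;
}

// Constructed sample script, not taken from any real site.
const SAMPLE = [
  "// constructed sample",
  "const label = 'debugger;';", // string literal: must not be reported
  "(function () {",
  "  while (true) {",
  "    debugger;",
  "  }",
  "})();",
  "function once() { debugger; }",
].join("\n");

console.log(findDebuggerStatements(SAMPLE));
```

A hit with `loop: true` is the case worth reviewing before opening DevTools on the page; a lone `debugger;` outside a loop pauses once and is usually leftover development code.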