edbrowse-dev - development list for edbrowse
 help / color / mirror / Atom feed
From: Karl Dahlke <eklhad@comcast.net>
To: edbrowse-dev@edbrowse.org
Subject: [edbrowse-dev] sharing and security
Date: Sun, 21 Mar 2021 17:34:21 -0400	[thread overview]
Message-ID: <20210221173421.eklhad@comcast.net> (raw)

[-- Attachment #1: Type: text/plain, Size: 3319 bytes --]

This is just me thinking out loud.

Let's say we share the Table class in the master window mw$.
I don't have to replicate it and its methods for every web page.
Saves time and memory etc. All good.

There's an addRow method, which of course, adds a row to the table.
I wrote it, and web pages can use it.
Let's say your bank uses it to dynamically add a row to a table.
An evil web developer can write a phishing page that looks harmless, maybe just information about kangaroos.
It replaces my addRow with its own addRow function.
	mw$.Table.prototype.addRow = evil_addRow();
It starts with this(object) and works up through parentNode until it gets to document.
Then it looks at document.location to see if it is juicy.
Maybe a banking site.
It traverses the tree looking for a login form.
If it's really lucky, and it can try this again and again without you knowing it, it might find the login form.
Using xhr, it sends login and password back to a server in China somewhere.
Even more valuable is your routing and account numbers, which are probably somewhere on the page.
Whence the dude in China can withdraw money from your account by ACH.
After all that snooping, it calls the original addRow, my addRow, so it does what it did before and doesn't look any different.
You don't notice a thing.

Ok, I defend against that by making the addRow method not writable, not deletable.
Remember the second part cause they could remove mine and then replace it with theirs.
I can do that in javascript and it's not reversible. All good.

But, addRow lives in the Table.prototype object.
What if they remove the entire prototype object and replace it with theirs,
with all the methods I use to have, some of theirs boobytrapped.
So I make prototype not writable and not deletable.

The original class Table has to be not writable and not deletable, or they could replace the entire Table class in mw$ with their own.

Let's say I've done all that.
If I make one mistake of omission, if I forget one method in the DOM,
let's say I forgot deleteRow.
evil.com notices that I forgot that.
They install their own deleteRow in mw$.Table.prototype.
This method does all the hijacking, then deletes the row consistent with my framework.
It does what I should have done.
Remember they can read my open source and know exactly how all this works.
Well I can't guard against that.
In every operating system you can make a directory readonly, but nothing like that in javascript.
If the prototype object exists, and you can see it, you can add something to it.
Maybe you can't change what's there, but you can add to it.
So we would have to be 100% perfect, with a function or at least a stub for every method that exists,
and we would have to stay current with this as the DOM evolves,
cause if we don't, a shared class opens up a security risk.

That's how it looks to me anyways.

Do you follow what I'm saying?

No wonder every browser writes all its classes in C, thus shared at a level that can't be hijacked;
but of course we don't have the manpower to do that.
And if we did, we are, at that point, heavily invested in an engine;
I couldn't just switch engines in a couple weeks as I just did with quick.

That's my discouraging thought for the day.

Karl Dahlke

             reply	other threads:[~2021-03-21 21:34 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-21 21:34 Karl Dahlke [this message]
2021-03-23  7:39 ` Adam Thompson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210221173421.eklhad@comcast.net \
    --to=eklhad@comcast.net \
    --cc=edbrowse-dev@edbrowse.org \
    --subject='Re: [edbrowse-dev] sharing and security' \


* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).