I found out about OpenWebRTC and was wondering if there was a way to implement it in the suckless surf browser.
Does anyone know if this is possible and how I would go about it?
I wouldn't use OpenWebRTC; development has stopped and you will probably hit bugs. WebRTC has had some pretty big changes since development stopped (Plan B -> Unified Plan, mDNS candidates).
GStreamer itself now has webrtcbin. There are also WebRTC implementations (webrtc.org, aiortc, pion) that can do media!
I would build the WebRTC integration out of process. You could write some IPC and let a 'WebRTC implementation' talk over a socket and exchange SDPs back and forth. I don't know surf's code that well to know how possible that is though.
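The out-of-process design suggested above, as an added example that is not code from the thread, from surf or from any WebRTC stack: a browser-side process and a stand-in helper exchange length-prefixed JSON frames carrying SDP over a local socket. The message names ("offer", "answer"), the frame size cap and the SDP sanity check are my assumptions; the helper only rewrites the constructed offer into an answer where a real one would hand the SDP to webrtcbin or pion.

```python
"""Browser <-> WebRTC-helper IPC: framed JSON over a local socket."""
import json
import socket
import struct
import threading

# Assumed cap: a misbehaving peer must not be able to make us allocate unbounded memory.
MAX_FRAME = 64 * 1024


def encode_frame(msg: dict) -> bytes:
    """4-byte big-endian length prefix followed by compact JSON."""
    body = json.dumps(msg, separators=(",", ":")).encode()
    if len(body) > MAX_FRAME:
        raise ValueError("frame too large")
    return struct.pack("!I", len(body)) + body


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return bytes(buf)


def read_frame(sock: socket.socket) -> dict:
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    if length > MAX_FRAME:  # check the length before trusting it
        raise ValueError("frame too large")
    return json.loads(recv_exact(sock, length))


def check_sdp(sdp: str) -> None:
    """Reject structurally bogus SDP before it reaches either side's peer connection."""
    lines = sdp.replace("\r\n", "\n").strip("\n").split("\n")
    if lines[0] != "v=0":
        raise ValueError("SDP must start with v=0")
    if not any(line.startswith("m=") for line in lines):
        raise ValueError("SDP has no media section")
    for line in lines:
        if len(line) < 2 or line[1] != "=" or not line[0].isalpha():
            raise ValueError("malformed SDP line: %r" % line)


def helper_main(sock: socket.socket) -> None:
    """Stand-in for the real WebRTC process: validate the offer, reply with an answer."""
    msg = read_frame(sock)
    check_sdp(msg["sdp"])
    # A real helper would give msg["sdp"] to webrtcbin/pion and return its local description.
    answer = msg["sdp"].replace("a=setup:actpass", "a=setup:active")
    sock.sendall(encode_frame({"type": "answer", "sdp": answer}))


def negotiate(offer_sdp: str) -> str:
    """Browser side: send the offer, return the helper's validated answer SDP."""
    browser, helper = socket.socketpair()
    worker = threading.Thread(target=helper_main, args=(helper,))
    worker.start()
    browser.sendall(encode_frame({"type": "offer", "sdp": offer_sdp}))
    reply = read_frame(browser)
    worker.join()
    browser.close()
    helper.close()
    if reply.get("type") != "answer":
        raise ValueError("unexpected message type")
    check_sdp(reply["sdp"])  # never trust the helper's output blindly either
    return reply["sdp"]


# Constructed minimal Unified Plan style offer with one audio m= section.
SAMPLE_OFFER = "\r\n".join([
    "v=0",
    "o=- 1 1 IN IP4 127.0.0.1",
    "s=-",
    "t=0 0",
    "m=audio 9 UDP/TLS/RTP/SAVPF 111",
    "c=IN IP4 0.0.0.0",
    "a=mid:0",
    "a=setup:actpass",
]) + "\r\n"

if __name__ == "__main__":
    print(negotiate(SAMPLE_OFFER))
```

Both ends validate the SDP they receive, so a compromised helper process cannot push arbitrary data into the browser's peer connection, and the length check runs before any allocation, which is the point of putting the WebRTC stack behind a process boundary in the first place.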
I have not, but shall, out of curiosity, DAST* security test an IoT device: a NodeMCU ESP8266 web server I built. It shows an HTML page (on a mobile phone, for example) that allows one to control and interact with a camera module and an A/C relay. With it I can, for example, show images captured by the camera (I even think it has some image recognition built in), and I can switch on and off a relay for electrical current to a light bulb (110/220 V A/C power).
Before I start the pentest I thought I had better start thinking about what types of exploits one would be able to find and detect. Which sinister exploits will I be able to find, or rather ought to be able to find, given a proper pentest exercise? (And if I do not find exploits, my approach to the pentest of the IoT device might be wrong.)
I wonder whether it might be a totally pointless exercise, since the ESP8266 web server (or rather its Lua programming libraries) might not have any security built into it, so basically it is "open doors" and everything about it is unsafe?
The test report might just conclude what I can already foresee, that "user input needs to be sanitized"?
Does anyone have any idea what such a pentest of a generic IoT device generally reports?
Maybe it is possible to crash or reset the IoT device? Buffer overruns, XSS, calling my own code?
I might use ZAP or Burp Suite or a similar DAST security test tool.
I could of course SAST test it instead, or as well, but I think it will be hard to easily find a static code analyzer for the NodeMCU libraries and the Lua scripting language. I found some references here though: https://ieeexplore.ieee.org/abstract/document/8227299 but it seems to be a long read.
So if someone just has a short answer about what to expect in a DAST scan/pentest, it would be much appreciated.
Stay safe and secure out there!
Zombieboy
I do my vulnerability scanning with OpenVAS (I assume this is what you mean by pentesting?). I am not aware of any IoT-focused tools.
If your server is running on an ESP8266, I would imagine that there is not much room for authentication and encryption of HTTP traffic (but correct me if I am wrong).
Vulnerability scan results might show things like unencrypted HTTP traffic, credentials transmitted in cleartext (if you have any credential fields in the pages served by the web server), etc. Depending on whether there is encryption, you might also see weak encryption findings.
You might get some false positives from your Lua web server reacting like other known web servers when exploits are applied. I have seen this kind of false positive especially on DoS vulnerabilities, when a vulnerability scan is testing a vulnerability and the server becomes unresponsive. Depending on how invasive your vulnerability scanner is, you might get a lot of false positives for DoS on such a constrained platform.
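The passive part of what the answer above says a scan reports (cleartext HTTP, credentials submitted in cleartext, weak transport settings), as an added example that is not from the thread, from OpenVAS or from ZAP: one captured HTTP response is parsed and a list of findings is returned. The response below is constructed to look like a NodeMCU-style control page with a login form; the header names are standard, the page content and the 192.168.4.1 address are made up.

```python
"""Passive DAST-style checks over a single captured HTTP response."""
from html.parser import HTMLParser

# Constructed response from a hypothetical ESP8266 control page (not a real device capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Server: NodeMCU\r\n"
    "\r\n"
    "<html><body>"
    "<form method='GET' action='http://192.168.4.1/login'>"
    "<input name='user'><input type='password' name='pin'>"
    "</form>"
    "</body></html>"
)


class FormScanner(HTMLParser):
    """Collect each <form> with its action, method and whether it carries a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action", ""),
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into status line, header dict (lower-cased names) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def analyse(raw: str, scheme: str = "http") -> list:
    """Return human-readable findings; `scheme` is how the page was fetched."""
    _status, headers, body = parse_response(raw)
    findings = []
    if scheme == "http":
        findings.append("unencrypted HTTP: page served without TLS")

    scanner = FormScanner()
    scanner.feed(body)
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        target = form["action"] or "(same page)"
        # Explicit http:// action, or a relative action on a page that was itself plain HTTP.
        if form["action"].startswith("http://") or (
            scheme == "http" and not form["action"].startswith("https://")
        ):
            findings.append("credentials transmitted in cleartext: %s" % target)
        if form["method"] == "get":
            findings.append("password sent in URL query string (GET form): %s" % target)

    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in flags:
            findings.append("cookie without Secure flag: %s" % name)
        if "httponly" not in flags:
            findings.append("cookie without HttpOnly flag: %s" % name)

    if scheme == "https" and "strict-transport-security" not in headers:
        findings.append("missing Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_RESPONSE):
        print("-", finding)
```

Running only passive checks like these against a constrained device avoids the DoS false positives the answer mentions: nothing here sends a second request, so the device cannot become unresponsive as a side effect of the test itself.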
I am just wondering how Rabbit is able to give each user a different browser to use from a Linux machine. It seems like VNC tech, but I don't know; please let me know if you know how they are able to do that.
There is a somewhat detailed blog post about what their architecture was here: https://bloggeek.me/rabbit-webrtc-interview/
I will quote the relevant part for longevity:
We have two main stacks, one for audio/video and one for our business logic:
Our audio/video stack is built in Java on top of Netty: Our SFU allows us to use WebRTC with much larger groups than the normal use case. For our shared viewing feature (called Rabbitcast™), we had to build a native extension to capture and deliver an HD stream with audio from our virtual machines. Both of them use our own WebRTC server stack to talk to the clients. Our Business Logic stack is built on top of Node.js using a promise-based approach to keep our sanity.
Lastly we use Redis both for intelligent caching and pub/sub. MongoDB is our persistent storage.
I am not sure exactly what they are using, but I have some ideas how it works. Yeah, as you already said, they are using virtual machines ported to an HTML5 VNC client to control and stream video and audio. Other options might be using xpra, x2go, or Apache Guacamole to port them into an HTML5 client again.
If I had an open source emulator for C64, Mame, Spectrum and the like, would it be possible to hack away at the code and merge it with some kind of Game Center functionality, achieving online multiplayer in the emulator?
I'm not asking for the code or anything, I just had an image of booting up an emulator, a Game Center window saying it's looking for players, then starting a 2-player game. Is that feasible, or is just not possible to integrate an emulator with GC like that?
You could make one computer host the game by running the emulator. It would stream the video+audio to the remote computer, and receive keyboard+joystick events from it. Hacking this up would be far from a trivial task, but not colossal either. I don't think there's any useful "Game Center" software that would do this for you - you'd have to code it up yourself.
If the video streaming is a bottleneck, you could perhaps stream the emulated machine's state changes instead. This is much more ambitious in terms of the amount of coding needed, but it would probably solve any throughput problems.
Practical playability would suffer from network lag. Over the internet, you would probably be limited to turn-based games. In a local network, it might work well for action games too - it's all too hypothetical to really tell.
Apple won't allow you to publish an emulator on iOS. It requires downloading and executing code to run a particular game, which is forbidden.
First I would like to thank you (Stuart in particular) for this amazing framework MvvmCross.
I have an application case that involves socket connectivity, and I would like to go with a PCL for Android, WP7 and iOS.
Unfortunately, the PCL subset doesn't support socket usage as is (I think the NCL is supported only across Microsoft's different frameworks).
I thought maybe an MvvmCross Plugin is the way to go, but that still needs a plugin implementation for each platform (I mean ...plugin.Droid, ...plugin.WP7, etc.) while it should be the same code in the end.
What do you suggest?
Thanks
I thought maybe an MvvmCross Plugin is the way to go
Yes, this is exactly the sort of situation that Plugins were designed for.
I'd certainly implement this as a socket plugin:
The PCL part of the plugin would provide a socket interface, although it might also perhaps include some shared base class 'buffer copy' type functionality in the shared code too.
The platform specific socket implementations which handle raw socket connection and IO.
It's likely that these platform plugin additions would use quite a lot of file linking between several of the platform implementations - I'd expect there to be a lot of code that would have to be shared this way.
I think a sockets plugin will be quite a common requirement - so if you were to tackle this via open source, then you might find some willing contributors ... or, if you were to go closed source, then you might find some customers.
While no-one has open-sourced an IP network socket implementation at this stage, the Sphero project did include a Bluetooth socket example - albeit one that wasn't entirely network efficient in the way it communicated.
This Bluetooth socket code is open sourced within Ms-PL at https://github.com/slodge/BallControl/tree/master/Cirrious.Sphero.WorkBench/Plugins/Sphero
This Sphero plugin doesn't expose a PCL Sphero-Socket level API - instead at the plugin level it chooses to expose a Sphero-Robot level API.
With the benefit of hindsight (a wonderful thing), if I implemented this again then I'd implement:
a bluetooth serial port plugin exposing bluetooth scanning, connecting and socket streaming
an additional PCL library which consumed the plugin to drive the robot - this perhaps might be called a plugin but would not have any non-PCL code within it.
Does somebody know about the possibility of establishing 2-3 parallel HTTP connections in different threads of a J2ME MIDlet? It looks possible but works unstably. Maybe somebody has more information about the topic.
It is certainly worth a try and I believe this will work on some good phones but this is typically something that the JSR-118 Test Conformance Kit doesn't test for (as far as I can remember) so it could very possibly fail on some phones too.