secure data transfer between chrome extension and native messaging host [duplicate] - google-chrome-extension

I have a NPAPI plugin for sign-in data on website.
I want to replace it by Native Messaging technology. I have read the documentation, but I have a question : Is this technology safe?
Can hackers catch data in transfer from JavaScript to native host app and back?
Edit: merging in a better-worded question:
How secure is stdio data transfer ?
Is there a way for man-in-middle attack for such data transfer ?

It is, in principle, possible to inspect stdio calls made by an executable.
For instance, on Linux systems, you can use strace for that purpose. I don't know a similar Windows tool, but it's conceivable that it exists.
That would be akin to attaching a debugger to the browser/native host itself, and can only be done by someone who has access to the local machine with the same user credentials or administrative access. In particular, the user running Chrome can do it - just like he/she can use Dev Tools to inspect and intercept the data at the JavaScript side.
So, yes, in principle that can be intercepted, but only by someone will full rights to execute/debug code on the system it's running on, and OS takes care not to allow normal users to inspect processes of other users in this way.

You realize, of course, that Native Messaging will ONLY work within the bounds of the machine: With native messaging the browser will communicate with your host application over stdin/stdout.
So what exactly is the problem here? If the Hackers are capable of listening to your stdin/stdout they are already on your machine - you've already lost.

Not really, sometimes hackers can find XSS in vulnerable site, then it may be possible to use Native Messaging to execute command on Victim system

Related

Disable Networking in Electron

electron.js is a user interface toolkit that allows a web application to operate as an arbitrary GUI.
However, there are some applications that should be considered sensitive - for instance, a GUI for banking should have strong assurances that it's not doing anything mischievous.
I'm wondering if the electron executable (or node.js itself) would allow operation in a mode where networking is outright disabled - that way, as a consumer, I can at least be confident a user interface isn't sending my password off-site.
Something like ./node_modules/.bin/electron --no-networking index.js would be very convenient, albeit a far cry.
I haven't tried whether it works or not.
The following lines simulate the offline mode in chromium.
// To emulate a network outage.
window.webContents.session.enableNetworkEmulation({ offline: true });

Remote Attestation for Windows

I am building a distributed application in which the software is installed by my company on our customer's hardware. The customer can therefore tamper with the software. I would like to know if a technique exists so that when the software running on customer hardware make a web request to our central server (i.e. totally under our control), that we can validate that the request is coming from an untampered version of our software.
I believe that this is referred to as "remote attestation." Web searches about remote attestation return a variety of results, from "it is not possible" to "use the TPM". But I have not been able to find a simple to understand example of how to code this in Windows.
So, my question is: Is remote attestation possible in Windows, and if so, is there a working example that I can use as the basis for implementation?
Note: Remote attestation is sometimes achieved through "obscuration" techniques such as embedding a "shared secret" into the application and then obscuring it in various ways to try and ensure that an attacker cannot easily extract that shared secret through de-compiling etc. I am not interested in such techniques and am looking for something that provides real security not security through obscurity.
In order to attestate a system you need 2 things:
A chain of trust from a root of trust up to every executed code and
Means to interpret and verify the obtained measurements on your server.
When using Windows you have neither.
Currently not even Windows itself is aware of its sate. However, that improved in Windows 8. Now you have measurements of the boot loader and drivers at least. But nothing that extends to user code.

How native process can communicate to chrome extension (lastpass do this)

I know that lastpass extension have a binary component to communicate passwords between browsers (to firefox and IE). What mechanisms can be utilized by chrome extension to communicate with other system processes?
Apparently there's a Native Messaging API coming soon.
Source
Chromium Commit
Youtube Video example
If you need to communicate with the system, then you have basically two options:
You can embed an NPAPI plugin, which, generally, is discouraged when not absolutely necessary (and even then :) ).
Your system process can run a web server with a well-defined API that your extension talks to. This ends up being message-passing writ large, but has the potential of being much more secure, since the processes can be independently sandboxed. WebSockets are pretty useful for this sort of thing, but a lot can be accomplished with simple HTTP requests to 127.0.0.1 via XHR.

Run command on client computer from a browser

I was wondering if it was possible, using some client side scripting language, to run a command on a client computer from a remote web server. For example, what could I do to make a web page that returns information about the client's local ip address, currently running processes, and other info by running some command on their machine and then collecting and printing that data? Also, I only intend to use this on clients running Windows. Thanks in advance for any help!
The amount of information you can collect from client computers is deliberately limited in the name of privacy. If you wanted to accomplish your goals, you would have to have the user consent to giving you this information. For example, you could ask them to install and run a small program on their machine, not limited by what the browser can do or see, and use that to collect and return information to you. The act of asking them to run this program/install a plugin would be the consent. For example, this is what NVidia does to scan your computer and determine which drivers you need on their website, as seen here: http://www.nvidia.com/Download/Scan.aspx?lang=en-us
I think Pwn2Own is over for this year. Even with that, I would hope not.
I think that's called hacking. Browser makers go to great length to prevent this kind of activity because it poses a massive security risk to your users. There might be a way to do such a thing, but it's WRONG to try it.

HP LoadRunner question - content checking: web apps only

I know there some experienced loadRunner users around so I would like to ask (as I was not able to find the answer on my own): Is the content checking available only for webpages? I mean, I cannot check for content in win32 apps, right? Thank you!
If you are asking about using the web_reg_save_param function, then, yes, it is limited to web applications.
Generally, functions with a "web" prefix are unique to web applications.
web_reg_save is web protocol-only, yes.
Depending on the protocol you use, you surely have a way to do a context verification. For example, when you are using terminal emulator, you can check for specific strings in specific display areas. Or, when using Citrix, you can wait for specific bitmaps to appear in certain areas. Or, with RMI, you can inspect whatever you want in the replies you receive.
Inspecting a Win32 app's screen, however, might be painful. LoadRunner tries to "sniff" at the protocol level, so usually you'd have some traffic to emulate on the sockets level, for example. You could still find the app's window handle and fetch some content from it using Windows API calls. LR will not assist you in doing so, though, except for with DLL support.

Resources