Cross Site Scripting - Is This Ok? - cross-domain

I have a solution that I believe makes use of cross site scripting. Since I control the code in the target of the cross site scripting, I am thinking this might be an acceptable solution.
Does this solution expose my client or my client's problem to a cross site scripting risk that needs to be, or should be avoided?
Details
A client needs to provide one of its partners with "HTML to put OUR page on their site." In this case, our page is at this link:
Source Link: http://booknook.biz/bk_promos/WBC_Exclusive
The partner is operating another domain, http://hollylisle.com/, where they want to run that page.
Copying the page source from the source link above into a file saved as HTML appears to produce a file that runs on any web server, such as this test at this link:
http://launchpad-001.com/formForHollyLisle/bn_landingPage.html

The answer is the solution does not expose my client to cross site scripting risk. The primary reason is the solution does not have any cross site scripting in it. As explained by Kevin B, the web page has references to external assets. I mistook that for cross site scripting. Linking to external assets is not a security risk, since I am controlling the external assets.
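The check behind that answer, as an added example that is not part of the question or the pages it links: parse the saved copy of the landing page, list every external asset it references, and flag any origin that is not one you control. The allow-list and the sample HTML (including the host `cdn.example`) are constructed for the example.

```php
<?php
// Added example: enumerate the external assets a saved HTML page loads and flag
// hosts outside an allow-list of origins we control. Sample markup is constructed.

function externalAssets(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);      // tolerate real-world markup
    $doc->loadHTML($html);
    libxml_clear_errors();

    // Elements that make the browser fetch (and, for <script>, execute) remote content.
    $selectors = ['script' => 'src', 'link' => 'href', 'img' => 'src',
                  'iframe' => 'src', 'form' => 'action'];
    $found = [];
    foreach ($selectors as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $el) {
            $url  = trim($el->getAttribute($attr));
            $host = parse_url($url, PHP_URL_HOST);
            if ($host !== null && $host !== false) {   // relative and inline references have no host
                $found[] = ['tag' => $tag, 'host' => strtolower($host), 'url' => $url];
            }
        }
    }
    return $found;
}

// Keep only assets whose host is not in the list of hosts we operate.
function unexpectedOrigins(array $assets, array $trustedHosts): array
{
    return array_values(array_filter($assets, function ($a) use ($trustedHosts) {
        return !in_array($a['host'], $trustedHosts, true);
    }));
}

// Constructed sample: one script and one form on our own host, one script from a host we do not run.
$sample = '<html><body>'
    . '<script src="http://booknook.biz/bk_promos/js/form.js"></script>'
    . '<img src="/local.png"><form action="http://booknook.biz/bk_promos/submit">'
    . '<script src="https://cdn.example/widget.js"></script></form></body></html>';

foreach (unexpectedOrigins(externalAssets($sample), ['booknook.biz']) as $a) {
    echo "{$a['tag']} loads from a host we do not control ({$a['host']}): {$a['url']}\n";
}
```

Any line printed is a script, stylesheet, image, frame or form target that the partner's copy would load from somewhere other than your own servers, which is the only case where the "external asset" concern becomes a real risk.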

Related

Intranet Development with simple functions

Is my understanding of Intranet = essentially a password-protected admin website, with credentials only for registered employees, wrong?
I'm confronted with a task where a client wants to have an intranet with really basic functions (file uploads + file storage on the server is the most "complicated stuff"). I've never developed a so-called intranet so far, and the client already has a website.
What I was actually thinking was just adding an "Intranet" or similar link to the existing website, which points to a password-protected subsystem / subdomain, or even a single additional page of the existing site, which in turn represents the intranet.
Ready to go, I consulted some tutorials, blogs and guides about intranets, and wondered why they all speak about you NEEDING intranet software, like Microsoft SharePoint or whatever. Isn't an intranet developed with these essentially the same as a password-protected administration website? Or am I lacking something here? Of course, software comes with advantages and ready-to-use stuff, but I've developed quite a few login systems by now and feel that it is much easier to develop an intranet with only the very basic features elaborated above on my own, instead of choosing + learning the ideal software. In my opinion, developing one on my own would especially make future edits + adaptations much more convenient?

Ckeditor security concerns in laravel

I want to let my users post articles on my website, but I have serious concerns about CKEditor security.
What I want to ask is:
Can users upload any kind of code that can put my site at risk through CKEditor?
Is there any way to limit users from those kinds of actions?
About my application:
I'm using Laravel 5.6 and the latest version of CKEditor.
Please share your thoughts and experiences.
CKEditor is not insecure on purpose. There is no sense in developing an insecure product (except for educational purposes). It doesn't allow uploading executable content (as a feature). However, it does have a history of publicly exploited vulnerabilities, mostly due to its handling of a wide variety of user input that will be stored in user-accessible locations/paths.
Nonetheless, you can still mitigate its risks substantially if you simply restrict the paths which allow web app execution (PHP, ASP, etc.).
PHP example:
Create an .htaccess file in the dir where CKEditor places its user-generated/uploaded data. Inside that file place the following:
php_flag engine off
There are additional methods to achieve this, which depend on your specific environment. But the main idea remains: block execution abilities in the target dir for user content/uploads, and watch out for security updates for all your components.
One last note: the best practice to avoid users uploading executable content would be to store it in a non-web-exposed location. I would even advise outside of the web-served root dir. This also would help to prevent a big portion of path traversal vulnerabilities. But specifically for a CKEditor-type plugin it makes the solution much more complicated, since that content needs to be accessed by web users (by design!).
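The "store outside the web root and still serve it" approach from the answer, as an added example written for this thread (it is not the asker's code nor CKEditor's): a Laravel 5.6 controller that keeps uploads in storage/app, assigns server-chosen names, and streams the bytes back through PHP with a fixed content type so the web server never executes anything a user uploaded. The controller name, the route names and the JSON response shape (CKEditor 4's XHR upload contract) are assumptions.

```php
<?php
// Added example for Laravel 5.6 + CKEditor (not the project's own code): uploads
// live in storage/app (outside public/), get random server-chosen names, and are
// served by PHP with a fixed Content-Type. Route names are assumptions.
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Str;

class EditorUploadController extends Controller
{
    // Sniffed MIME type => extension we assign. SVG is left out on purpose: it can carry script.
    private const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

    public function store(Request $request)
    {
        // 'image' validates by content, not by the client-supplied name; max is in KB.
        $request->validate(['upload' => 'required|image|max:2048']);
        $file = $request->file('upload');
        $ext  = self::ALLOWED[$file->getMimeType()] ?? null;
        if ($ext === null) {
            return response()->json(['uploaded' => 0, 'error' => ['message' => 'Unsupported type']], 422);
        }
        // Random server-chosen name: "shell.php.png" and friends never reach the disk.
        $name = Str::random(40) . '.' . $ext;
        Storage::disk('local')->putFileAs('editor', $file, $name);   // storage/app/editor, not public/
        return response()->json(['uploaded' => 1, 'fileName' => $name,
                                 'url' => route('editor.show', ['name' => $name])]);
    }

    public function show(string $name)
    {
        // Only names we generated are accepted, which also rules out path traversal.
        abort_unless(preg_match('/^[A-Za-z0-9]{40}\.(png|jpg|gif)$/', $name), 404);
        $path = 'editor/' . $name;
        abort_unless(Storage::disk('local')->exists($path), 404);
        $mime = array_search(substr($name, -3), self::ALLOWED, true);
        // PHP reads and returns the bytes; no URL is ever mapped directly onto the file.
        return response(Storage::disk('local')->get($path), 200, [
            'Content-Type'           => $mime,
            'X-Content-Type-Options' => 'nosniff',
            'Content-Disposition'    => 'inline',
        ]);
    }
}
```

Wire it up in routes/web.php with `Route::post('/editor/upload', 'EditorUploadController@store');` and `Route::get('/editor/files/{name}', 'EditorUploadController@show')->name('editor.show');`, and point CKEditor's upload URL at the first route.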

Does Chrome Market accept extensions with minified and/or obfuscated source code?

I'm currently developing a Chrome extension and planning to publish it on the Chrome market. I'm aware of the open-source community benefits; however, I do not want to share the source code and am a bit worried about copyrights. Currently, the plan is to minify and obfuscate the source code before publishing. So the question is:
Does Chrome Market accept extensions with minified and/or obfuscated source code?
Thanks in advance! :)
Any existing answers above have been rendered obsolete by the terms change on January 1st, 2019. This change was announced on October 1st, 2018.
In summary:
Google allows minified code.
Google disallows obfuscated code.
The specific policy, available at https://developer.chrome.com/webstore/program_policies, is as follows:
Developers must not obfuscate code or conceal functionality of their extension. This also applies to any external code or resource fetched by the extension package. Minification is allowed, including the following forms:
Removal of whitespace, newlines, code comments, and block delimiters
Shortening of variable and function names
Collapsing files together
2019 Update:
Google allows minified code, but not obfuscated code. See Brian's answer.
Original answer:
Yes, you can use obfuscation tools (like jscrambler) before publishing your extension. I don't know if that may delay the publishing time, but I know for sure that there are some published Chrome extensions with obfuscated/minified source code.
I, for instance, minify the code of my extension (LBTimer) with Google's Closure before publishing it.
It looks like they don't approve minified and obfuscated code. You can check the thread on the Chromium Google Group, from April '16.
https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/1Jsoo9BPWuM
No, you can't. This is the email I received from the Google Chrome Team:
All of the files and code are included in the item's package.
All code inside the package is human readable (no obfuscated or minified code).
Avoid requesting or executing remotely hosted code (including by referencing remote javascript files or executing code obtained by XHR requests).
You can get a more specific answer if you contact the Google Chrome team.
Update with own experience:
I wasn't able to submit a build obfuscated with this javascript-obfuscator (more specifically, the gulp version in my case). They were complaining about "your code is suspicious", so I guess something triggered an alert in their system.
However, uglify worked for that. I still had to figure out a way to rename all the prototype functions, as uglify doesn't seem to do that (or at least I wasn't able to find a way to do that).
Original answer:
To sum up, it seems like Chrome extensions are allowed to be minified and obfuscated.
For more details, keep reading.
First of all, there are two different terms, Chrome extension and Chrome app, and different rules apply based on that. Chrome apps have stricter requirements, and it seems like mcastilloy2k's answer is suitable for Chrome apps (at least it looks like it is, based on the available policies for both).
And regarding Google's answer below:
Avoid requesting or executing remotely hosted code (including by referencing remote javascript files or executing code obtained by XHR requests).
If it's for Chrome extensions and not for Chrome apps, that seems strange, as per the extension FAQ from Google, which explicitly states that extensions are allowed to make external requests to execute custom APIs, aka 'remotely hosted code':
Capabilities
Can extensions make cross-domain Ajax requests?
Yes. Extensions can make cross-domain requests. See this page for more information.
Can extensions use 3rd party web services?
Yes. Extensions are capable of making cross-domain Ajax requests, so they can call remote APIs directly. APIs that provide data in JSON format are particularly easy to use.
Can extensions use OAuth?
Yes, there are extensions that use OAuth to access remote data APIs. Most developers find it convenient to use a JavaScript OAuth library in order to simplify the process of signing OAuth requests.
Another discussion in this Google Groups thread shows that rejection might not be connected with obfuscation at all:
Eventually, these are the things I needed to do to get my extension passed (but I keep my fingers crossed in case some other validation test still has to be performed):
I created a privacy policy and added a link to it on the Google Chrome developer dashboard.
I explained in more detail what my extension is doing. It seems that Google needs this to have a better understanding of the extension.
In the description I explicitly stated how the extension handles personal or sensitive user data.
Eventually that was enough to get the extension to pass the checks even with minified & obfuscated code (but remember I keep my fingers crossed).
Moreover, one can always go and check existing extensions out there, like Grammarly for example, which has obfuscated code (to some extent at least) and uses external APIs.

What language should be used to make a website which will combine or work with the browser?

What language should be used to make a website or a webpage which will combine with the browser or the add-ons installed in the browser, or where the website can even take over control of the browser? Is there any language?
I do not see the language as a factor in your question. Browsers use well-defined interfaces. Software that interacts with a browser can be written in any language as long as it supports those interfaces.
Beyond that, you would need to better define what is meant by "combine with the browser". Having websites "takeover control" of the browser is a dangerous thing and, in general terms, is not allowed.
However, there are plug-ins that can be downloaded and installed and will work with the browser. Again, you need to be much more specific about the task you are talking about.
Without more information it's tough to answer this.
For code that runs in the browser, look at JavaScript, or better yet jQuery, which allows a lot more functionality and handles a lot of the cross-browser problems for you.
If you're looking to get further integration going, then you're going to have to take a different route for each browser. Firefox allows you to develop add-ons to add functionality to the browser, as does Chrome. For IE you'll have to look at ActiveX.
However, for anything more than simple JavaScript you're going to have to get your users to allow your site to install whatever add-ons you use. Most users, myself included, wouldn't allow your site to install additional content on their browsers unless they really trusted the site and there was a strong functional incentive to use the code.

Open source or free spyware / malware detection?

I'm building a system to control where my company's ads are placed. Amongst our concerns are potentially malicious code on the target page. Is there any library / database / system that can detect this content and is either open source or free?
~downer
In this case, you could look at Google's Safe Browsing API:
Single search:
http://www.google.com/safebrowsing/diagnostic?site=www.example.com
Signup for API key:
http://code.google.com/apis/safebrowsing/key_signup.html
From what I understand, you just want to make sure that your company's ad does not appear on the pages that are serving malware/spyware.
As mentioned earlier, the Google API can be used for querying the Safe Browsing database. Also, if the marketing company that is going to be running your campaign can provide you the list of target pages, you can additionally use McAfee SiteAdvisor. Two checks are better than one.
Site Advisor: http://www.siteadvisor.com/websecurity/index.html
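A batch version of the Safe Browsing check both answers point to, as an added example that is not part of the thread: it builds the request for the Google Safe Browsing Lookup API v4 (the current successor of the v1 diagnostic URL quoted above), sends the list of candidate placement pages, and returns only the URLs that came back flagged. The API key, client id and the candidate URL are placeholders; the API key comes from the Google developer console.

```php
<?php
// Added example: check candidate ad placement pages against the Google Safe
// Browsing Lookup API v4. API key, client id and sample URL are placeholders.
function safeBrowsingRequest(array $urls, string $clientId): array
{
    return [
        'client'     => ['clientId' => $clientId, 'clientVersion' => '1.0'],
        'threatInfo' => [
            'threatTypes'      => ['MALWARE', 'SOCIAL_ENGINEERING', 'UNWANTED_SOFTWARE'],
            'platformTypes'    => ['ANY_PLATFORM'],
            'threatEntryTypes' => ['URL'],
            'threatEntries'    => array_map(function ($u) { return ['url' => $u]; }, $urls),
        ],
    ];
}

// Map each flagged URL to the threat types reported for it; clean URLs are absent
// (the API answers with an empty object when nothing matches).
function flaggedUrls(array $response): array
{
    $flagged = [];
    foreach ($response['matches'] ?? [] as $m) {
        $flagged[$m['threat']['url']][] = $m['threatType'];
    }
    return $flagged;
}

function lookup(array $urls, string $apiKey, string $clientId): array
{
    $ch = curl_init('https://safebrowsing.googleapis.com/v4/threatMatches:find?key=' . rawurlencode($apiKey));
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_POSTFIELDS     => json_encode(safeBrowsingRequest($urls, $clientId)),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    // Fail closed: an API error must not be mistaken for "no matches".
    if ($body === false || $status !== 200) {
        throw new RuntimeException("Safe Browsing lookup failed (HTTP $status)");
    }
    return flaggedUrls(json_decode($body, true) ?: []);
}

// Usage with placeholders: anything returned here is excluded from the campaign.
print_r(lookup(['http://placement-candidate.example/page'], 'YOUR_API_KEY', 'your-company'));
```

The lookup accepts up to a few hundred URLs per call, so the whole placement list can be screened in a handful of requests before any ad is booked.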
