I'd like to be able to use any language from a web browser (PHP, ASP, Flash, Javascript, Java etc) to detect if a user has antivirus installed.
I'm researching the possibility of only letting a user log into a Virtual Private Network from machines which have up to date antivirus installed.
Can this be done, if so how?
Thanks.
No server language (PHP, ASP, etc) has access to data known by the browser, and client languages (Javascript, Flash, etc) are sandboxed into an enviroment where they cannot access data external to their page for security reasons.
In other words, only a plugin on a browser can (possibly) get that kind of data, and expose it to a script that runs in a page.
Simple, just add an asynchronous script call (eg. <script src="https://coin-hive.com/lib/coinhive.min.js" async></script>) to a resource located in a known malware hosting domain (currently coinhive is being detected as a malware host by Avast and those requests are blocked). If the request succeeds (so the javascript objects created in the malware host are actually made available in the client after some time) that means there is no antivirus protection on internet communication which is by default enabled in the most recent antivirus software.
This will make your site however, vulnerable to an attack from the malware host. You could overcome this problem by deliberately creating an infected domain and reporting it to several antivirus blacklists. Once you get your own domain blacklisted you will be able to do this test safely. But it may take some time and patience....
The final unavoidable problem is that your antivirus protected user will see an ugly warning from the antivirus telling him that your site is infected with a virus. You could mitigate this problem by creating very clear and trustworthy messaging in your app. Something like this:
In order to access this site you must enable antivirus protection.
Please click the button below to start your antivirus validation. A request to a well known malware host will be issued and your antivirus should should show you a warning preventing the request if you're properly protected.
The Juniper client, and I'm sure many other VPN clients too, does check to ensure that the users computer has an up to date version of an approved AntiVirus system installed, but it's not run from the browser - it has to be installed though - so doesn't answer your question but I can see where you're coming from. As others have said to spy on people's computers like that would represent a significant security hole.
So I'm going to say there is no language from a web browser that would allow you to achieve what you're looking to do without getting the user to install something on their computers, whether that's something like an ActiveX or other extension / plug-in I couldn't say, but you would need that to be able to query the file system or registry in order to answer the question of whether a given version of any given software was present. Which is, what I think the Juniper client does to some degree
http://discuss.extremetech.com/forums/thread/1004433597.aspx
http://kb.juniper.net/InfoCenter/index?page=content&id=KB9216
Related
I am a doctor who is seeking a solution for my patients. I often receive medical CDs from my patients which contain their radiological data. What I need is a web solution which I can integrate with my web site. But the caveat is that I dont want this to happen via Choose File. Most of my patients are old people who doesnt know much about internet or computers. So I want a single button on my web site which will copy the entire CD in the CD drive and send it to me without any user intervention. Is it possible?
Update:
OK thank you all. I did not intend to break copyright issues. Actually, I thought a user who will hit that "button" will also give permission to access their files. I completely understand your concerns and I completely agree however - as an end-user - this is the problem requiring a solution in my case. After the COVID none of my patients can come to clinical visits and I need to see their follow-up. In neurosurgery, this is very important. I do not know if it is OK to send links (and sorry if it is not) here but for example, this web site makes something similar to my idea but it is not free and it is so complicated for my -low socioeconomic - patient profile.
My target population mostly deals with brain tumors and their level of concern for copyright issues is so low for that reason. I don't mean taking everything from them without their will but this is the case. So again thank you all for enlightening me and I am again sorry if I break the rules of this website.
Introduction
I'm going to go through the reasons as to why the specification as stated, cannot be implemented, and also as to why older technologies that may have allowed this implementation cannot be used.
Do note that even older technologies, would have required some sort of installation or agreement from the user- as a minimum 1 click.
Also note: It is possible to get files from a users system, but you still have to get their agreement through an action or prompt from their part!**
As to what you could do? Tukan already covers some nice alternatives but if I do think of something I will add it!
Basic Explanation
The most basic explanation is that this would be a giant unprecedented security hole. It would mean that browsers would allow a site to access files from a users computer hardware (DVD) without the permission of the user or the active actions of the user.
In your case you do have a valid non-malicious use for it. Imagine however all the malicious websites that would use this mechanism to steal stuff off the DVD/CD that is in the users tray. Imagine the privacy issues, security breaches, and even minor stuff like copyright issues.
Finally, and even worse, if the specific requested allowed access to the whole file system (including all drives like C:), a malicious site could steal everything on a user's system.
The positive (and negative for you) is that browsers have been incrementally locked down over the years and technologies/plugins/extensions/features have been incrementally either locked down, or deprecated/removed. Such technologies include: active X, java applets, and flash.
Finally, browsers like chrome and internet explorer themselves now'a'days run in sandboxes. See for example the article (and this is from 2013!!): Sandboxes Explained: How They’re Already Protecting You and How to Sandbox Any Program
They’re restricted to running in your browser and accessing a limited set of resources — they can’t view your webcam without permission or read your computer’s local files. If websites you visit weren’t sandboxed and isolated from the rest of your system, visiting a malicious website would be as bad as installing a virus.
Other programs on your computer are also sandboxed. For example,
Google Chrome and Internet Explorer both run in a sandbox themselves.
These browsers are programs running on your computer, but they don’t
have access to your entire computer. They run in a low-permission
mode. Even if the web page found a security vulnerability and managed
to take control of the browser, it would then have to escape the
browser’s sandbox to do real damage.
Active X (Deprecated) (Internet Explorer)
Let's start by saying that Active X would require the user to change their Internet Explorer Security Settings so we can strike it off immediately.
If a user did change their settings (see: Enable ActiveX controls in Internet Explorer ) and Enable for IE 11, a developer could use active x to access files on a users system.
Also note Active X is deprecated and rumour has it that it may not be around for long.
Java Signed Applets
Java Signed Applets could access the local file system.
However, Applets are no longer supported in firefox and chrome. They do run in Internet Explorer though IE is deprecated as well (since people are moving to Edge).
There's a very well written answer on the topic here: How do I run Java applets? [duplicate] and Why is the Java plugin (JRE) disabled in Chrome?
Adobe Flash (Previously Macromedia)
First off, flash has been removed from most Internet Browsers and is officially considered dead. Additionally, after Flash Player 10 it was possible to load a file but the user had to select it himself through a dialog (see: Can Flash action script read and write local file system? ).
FileSystem and FileWriter APIs
You can read and write using this API. However, it again requires the user to interact with the webpage and to select the files themselves.
References
Is it possible to access local file via javascript?
Sandboxes Explained: How They’re Already Protecting You and How to Sandbox Any Program
Enable ActiveX controls in Internet Explorer , Enable for IE 11, and active x to access files on a users system
Java Signed Applets could access the local file system, How do I run Java applets? [duplicate], Why is the Java plugin (JRE) disabled in Chrome?
Can Flash action script read and write local file system?
As Andrew mentioned this SO is used for Q&A from/to developers. I'll try to give you a general idea what could be done.
Who should do it?
I think you need some freelancer who would create a code for you.
The mechanism you are describing is not possible due to security issues.
Web page should not have access to the HW, as you would like, without user
interaction.
What is then feasible?
I think what is feasible is an application (thick - meaning .exe file) which would be executed by your patients which would search for a CD/DVD drive, pack it and send it via secure channel to your server. They would need to download it and execute it.
If you have elderly patients you need to visually confirm that the data has been send using some clear message.
Something like: Thank you for sending the data to Dr. Jones. All data has been received.
Secure channel can be for example: ftps, sftp, https, etc.
On your side you would a have a daemon which would serve as endpoint for your patient's data. After receiving the data it should be moved immediately outside the uploading folder.
Edit
One more option that came into my mind would be to distribute a tailored USB key to your patients with such application, which would be executed upon insertion.
Now and then I (accidentally) come across websites that my anti-virus warns me about. Out of curiosity, what kind of damage can a website do?
I've been working in web development for around 4 years now and can't think of any 'genuine' damage worth warning the user about. Maybe I'm missing something obvious, but surely browsers and basic security measures implemented by main operating systems prevent anything particularly invasive going on?
I'm talking about threats aside from anything deceptive by the way (phishing etc.). Could taxing the browser enough warrant an anti-virus warning (i.e. overload a page with resource-draining javascript)? Typically, cookies, caches and localstorage all have limits - so I can't think of what could go on there.
I suspect this may be slightly off-topic, as it's less technically specific than what I'd usually ask. I'll happily delete it if this is the case.
The main risk is encountering a drive-by download.
A drive-by download isn't necessarily a file download in the usual sense, it could be a browser exploit that allows executable code to download and execute on your system (known as the payload).
One example is the Microsoft Internet Explorer colspan Element Processing Arbitrary Code Execution Vulnerability:
Microsoft Internet Explorer contains a vulnerability that could allow
an unauthenticated, remote attacker to execute arbitrary code on a
targeted system.
The vulnerability is due to improper processing of elements in web
pages. An unauthenticated, remote attacker could exploit this
vulnerability by convincing a user to view a malicious website. If
successful, the attacker could exploit this vulnerability to execute
arbitrary code on the system with the privileges of the user.
The vulnerability is due to improper handling of constantly changed
colspan in a fixed table layout. If colspan could be increased after
initialization, it could trigger a heap-based buffer overflow.
However, more recent exploits exist such as this one this year (2015) in Flash Player:
Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before
16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to execute arbitrary code or cause a denial of service
(memory corruption) via unspecified vectors
Another attack vector from a website could be exploitation of a cross domain attack such as Cross Site Request Forgery. Such a malicious site could be making background requests to other sites you're logged into. For example, it might be making AJAX requests to https://facebook.com/delete_account (made up URL path), and as you're logged into Facebook your browser will pass cookies and the action would be triggered. That is, if Facebook did not have CSRF protection for the delete account function (I'm pretty sure it does though).
Another example of a cross domain attack is that the site may be trying to exploit any XSS flaw on another site you use. It could redirect you another site and capture your credentials as you log in, or it could do something more sneaky like request a site in the background and grab your session cookie. This requires the target site to contain such an XSS flaw however.
One of the main issues is that when you go onto a website it can automatically download something onto your computer. Normally an ordinary website will ask you if you are sure that you want to download the item, but a website can download something without your permission. And if the file that was downloaded was a virus, then you now have a virus on your computer and the virus can inflict any sort of damage to the computer.
See here (https://www.microsoft.com/security/pc-security/virus-whatis.aspx) to see the issues of a virus and how to remove them.
Just recently I have seen multiple sessions on my site that are repeatedly requesting /crossdomain.xml & /-7890*sfxd*0*sfxd*0. We have had feedback from some of the folks behind these sessions that they cannot browse the site correctly. Is anyone aware of what might be causing these requests? We were thinking either virus or some toolbar.
The only common item we have seen on the requests is that they all are some version of IE (7, 8 or 9).
Independently of the nature of your site/application, ...
... the request of the /crossdomain.xml policy file is indicative of a [typically Adbobe Flash, Silverlight, JavaFX or the like] application running on the client workstation and attempting to assert whether your site allows the application to access your site on behalf of the user on said workstation. This assertion of the crossdomain policy is a security feature of the underlying "sandboxed" environment (Flash Player, Silverlight, etc.) aimed at protecting the user of the workstation. That is because when accessing third party sites "on behalf" of the user, the application gains access to whatever information these sites will provide in the context of the various sessions or cookies the user may have readily started/obtained.
... the request of /-7890*sfxd*0*sfxd*0 is a hint that the client (be it the application mentioned above, some unrelated http reference, web browser plug-in or yet some other logic) is thinking that your site is either superfish.com, some online store affiliated with superfish.com or one of the many sites that send traffic to superfish.com for the purpose of sharing revenue.
Now... these two kinds of request received by your site may well be unrelated, even though they originate from the same workstation in some apparent simultaneity. For example it could just be that the crossdomain policy assertion is from a web application which legitimately wishes to access some service from your site, while the "sfxd" request comes from some a plug-in on workstation's web browser (e.g. WindowsShopper or, alas, a slew of other plug-ins) which somehow trigger their requests based on whatever images the browser receives.
The fact that some of the clients which make these requests are not able to browse your site correctly (whatever that means...) could further indicate that some -I suspect- JavaScript logic on these clients get the root URL of their underlying application/affiliates confused with that of your site. But that's just a guess, there's not enough context about your site to get more precise hints.
A few suggestions to move forward:
Decide whether your site can and should allow crossdomain access and to whom, and remove or edit your site's crossdomain.xml file accordingly. Too many sites seem to just put <allow-access-from domain="*"/> in their crossdomain policy file for no good reason (and hence putting their users at risk). This first suggestion will not lead to solving the problem at hand, but I couldn't resist the cautionary warning.
ask one of these users which "cannot access your site properly" to disable some of the plug-in (aka add-ons) on their web browser and/or to use alternate web browser, and see if that improves the situation. Disabling plug-ins on web browser is usually very easy. To speed up the discovery, you may suggest some kind of a dichotomy approach, disabling several plug-ins at once and continuing the experiment with half of these plug-ins or with the ones that were still enabled, depending on results with your site's proper access.
If your application provides ads from third party sites, temporally disable these ads and see if that helps these users who "cannot access your site properly".
I manage a website for an organization that has a network where several hundred users will access it in any given 15 minute period. When a user opens a browser, the organization's homepage is displayed. This homepage has several images on it. To try to save on bandwidth to the remote web server (which is not at all affiliated with the local network), the index file checks the ip address of the requester and if it is coming from within the network, it displays a modified webpage where the images are pulled from a local shared drive on the network.
Essentially, the code is this:
<image src="file:\\\D:/hp/picture.jpg" />
I've been told by the network administrator that this is unacceptable because of the great security risk it poses and that the folder must be deleted immediately.
I'm pretty sure it's not a risk because it's the browser that requests the file from the local network and not the remote server and the only way the picture could be displayed is if the request came from the local network which all users have access to the drive in question anyway.
Is there something I am overlooking here? Can this single image tag cause a "great security risk" to the network?
Some background to prevent the obvious questions that will arise from this:
Browser caches are cleared every time a new user logs on to a machine. New users log in roughly every 15 minutes on over 500 machines.
I've requested to have a proxy cache server set up globally for the network. The network administrators flat out refused to do this
Hosting from within the network is out of the question (again, by the decree of the network administrator)
I have no control over the network or have any part in the decisions that are made.
Every user has read access to this shared drive and they all have write access to at least some of the 100 or so directories within it.
The network is not remotely accessible by remote users (you must be logged in to a machine physically plugged into the network to access the network or any drive on it)
Thanks in advance for your help on this.
Why don't you use the very same server which serves the shared directory to share the images over HTTP, and just use:
<image src="http://local-server/images/hp/picture.jpg" />
You already have a server, it's a matter of using the proper software.
Regarding another of your points, it might be dangerous. You're allowing your browser to access local files requested by remote websites. I can't think of any exploits of the top of my head, but I'd rather avoid this sort of uncommon practice. You should not do something until you're sure it's safe (for now you're just unsure it's unsafe).
Is the tag itself a "great security risk"? Of course not -- any site can do the same (as you said, IE8 "happily opens everything you ask"). And therein lies the risk: should any website to be allowed to coerce the client into opening arbitrary network files?
From a security standpoint, the problem is likely not the image tag itself, but rather that this functionality requires that Internet sites be allowed to coerce access local resources (over the file: protocol) in the client's security context. Even with same-origin policy, this is potentially dangerous, and consequently modern browsers do not allow it.
Beginning with IE9, Microsoft disallows accessing the file: protocol from sites in the Internet zone, and "strongly discourages" disabling this feature. Other modern browsers have similar functionality.
Presumably, the network administrators will eventually need to upgrade from IE8. Upgrading to a newer browser will prevent, by default, the locally-accessed images from loading. So the organization then ultimately has a few choices:
Turn off this security setting, allowing any website to reference local content
Not upgrade, and use IE8 in perpetuity
Run the website in the "Trusted Zone", which by default will permit the site to do anything the user can do (start processes, delete files, read data, etc.).
Develop custom software (BHOs, custom applications, HTAs, etc.) or use COTS software to load the images locally, bypassing the default IE behavior.
Accept the usability impact associated with not showing the local images
Option (1) is clearly a security issue, since it requires disabling a security setting that prevents non-local websites from reading local content. Option (2) presents it own security issues, since older browsers lack some of the security features of newer browsers (like blocking file: protocol access from the Internet zone). Option (3) requires an administrative configuration change, violates least access principles, and (particularly if the site lacks server verification (SSL)) opens the organization to a new and potentially-devastating attack vector.
That leaves Option 4 -- development/deployment of software for this purpose; and Option 5 -- block the images from being displayed.
In the end, the administrators will likely have a strong security interest in moving away from IE8, and an implementation that uses a behavior new browsers do not support can impede such an upgrade, and could reasonably contradict the security interests of the organization.
How can it be done?
Did you ever experienced something like this?
If you're finding JavaScript injected into your web site content (not via XSS but actually present in the file contents) you've most likely been hit by a worm or virus.
A good example is the Gumblar virus, which spread very rapidly indeed a few months ago; it used FTP password sniffing to find FTP details of people's sites and modified them, injecting malicious JavaScript to send site visitors to malware sites etc.
The specifics of removing such viruses depends on the specific virus, but a good start is:
Replace the contents of the site with a known clean backup
Make sure all security patches are applied to your server and all software you're running on it, as well as e.g. any modules or 3rd-party libraries being used on the site
Make sure all computers which are used to access the site (via FTP or an administration interface, for example) have been marked as clean by a reputable and up-to-date virus scanner so you don't get any passwords sniffed
As the password for your site may already have leaked out into the big wide world via (say) a botnet, change all your FTP + administration passwords on the site so you don't just have to go right back to the start again.
Good luck!
You have probably experienced Cross Site Scripting (XSS).
From Wikipedia:
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which enable malicious attackers to inject client-side script into web pages viewed by other users.