Run command on client computer from a browser - browser

I was wondering if it was possible, using some client side scripting language, to run a command on a client computer from a remote web server. For example, what could I do to make a web page that returns information about the client's local ip address, currently running processes, and other info by running some command on their machine and then collecting and printing that data? Also, I only intend to use this on clients running Windows. Thanks in advance for any help!

The amount of information you can collect from client computers is deliberately limited in the name of privacy. If you wanted to accomplish your goals, you would have to have the user consent to giving you this information. For example, you could ask them to install and run a small program on their machine, not limited by what the browser can do or see, and use that to collect and return information to you. The act of asking them to run this program/install a plugin would be the consent. For example, this is what NVidia does to scan your computer and determine which drivers you need on their website, as seen here: http://www.nvidia.com/Download/Scan.aspx?lang=en-us

I think Pwn2Own is over for this year. Even with that, I would hope not.

I think that's called hacking. Browser makers go to great length to prevent this kind of activity because it poses a massive security risk to your users. There might be a way to do such a thing, but it's WRONG to try it.

Related

Execute user script node js (like CodingGame)

I'm currently building a CodingGame like platform for a school project and I wondered how I could handle user script validation.
The goal is to have multiple exercises to solve with an expected response.
For example, there's an error to correct in the exercise and when corrected it should output "hello".
I don't want users to actually do "console.log('hello')" in the IDE on the website if possible :)
The most difficult part is that i don't know how to do execute the actual script given (sent as text to the API).
I just want to start with NodeJS available for the user, no Php or C...
Save the script as localfile wouldn't be a good option I think, that's how we do it for now but I don't know how Coding test platforms actually do it.
The API is hosted on AWS EC2 Amazon Linux instances.
Thank you for your help :)
This is rather an elaborate business requirement and not simply a doubt, but some points that could help you to progress in your project further -
A program is only a program when it is understood by some other program as instruction. Otherwise there's no difference in program.js and program.txt
Validating and running a program are two different things
Running a program on your own system vs allowing anyone to run the same program in your system are entirely different situations in terms of everything. (This is where the web & it's virtues come to play)
There will always be some risk when letting others provide instructions to your systems, as no validation is 100% effective, even if you check for all destructive commands, there will always be more of them. But then again, you'll have to consider this while setting up a virtual machine for the sole purpose of public use. (Like, keeping in mind that this machine can be lost at any moment, so the architecture should be able to handle such losses, either by spinning up a new machine or having a set of replaceable machines for this.)
Isolation & sandboxing of execution is the key in these kind of requirements. So you can have a look at tools like Docker, which could be a bit complex to understand initially, but if it suites your needs then simplicity is just one complexity away.

Automatic machine to machine authentication best practice?

I'm trying to find the best idea/practice for my login protocol and I'd like to pick your brains.
I have one server and a few remote computers that are talking to the server using API (RESTful APIs if it matters) we'll call them "units".
Now I want the units to be able to authenticate to the server and start reporting some data.
Last thing is I want the process to be somewhat automatic, somewhat meaning there will be a one time setup when the unit is installed and from there and on the authentication will be automatic without requiring human interference.
My main security concern is I don't want anyone to be able to report data as one of the units, so I want the unit's identifier to be only known to the unit and the server.
What would be to best way to do something like this? I'm not sure my question is clear enough so please ask me to elaborate on anything I've missed.
P.S.
All the backend/server code is in NodeJS.

secure data transfer between chrome extension and native messaging host [duplicate]

I have a NPAPI plugin for sign-in data on website.
I want to replace it by Native Messaging technology. I have read the documentation, but I have a question : Is this technology safe?
Can hackers catch data in transfer from JavaScript to native host app and back?
Edit: merging in a better-worded question:
How secure is stdio data transfer ?
Is there a way for man-in-middle attack for such data transfer ?
It is, in principle, possible to inspect stdio calls made by an executable.
For instance, on Linux systems, you can use strace for that purpose. I don't know a similar Windows tool, but it's conceivable that it exists.
That would be akin to attaching a debugger to the browser/native host itself, and can only be done by someone who has access to the local machine with the same user credentials or administrative access. In particular, the user running Chrome can do it - just like he/she can use Dev Tools to inspect and intercept the data at the JavaScript side.
So, yes, in principle that can be intercepted, but only by someone will full rights to execute/debug code on the system it's running on, and OS takes care not to allow normal users to inspect processes of other users in this way.
You realize, of course, that Native Messaging will ONLY work within the bounds of the machine: With native messaging the browser will communicate with your host application over stdin/stdout.
So what exactly is the problem here? If the Hackers are capable of listening to your stdin/stdout they are already on your machine - you've already lost.
Not really, sometimes hackers can find XSS in vulnerable site, then it may be possible to use Native Messaging to execute command on Victim system

Validating client binaries in client/server handshake

I am building a client-side program that connects to a server. This client-side program needs to have the source code available to the users as part of the licencing (not an option). However, I need to ensure that when a user connects to the server with that client-side program, it's running with the original code and hasn't been altered and re-compiled.
Is there any way to check during connection to the server that they're using an unaltered version of the program?
No, there's really no way to do that.
You're basically encountering the "Trusted Client" problem. The client code runs on the user's PC, and the user has full control over that PC. He can change the bytes of the program on disk, or even in memory. If you were to try to perform a hash or checksum against the code, he could simply change the code that did that verification and make it return "unmodified".
You could try to make things a little harder on a malicious user but there's no practical way to achieve what you're hoping.
What you have described is a issue that the video game industry has been fighting for the last decade and a half. In short, how to prevent the user from modifying the client (in their case, generally to prevent cheating, though also for copyright reasons). If that effort has taught us anything, it's that preventing modifications to the client is a constant arms race that you will never decisively win. In light of that, don't even try.
Follow the standard client-server assumption that the client is in the hands of the enemy and cannot be trusted. Build your server side defensively based on that assumption and you'll be alright.
It's very very difficult and probably not worth it. But if you are interested in pursuing it you'd have to develop something that has been code signed and monitored by the Windows kernal.
A couple topics that will orient you to the scope of the problem:
Protected media path
Driver signing
Both media devices and device drivers are digitally signed by the manufacturer and continuously monitored by Windows. If anything goes out of whack, it gets shut down (that'ts the technical term). Seems very daunting. And I don't know if the technology is available for desktop software that isn't a device driver and isn't related to DRM.
Good luck!

How can I browse an XSS infected Joomla website for rebuilding purposes without being infected?

Both the web files and the database have been tampered pointing to malicious JavaScript. They have tasked me to rebuild their site, but I would like to be able to view the site if possible to get at the content and view the site as they had a lot of pages. Since I didn’t originally build the site I don’t know the structure of the content.
I don’t have to repair the site; I just need to rebuild it with the CMS of my choice. I don’t know anything about the Joomla database, or know if I can even get access to it to be able to start there.
I originally thought using a virtual machine would be OK for this, but I wasn’t sure if I would be risking my host machine as well using this method. I would of course turn off JavaScript but I was hoping someone else may have been already been down this road and might be able to offer some insight.
Couldn't you just FTP to their host, pull it off and get it working on a machine with no connection?
If you were really paranoid. I don't think an XSS infected site would do too much damage to a properly protected machine anyway.
My paranoid answer:
It's a great idea to turn off Javascript. I would get an extension like Noscript for Firefox or Notscript for Chrome. I use these Noscript regularly, and it makes it easy to see what Javascript is coming from where.
Secondly, your idea with a VM is good, but take it a step further and run Linux in that VM. Linux can be infected, but it is rare to see something that will infect Linux.
Regular expressions and HTML parsers can also be your friends. Script something that can scan files looking for things like script tags and especially iframes. That way you can get an idea of files that have been corrupted and what is calling to where.
One other less likely gotcha is malicious executables or scripts disguised as something innocent like a JPEG, PDFs, etc. If you download and open files off of that machine, make sure it is at least onto your VM with no network connectivity.
Get server logs if you can; perhaps your assailant was sloppy and let some clue about their activities. Perhaps run Wireshark on a second machine to look for things calling out to strange domains. This may be excessive, but I find it to be a fun exercise. :)
Also things like Virustotal and Threat Expert can be your friends if you think you have a malicious file or you see malicious activity. Better to be paranoid than compromised.
Cleaning this type of stuff up isn't exactly rocket science. You just need to get a connection to the backing database server and run a couple queries to kill the xss stuff out of the stored content.
You'd do your client a great service by starting off doing just that.
The VM idea is a good one. krs1 suggests running Linux which is an even better idea as almost all trojans that get downloaded are for Windows. If you run Wireshark while you use the site so you can see what the network traffic looks like and what URLs are being requested, etc. If you run it in a Linux VM though you'll probably only get half the picture since any exploit worth the oxygen it took to keep the programmer alive while it was written will check what platform you're on and only download when you're on an exploitable one.
But I digress, you're rebuilding a website, not doing malware analysis (which is more fun IMO). Once you identify and remove the offending content you should be good. See if you can find out what the exploit was that got them and work with their IT guy if they have one so steps can be taken to mitigate it from happening again.

Resources