I'm looking for an open source headless browser to run on a FreeBSD shared Web server, which can do reasonably accurate rendering of current HTML/CSS/JS.
As I'm not very skillful with Unix/servers and don't have root access, this should have no dependencies that would not be installed on a typical Apache shared Web hosting server (ruling out Java and HtmlUnit I believe), and should ideally even be pre-compiled for FreeBSD.
I guess I need a command-line and/or PHP-accessible interface (I'm not too clear on how any of that will work).
Please respond to this question if:
you're already familiar with this new trend in Web dev of rendering things server-side with headless browsers (e.g. page previews, Google-friendly AJAX indexing, etc.)
and you have some software to recommend for my needs
Thanks
I like lynx, it's a bit limited but unbelievably fast.
Maybe http://phantomjs.org/ is worth having a look at.
Another way is to remote control the real browser using for example
http://www.seleniumhq.org/
Related
Can my system get infected with something by visiting a website using phantomJS? I don't know/trust the website I'm visiting. And if so, how to prevent it/avoid damage?
It is not technically impossible.
PhantomJS uses WebKit as its web browser engine (the same as Safari and many other browsers including earlier versions of Chrome), and it can be compiled against any version of WebKit. This means WebKit is used for parsing and internally rendering a web page.
If the version of WebKit that your version of PhantomJS uses is vulnerable, so will be PhantomJS. If there is something like a buffer overflow or similar remote code execution in WebKit, that can probably also be exploited in PhantomJS too, potentially resulting in a malicious website being able to run code on your computer. These types of flaws (with severity similar to an exploitable remote code execution) are not very frequent, but they happen sometimes. Note that all other, lower risk vulnerabilities of WebKit also affect any version of PhantomJS that is compiled with the vulnerable version of WebKit. What makes this more relevant is that WebKit is used by many projects, so finding and exploiting WebKit vulnerabilities may be worthwhile for an attacker.
PhantomJS itself may also be vulnerable, but the real dangerous thing is parsing the code written by somebody else when visiting the website, and that's done by WebKit. Exploiting flaws in other supporting code in PhantomJS via a visited website would I think be more difficult. Not saying that it's impossible, but the likelihood would I think be low.
As for how to prevent this... The most important thing would be to use a version of PhantomJS that is compiled against a very recent version of WebKit. If there is no known vulnerability for either the WebKit version or the PhantomJS version, you're kind of good to go (but there can always be zero-days of course).
If you are really worried, you could run PhantomJS in isolation. You could set up something similar to a chrooted environment, or an entire dedicated virtual machine. In the latter case the attacker would have to compromise the hypervisor in a completely separate attack, which is probably not impossible, but can be hard, and is very different from any flaw exploited in PhantomJS.
Of course it also depends on what you want to protect against. If you are worried about a compromise of the client running PhantomJS, running it in isolation might be adequate for your scenario. If PhantomJS is part of a larger application and you are worried about the attacker being able to access data in that particular application, you obviously cannot run PhantomJS in isolation from the actual application with the data, so a VM would then not help.
So the bottom line is, yes, it can happen, but it's not very likely, and what countermeasures you need depends on a few things including the risk (what you can lose), and your threat model (what you want to protect against).
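One way to add process-level confinement when the renderer is launched from a script, as an added example that is not part of the original answer: it scrubs the environment, uses a throwaway working directory, and applies resource limits and a timeout. It needs no root but does not replace the chroot or VM isolation described above; the limit values and the name `run_confined` are assumptions.

```python
import os
import resource
import signal
import subprocess
import tempfile

# Assumed limits for this sketch; tune them for the renderer you actually run.
LIMITS = {
    resource.RLIMIT_CPU: 30,              # seconds of CPU time
    resource.RLIMIT_FSIZE: 64 * 1024**2,  # largest file the child may write
    resource.RLIMIT_NOFILE: 64,           # open file descriptors
    resource.RLIMIT_CORE: 0,              # no core dumps containing page content
}

def _apply_limits():
    """Runs in the child between fork and exec; never raises limits."""
    for res, want in LIMITS.items():
        _, hard = resource.getrlimit(res)
        value = want if hard == resource.RLIM_INFINITY else min(want, hard)
        resource.setrlimit(res, (value, value))

def run_confined(argv, timeout=60):
    """Run a renderer of untrusted pages without the caller's environment,
    home directory or open files, and kill it (and its helpers) on timeout."""
    with tempfile.TemporaryDirectory(prefix="render-") as scratch:
        env = {"PATH": "/usr/bin:/bin", "HOME": scratch, "TMPDIR": scratch}
        proc = subprocess.Popen(
            argv, cwd=scratch, env=env, stdin=subprocess.DEVNULL,
            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
            close_fds=True, start_new_session=True, preexec_fn=_apply_limits,
        )
        try:
            out, _ = proc.communicate(timeout=timeout)
            timed_out = False
        except subprocess.TimeoutExpired:
            os.killpg(proc.pid, signal.SIGKILL)  # child leads its own group
            out, _ = proc.communicate()
            timed_out = True
        return {"timed_out": timed_out, "code": proc.returncode, "stdout": out}
```

Pass the renderer's command line as `argv`; anything the page should not be able to reach (credentials, API keys, the application's data directory) must also be unreadable by the account that runs it.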
I have an NPAPI plugin for sign-in data on a website.
I want to replace it with Native Messaging technology. I have read the documentation, but I have a question: Is this technology safe?
Can hackers catch data in transfer from JavaScript to native host app and back?
Edit: merging in a better-worded question:
How secure is stdio data transfer?
Is there a way for a man-in-the-middle attack on such data transfer?
It is, in principle, possible to inspect stdio calls made by an executable.
For instance, on Linux systems, you can use strace for that purpose. I don't know a similar Windows tool, but it's conceivable that it exists.
That would be akin to attaching a debugger to the browser/native host itself, and can only be done by someone who has access to the local machine with the same user credentials or administrative access. In particular, the user running Chrome can do it - just like he/she can use Dev Tools to inspect and intercept the data at the JavaScript side.
So, yes, in principle that can be intercepted, but only by someone with full rights to execute/debug code on the system it's running on, and the OS takes care not to allow normal users to inspect processes of other users in this way.
You realize, of course, that Native Messaging will ONLY work within the bounds of the machine: With native messaging the browser will communicate with your host application over stdin/stdout.
So what exactly is the problem here? If the Hackers are capable of listening to your stdin/stdout they are already on your machine - you've already lost.
Not really; sometimes hackers can find XSS in a vulnerable site, and then it may be possible to use Native Messaging to execute commands on the victim's system.
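A native host should treat every frame arriving on stdin as untrusted input, which is the concern raised in the last comment. The sketch below is an added example, not code from the thread: it parses the Native Messaging framing (a 32-bit length in native byte order followed by UTF-8 JSON) and refuses anything outside a fixed allowlist. The action names and the 64 KiB cap are assumptions.

```python
import json
import struct

MAX_REQUEST = 64 * 1024                     # assumed cap for this host
ALLOWED_ACTIONS = {"ping", "get_card_id"}   # hypothetical action names

class BadMessage(Exception):
    """Raised for any frame the host refuses to act on."""

def read_message(stream):
    """Read one frame: 4-byte native-order length, then UTF-8 JSON."""
    header = stream.read(4)
    if not header:
        return None                          # browser closed the pipe
    if len(header) != 4:
        raise BadMessage("truncated length prefix")
    (length,) = struct.unpack("=I", header)
    if length > MAX_REQUEST:
        raise BadMessage("frame exceeds size cap")
    body = stream.read(length)
    if len(body) != length:
        raise BadMessage("truncated body")
    try:
        msg = json.loads(body.decode("utf-8"))
    except (ValueError, RecursionError) as exc:
        raise BadMessage("body is not UTF-8 JSON") from exc
    action = msg.get("action") if isinstance(msg, dict) else None
    if not isinstance(action, str) or action not in ALLOWED_ACTIONS:
        raise BadMessage("action not on the allowlist")
    return msg

def write_message(stream, obj):
    body = json.dumps(obj).encode("utf-8")
    stream.write(struct.pack("=I", len(body)) + body)
    stream.flush()

def serve(stream_in, stream_out):
    """Answer allowlisted requests; stop at the first bad frame."""
    handled = 0
    while True:
        try:
            msg = read_message(stream_in)
        except BadMessage as exc:
            write_message(stream_out, {"ok": False, "error": str(exc)})
            return handled
        if msg is None:
            return handled
        write_message(stream_out, {"ok": True, "action": msg["action"]})
        handled += 1
```

In a real host the streams are `sys.stdin.buffer` and `sys.stdout.buffer`, and no field of a message is ever passed to a shell or used as a file path without its own validation.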
I know that the LastPass extension has a binary component to communicate passwords between browsers (to Firefox and IE). What mechanisms can be utilized by a Chrome extension to communicate with other system processes?
Apparently there's a Native Messaging API coming soon.
Source
Chromium Commit
Youtube Video example
If you need to communicate with the system, then you have basically two options:
You can embed an NPAPI plugin, which, generally, is discouraged when not absolutely necessary (and even then :) ).
Your system process can run a web server with a well-defined API that your extension talks to. This ends up being message-passing writ large, but has the potential of being much more secure, since the processes can be independently sandboxed. WebSockets are pretty useful for this sort of thing, but a lot can be accomplished with simple HTTP requests to 127.0.0.1 via XHR.
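A server bound to 127.0.0.1 is unreachable from other machines, but any local process and any page open in the browser can still send it requests, so the API needs its own checks. The following is an added example, not code from the answer: it validates the Host header (a guard against DNS rebinding) and a shared secret before serving anything. The port, the `/status` path and the way the token reaches the extension are assumptions.

```python
import hmac
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

def request_allowed(headers, port, token):
    """headers: any mapping with .get(); returns (allowed, reason)."""
    host = (headers.get("Host") or "").lower()
    if host not in {"127.0.0.1:%d" % port, "localhost:%d" % port}:
        return False, "unexpected Host header"        # DNS-rebinding guard
    supplied = headers.get("Authorization") or ""
    expected = "Bearer " + token
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or wrong token"
    return True, "ok"

class ApiHandler(BaseHTTPRequestHandler):
    token = None  # set per server by make_server()

    def do_GET(self):
        ok, reason = request_allowed(
            self.headers, self.server.server_port, self.token)
        status = 403 if not ok else (200 if self.path == "/status" else 404)
        body = json.dumps({"ok": status == 200, "reason": reason}).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep request details out of stderr
        pass

def make_server(token, port=0):
    handler = type("BoundHandler", (ApiHandler,), {"token": token})
    return HTTPServer(("127.0.0.1", port), handler)  # loopback only

if __name__ == "__main__":
    tok = secrets.token_urlsafe(32)  # assumed to be given to the extension at install time
    make_server(tok, 8765).serve_forever()  # port 8765 is an assumption
```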
Okay, here's a complicated one I've been breaking my head over all week.
I'm creating a self service system, which allows people to identify themselves by barcode or by smartcard, and then perform an arbitrary action. I run a Tomcat application container locally on each machine to serve up the pages and connect to external resources that are required. It also allows me to serve webpages which I then can use to display content on the screen.
I chose HTML as a display technology because it gives a lot of freedom as to how things could look. The program also involves a lot of Javascript to interact with the customer and hardware (through a RESTful API). I picked Javascript because it's a natural complement to HTML and is supported by all modern browsers.
Currently this system is being tested at a number of sites, and everything seems to work okay. I'm running it in Chrome's kiosk mode. Which serves me well, but there are a number of downsides. Here is where the problems start. ;-)
First of all I am petrified that Chrome's auto-update will eventually break my Javascript code. Secondly, I run a small Chrome plugin to read smartcard numbers, and every time the workstation is shut down incorrectly Chrome's user profile becomes corrupted and the extension needs to be set up again. I could easily fix the first issue by turning off auto-update but it complicates my installation procedure.
Actually, having to install any browser complicates my installation procedure.
I did consider using Internet Explorer because it's basically everywhere, but with the three dominant versions out there I'm not sure if it's a good approach. My Javascript is quite complex and making it work on older versions will be a pain. Not even mentioning having to write an ActiveX component for my smartcards.
This is why I set out to make a small browser wrapper that runs in full screen, and can read smartcard numbers. This also has downsides. I use Qt: Qt's QtWebkit weighs a hefty 10MB, and it adds another number of dependencies to my application.
It really feels like I have to pick from three options that all have downsides. It really is something I should have investigated before I wrote the entire program. I guess it is a lesson learnt well.
On to the questions:
Is there a pain free way out of this situation? (probably not)
Is there a browser I can depend on without adding tens of megabytes to my project?
Is there another alternative you could suggest?
If you do not see another way out, which option would you pick?
As far as I know, only PHP can't be used for this.
But since not many providers allow installation of Perl/Python/... scripts on shared, I'm wondering whether there is free solution for either
creation of thumbnails or full-size capturing on the fly / on demand and saving it to the server (since snapshot only lets you show thumbnails on hover) - service
or
Flex/Flash solution to capture website and PHP to save it (or save it right with flex/flash) - code to run on server
Is it possible?
To capture what a website looks like, you first need somebody to render it.
Because you are usually optimizing a web site to run on the major browsers, you will want one of them to handle the rendering.
This (opening a browser instance, opening a certain web page, rendering it and dumping a screen shot of the results) is possible - it's how services like browsershots.org work.
It's just not trivial to set up, and requires total freedom in setting up the server (i.e. administrator privileges to install programs, set rights, etc.). It definitely is not possible to do with pure PHP, Perl, Python, or any other scripting language, on a restricted shared hosting environment.
If you're on Windows, the answer to this question may be of help.
For a list of snap shot services, see this question.