Web Development with sandboxing


#1

Post by Reece.McCaskill »

This topic is not anything out of the ordinary... Today, there are web development languages, such as PHP and ASPX, which deliver web features, such as forums or Remote Desktop, by using live code to access or manipulate code to deliver the services. Most of the time, this content is “sandboxed”, meaning the web browser prevents the code from opening files or folders locally on your own drive without your permission. However, if there were malicious code to upload a file or folder targeted at a specific person or company, this could become a large issue.

Web browsers like Chrome usually warn you of malicious code, but how can they warn you if they don’t know that file uploads could be malicious? How does the browser determine if you decided to upload a file, or if the code was injected to upload in the background without you knowing?

One workaround is Chrome telling you the upload progress in the bottom left corner when a file is being uploaded; however, on sites such as YouTube, this information is not present as the progress bar is on-screen. So, the question - if YouTube can make the upload message disappear from the bottom left corner when uploading files, what other sites can do this and how do we prevent this type of malicious code from uploading the contents of our drive?

First off, the attacker needs to know (and be certain) that a file exists in the path specified in the malicious code and on the contents of your drive. Secondly, they’d need to bypass the “select a file” pop-up window (which is possible!).
Finally, they need to keep the user on the infected page, maybe display a video to the target?

In conclusion, the actual question is - are web browsers secure enough to defend against these attacks?

by James » Sun Oct 06, 2019 1:12 am
And the answer is... no :P

It's pretty good for guarding against relatively amateur attacks, unless the user is impaired enough to do dumb shi.. take mushrooms, that would compromise them readily. So the average user who is not doing fu.. dging stupid cra... bs is protected against low level crimes, but important or valuable targets are not fully shielded. If the pros want to get you, they'll get you, unless you're insanely careful, but even then you'll probably mess up, so they'll just get you lol.

In any case, now that everyone is paying for Alexa and her ilk to grace every space in their lives, we're all buggered anyway. I thought 1984 was a commonly read novel? That spying bi... scuit, is constantly eavesdropping - and it is constant, hence she can hear her name. Oh but wait I hear... the companies promised they wouldn't... they wouldn't... do what they did last time, and the time before, and the time before lol. Let's just trust the cu... ckoos, because ooooh look it talks and it's shiny lmap.

That could be another good topic in itself, along with the voice analysis patent filed for automatic dispatching of police to locations where digital assistants detect aggressive or frightened voices.
Reece.McCaskill
Access Remote Project Leader
Global Administrator