
QML Security



  • Hey guys,
    I have a pet project. I want to create a qml web browser. It works like this:

    1. Browser makes a request (HTTP) to a remote web server to load a QML file.
    2. Browser makes a request (HTTP) to a remote web server to load data.
    3. Browser displays the qml file and the data.

    I've created a test project and it's working. So my question is how can I secure my browser?
    I've come across this article and it says

    Do not, for example, use import, Loader or XMLHttpRequest to load any untrusted code or content

    So far I see only one problem: XMLHttpRequest can display local files

    var xhr = new XMLHttpRequest;
    xhr.open("GET", "mydir/myfile.txt");
    xhr.onreadystatechange = function() {
        if (xhr.readyState == XMLHttpRequest.DONE) {
            var response = xhr.responseText;
            // use file contents as required
        }
    };
    xhr.send();
    

    I don't see other vulnerabilities. Will restricting XMLHttpRequest be enough?
    As far as I know you can't run system commands without a C++ backend.
    What do you think?
    Thanks.


  • Moderators

    @pohius said in QML Security:

    I don't see other vulnerabilities

    • If you're using plain HTTP, others can read the data as it travels through the network. Use HTTPS instead!
    • Someone can intercept your traffic and send modified QML data to you (man in the middle attack, or they could break into the remote server and replace the QML files)

    The results of such an attack could be huge. Since QML can contain JavaScript code, it means the attacker could do practically anything with your computer once they have the ability to modify the QML files which are received by your browser. They can read files or write files on your disk, for example. This is a very serious security risk.

    So, for sure use HTTPS. Perhaps, as an additional measure, you could encrypt the data using OpenSSL on your server, then inside your app you could verify that data using the public key. But, if somebody gains access to your server, they could break that, too. Well, I don't know, I'm not a security expert :-)
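
The sign-on-the-server, verify-in-the-app idea from the reply above, sketched with the OpenSSL command line as an added example (not code from the thread). File names are constructed, and it assumes the private key is kept off the web server and the public key ships inside the browser, so a modified QML file fails the check before it reaches the QML engine.

```shell
#!/bin/sh
# Added example: detached-signature check for a downloaded QML file.
# File names and key layout are assumptions, not taken from the thread.

# Publisher side (run offline; the private key never sits on the web server).
make_keypair() {  # $1 = private key out, $2 = public key out
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null &&
    openssl pkey -in "$1" -pubout -out "$2"
}

sign_qml() {  # $1 = private key, $2 = QML file, $3 = signature out
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Client side: the public key is bundled with the browser, not downloaded.
# Returns 0 only when the signature matches; 2 when an input is missing or
# empty. The caller must refuse to load the file on any non-zero status.
verify_qml() {  # $1 = public key, $2 = QML file, $3 = signature
    [ -s "$2" ] && [ -s "$3" ] || return 2
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_keypair "$d/priv.pem" "$d/pub.pem" || return 1

    # Constructed sample page standing in for the server's QML file.
    printf 'import QtQuick 2.0\nText { text: "hello" }\n' > "$d/page.qml"
    sign_qml "$d/priv.pem" "$d/page.qml" "$d/page.qml.sig" || return 1

    verify_qml "$d/pub.pem" "$d/page.qml" "$d/page.qml.sig" &&
        echo "untouched file: signature ok, load it"

    # Constructed tamper: a line appended after signing, as a
    # man-in-the-middle or a compromised web server would do.
    printf 'Component.onCompleted: doSomeNastyStuff()\n' >> "$d/page.qml"
    verify_qml "$d/pub.pem" "$d/page.qml" "$d/page.qml.sig" ||
        echo "modified file: signature mismatch, refuse to load"

    rm -rf "$d"
}

demo
```

A valid signature only shows that the file came from the key holder unchanged; it does not make the QML it contains harmless.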



  • First thing I definitely will be using HTTPS.

    Second thing
    @sierdzio said in QML Security:

    attacker could do practically anything with your computer once they have the ability to modify the QML files

    How can they do that if I disable XMLHttpRequest? When I get qml, I will check for XMLHttpRequest and if it's there I'll show an error.


  • Moderators

    @pohius said in QML Security:

    First thing I definitely will be using HTTPS.

    Second thing
    @sierdzio said in QML Security:

    attacker could do practically anything with your computer once they have the ability to modify the QML files

    How can they do that if I disable XMLHttpRequest? When I get qml, I will check for XMLHttpRequest and if it's there I'll show an error.

    They could add this into your QML file, for example:

    Component.onCompleted: {
      doSomeNastyStuff()
    }
    


  • @sierdzio said in QML Security:

    doSomeNastyStuff()

    What can they write there to get an access to the system files or run a shell command?


  • Moderators

    @pohius said in QML Security:

    @sierdzio said in QML Security:

    doSomeNastyStuff()

    What can they write there to get an access to the system files or run a shell command?

    function doSomeNastyStuff() {
      // Hang the app:
      var i = 0;
      while (true) { i++; }
    
      // Launch any app
      Qt.openUrlExternally("/path/to/background/bitcoin/miner.exe")
    }
    

    One could also embed an invisible web view in the QML code and open some harmful sites there, download malware etc. Or use some exploit for the CPU speculative engine. Or use a Settings object to save some file on your disk, then use that with openUrlExternally() to launch some unsafe apps.

    I've never been interested in exploiting vulnerabilities or even in learning about it, but I imagine there are hundreds of other harmful things that an attacker could do with such power.



  • Sierdzio, that's exactly what I was looking for, thank you so much! Don't want to be rude, but can you please give me some more insecure methods, only the names, just what first comes to mind.

    And the second question: is it viable to block them all, or are there too many of them?
    And thank you once again, you are very helpful.


  • Moderators

    It's not rude, don't worry.

    Alas, nothing else comes readily to my mind. I think allowing any JavaScript, embedding web view and openUrlExternally() have the most potential for harm.



  • @sierdzio Thank you so much!


  • Moderators

    @pohius said in QML Security:

    And the second question: is it viable to block them all, or are there too many of them?

    New vulnerabilities are being discovered frequently. That's why web browser projects (like Google Chrome and Mozilla Firefox) have to keep updating themselves to fix security issues.

