QML Security

    pohius
    wrote on 31 Oct 2019, 06:20 last edited by
    #1

    Hey guys,
    I have a pet project. I want to create a QML web browser. It works like this:

    1. Browser makes a request (HTTP) to a remote web server to load a QML file.
    2. Browser makes a request (HTTP) to a remote web server to load data.
    3. Browser displays the QML file and the data.

    I've created a test project and it's working. So my question is: how can I secure my browser?
    I've come across this article and it says

    Do not, for example, use import, Loader or XMLHttpRequest to load any untrusted code or content

    So far I see only one problem: XMLHttpRequest can display local files

    var xhr = new XMLHttpRequest;
    xhr.open("GET", "mydir/myfile.txt");
    xhr.onreadystatechange = function() {
        if (xhr.readyState == XMLHttpRequest.DONE) {
            var response = xhr.responseText;
            // use file contents as required
        }
    };
    xhr.send();
    

    I don't see other vulnerabilities. Will restricting XMLHttpRequest be enough?
    As far as I know you can't run system commands without a C++ backend.
    What do you think?
    Thanks.

      sierdzio
      Moderators
      wrote on 31 Oct 2019, 07:01 last edited by
      #2

      @pohius said in QML Security:

      I don't see other vulnerabilities

      • If you're using plain HTTP, others can read the data as it travels through the network. Use HTTPS instead!
      • Someone can intercept your traffic and send modified QML data to you (man-in-the-middle attack, or they could break into the remote server and replace the QML files)

      The results of such an attack could be huge. Since QML can contain JavaScript code, it means the attacker could do practically anything with your computer once they have the ability to modify the QML files which are received by your browser. They can read files, write files from your disk, for example. This is a very serious security risk.

      So, for sure use HTTPS. Perhaps, as an additional measure, you could encrypt the data using OpenSSL on your server, then inside your app you could verify that data using a public key. But, if somebody gains access to your server, they could break that, too. Well, I don't know, I'm not a security expert :-)

      (Z(:^
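
The verification step suggested in the post above, as an added example that is not part of the thread: the client accepts fetched QML only if a detached signature verifies against a public key pinned in the application. Ed25519, the response shape and every function name here are assumptions, and it is written for Node.js so that it runs standalone.

```javascript
const crypto = require('crypto');

// Constructed demo keys. In a deployment the private key would live on a
// signing machine that is not the web server; only the public key ships
// inside the application.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
// Stands in for any key other than the publisher's.
const otherKey = crypto.generateKeyPairSync('ed25519').privateKey;

// Publisher side: detached signature over the exact bytes that are served.
function signQml(qmlText, key) {
  return crypto.sign(null, Buffer.from(qmlText, 'utf8'), key).toString('base64');
}

// Client side: returns the QML text only if the signature verifies against
// the pinned key; throws before anything is handed to the QML engine.
function acceptFetchedQml(response, pinnedKey) {
  const { body, signature } = response || {};
  if (typeof body !== 'string' || typeof signature !== 'string') {
    throw new Error('malformed response');
  }
  const sig = Buffer.from(signature, 'base64');
  if (sig.length !== 64) throw new Error('bad signature length');
  if (!crypto.verify(null, Buffer.from(body, 'utf8'), pinnedKey, sig)) {
    throw new Error('signature mismatch');
  }
  return body;
}

// Boolean wrapper for callers that only need accept/reject.
function isAccepted(response, pinnedKey) {
  try {
    acceptFetchedQml(response, pinnedKey);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample response.
const page = 'import QtQuick 2.12\nText {\n  text: "hello"\n}';
const good = { body: page, signature: signQml(page, privateKey) };
```

Keeping the private key off the web server means that replacing files on the server is not enough to produce QML the client will accept.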

        pohius
        wrote on 31 Oct 2019, 07:20 last edited by pohius
        #3

        First thing I definitely will be using HTTPS.

        Second thing
        @sierdzio said in QML Security:

        attacker could do practically anything with your computer once they have the ability to modify the QML files

        How can they do that if I disable XMLHttpRequest? When I get QML, I will check for XMLHttpRequest and if it's there I'll show an error.

          sierdzio
          Moderators
          wrote on 31 Oct 2019, 08:22 last edited by
          #4

          @pohius said in QML Security:

          First thing I definitely will be using HTTPS.

          Second thing
          @sierdzio said in QML Security:

          attacker could do practically anything with your computer once they have the ability to modify the QML files

          How can they do that if I disable XMLHttpRequest? When I get QML, I will check for XMLHttpRequest and if it's there I'll show an error.

          They could add this into your QML file, for example:

          Component.onCompleted: {
            doSomeNastyStuff()
          }
          

          (Z(:^

            pohius
            wrote on 31 Oct 2019, 09:19 last edited by
            #5

            @sierdzio said in QML Security:

            doSomeNastyStuff()

            What can they write there to get access to the system files or run a shell command?

              sierdzio
              Moderators
              wrote on 31 Oct 2019, 09:46 last edited by
              #6

              @pohius said in QML Security:

              @sierdzio said in QML Security:

              doSomeNastyStuff()

              What can they write there to get access to the system files or run a shell command?

              function doSomeNastyStuff() {
                // Hang the app:
                var i = 0;
                while (true) { i++; }
              
                // Launch any app
                Qt.openUrlExternally("/path/to/background/bitcoin/miner.exe")
              }
              

              One could also embed an invisible web view in the QML code and open some harmful sites there, download malware etc. Or use some exploit for the CPU speculative engine. Or use the Settings object to save some file on your disk, then use that with openUrlExternally() to launch some unsafe apps.

              I've never been interested in exploiting vulnerabilities or even in learning about it, but I imagine there are hundreds of other harmful things that an attacker could do with such power.

              (Z(:^

                pohius
                wrote on 31 Oct 2019, 10:11 last edited by pohius
                #7

                Sierdzio, that's exactly what I was looking for, thank you so much! Don't want to be rude, but can you please give me some more insecure methods, only the names, just what first comes to mind.

                And the second question: is it viable to block them all, or are there too many of them?
                And thank you once again, you are very helpful.

                  sierdzio
                  Moderators
                  wrote on 31 Oct 2019, 10:34 last edited by
                  #8

                  It's not rude, don't worry.

                  Alas, nothing else comes readily to my mind. I think allowing any JavaScript, embedding a web view and openUrlExternally() have the most potential for harm.

                  (Z(:^

                    pohius
                    wrote on 31 Oct 2019, 10:44 last edited by
                    #9

                    @sierdzio Thank you so much!

                      JKSH
                      Moderators
                      wrote on 1 Nov 2019, 02:08 last edited by
                      #10

                      @pohius said in QML Security:

                      And the second question: is it viable to block them all, or are there too many of them?

                      New vulnerabilities are being discovered frequently. That's why web browser projects (like Google Chrome and Mozilla Firefox) have to keep updating themselves to fix security issues.

                      Qt Doc Search for browsers: forum.qt.io/topic/35616/web-browser-extension-for-improved-doc-searches
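
On the question of blocking by name, an added example that is not part of the thread: it puts the substring check proposed in post #3 next to a fail-closed allowlist that only admits a small declarative subset of QML. This goes beyond what the posters suggest; the allowed imports, the allowed types and all function names are hypothetical policy choices, and the line-based matcher is deliberately stricter than a real QML parser.

```javascript
// Hypothetical policy: what remotely fetched pages may use.
const ALLOWED_IMPORTS = new Set(['QtQuick 2.12']);
const ALLOWED_TYPES = new Set(['Item', 'Rectangle', 'Text', 'Column']);

const IMPORT = /^import\s+(.+)$/;
const OPEN = /^([A-Z][A-Za-z0-9]*)\s*\{$/;
const PROPERTY = /^([a-z][A-Za-z0-9]*(?:\.[a-z][A-Za-z0-9]*)?)\s*:\s*(.+)$/;
const LITERAL = /^(?:-?\d+(?:\.\d+)?|true|false|"(?:[^"\\]|\\.)*")$/;

// The check proposed in the thread: reject only when one known name appears.
function denylistAccepts(source) {
  return !source.includes('XMLHttpRequest');
}

// Fail-closed check: every non-empty line must be an allowed import, an
// allowed element opening, a closing brace, or a property set to a literal.
function allowlistProblems(source) {
  const problems = [];
  let depth = 0;
  source.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    const reject = (why) => problems.push(`line ${i + 1}: ${why}`);
    let m;
    if (line === '') return;
    if ((m = IMPORT.exec(line))) {
      if (!ALLOWED_IMPORTS.has(m[1])) reject(`import not allowed: ${m[1]}`);
    } else if ((m = OPEN.exec(line))) {
      depth++;
      if (!ALLOWED_TYPES.has(m[1])) reject(`type not allowed: ${m[1]}`);
    } else if (line === '}') {
      if (--depth < 0) reject('unbalanced closing brace');
    } else if ((m = PROPERTY.exec(line))) {
      if (/^on[A-Z]/.test(m[1])) reject(`signal handler: ${m[1]}`);
      else if (!LITERAL.test(m[2])) reject(`non-literal value: ${m[1]}`);
    } else {
      reject('construct outside the allowed subset');
    }
  });
  if (depth > 0) problems.push('unclosed element');
  return problems;
}

// Constructed samples; the second reuses the handler shown in post #4.
const BENIGN = 'import QtQuick 2.12\nText {\n  text: "hello"\n  font.pixelSize: 14\n}';
const HOSTILE = 'import QtQuick 2.12\nItem {\n  Component.onCompleted: {\n    doSomeNastyStuff()\n  }\n}';
```

The substring check accepts `HOSTILE` because the name it looks for never appears, while the allowlist rejects it without knowing what the handler does. String-valued properties such as URLs, and the behaviour of each allowed type, still need their own review.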
