Hi All,

I am wanting to find out whether or not it is possible to inject JavaScript into the .NET WebBrowser control from outside the running application?

Thanks

STW


Clarification: I am wanting to know if someone can get hold of the internal process of the wrapped components and manually insert what they like into the "browser" portion of the application.

+3  A: 

It is no different for WebBrowser from Internet Explorer. Once an app can obtain the window handle for WB, it can use LresultFromObject() to get access to the Accessibility interface, the one used by screen readers. I've seen this used to get an IHTMLDocument2 interface pointer, providing access to the DOM. Of course, once an app gains enough privilege to do this, there will be many other ways to accomplish the same. Focus on securing IE first, WebBrowser will follow suit since it is simply IE without the frame window.

Hans Passant
A: 

Can you clarify what is the attack vector that you are worried about?

'Who' are you worried that can inject data into the .NET WebBrowser object: a) the user running the application? b) a piece of software running on the same box under the same user identity? c) somebody sniffing the HTML traffic (between user and webserver) and (maybe) modifying it? d) another website that is opened on a different tab?

You basically need to do a Threat Model exercise of your use case and share with us the results (here is some info on Threat Modeling: http://en.wikipedia.org/wiki/Threat_model)

Dinis Cruz
A: 

If, when you ask in your clarification "... I am wanting to know if someone can get hold of the internal process of the wrapped components and manually insert what they like into the "browser" portion of the application....", you mean '...another process running on your computer as the same user (let's say for example a malicious copy of WinZip)...' then YES, it will be possible.

In Windows there is NO separation between processes that belong to the same user, so if you have an application XYZ that contains a WebBrowser control, then another app (the malicious WinZip app) will be able to hook into that process and manipulate the contents of what you see on that WebBrowser.

(note that Vista/Windows 7 have added UAC (User Access Control) which I believe doesn't prevent this from happening)

Dinis Cruz
Did I get this right? Any process started with my user can manipulate any other process started with my user and therefore change or take data from it?
TheChange
Yes, that is correct (I think there are some caveats that require some workarounds if UAC is used (note that Microsoft has confirmed that UAC is not a security isolation technology)).
Dinis Cruz