tags:

views:

36

answers:

2
+1  Q: 

firefox extension security issue

I'm writing a firefox addon that logs certain user activity and displays some statistics on a webpage.

When the page is opened, the page sends an event to the addon. The addon adds data to the page and sends an event back, and the page refreshes the statistics.

Now how do I ensure that the extension only puts the (sensitive) data on the right page and not some other malicious one?

Thanks V

A: 

SSL. Unless you're doing something weird, the only route of attack is man in the middle.

Longpoke  2010-03-14 16:53:53
A: 

The addon will have to authenticate with the server, probably with a username/password provided by the user. The server side needs to control what events, and from what user that it can accept from the client side. Also note that all authentication should be done over SSL to prevent session hijacking.

Rook  2010-03-14 20:10:19
I'm not seeing how SSL comes into the picture here...I have a webpage that doesnt do any communication with a server, all it does is display some data.The addon gets the data and injects it into the webpage ( in the form of a CDATA section )What I need is a way for the extension to identify that this is the legitimate page before injecting data into it....
rep_movsd  2010-03-15 05:00:25
@rep_movsd I have absolutely no idea what attack you are trying to defend against, you need to update your question or you will not get a valid answer.
Rook  2010-03-16 08:00:23
"What I need is a way for the extension to identify that this is the legitimate page" That's what SSL does.
Longpoke  2010-03-16 14:10:52
Lets say I have a page P and extension E. P loads once from the server and thereafter never talks to the server again (it's supposed to work offline).E logs data and occasionally adds updates into P. Right now my code just checks if the URL of P is the right one. I am not sure if this is a secure enough approach.
rep_movsd  2010-03-17 04:25:54
So then the only attacker would be on the local system, because P is offline. You can't defend against a local attacker, they could just decompile your extension and do whatever they want with it.
Rook  2010-03-17 23:46:14
I think that the attack is: a malicious site creates a rogue page that pretends to be the right page and tries to trick the extension into adding the data to it instead of the right one. It's a question of how can the extension authenticate the page. It's not a local attack.
fms  2010-05-20 13:59:43

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security