FireBug Lite Extension For Security


Eric Dorman

Feb 23, 2010, 12:45:40 PM2/23/10
to Firebug
Hey guys,

Pedro and I have been talking about this new extension I would like to
build for FireBug, but it is mainly focused on finding bad code or
malicious code in websites. It's sort of like the YSlow Extension. This
extension would be used not only for web developers, but for users to
see code that could be used for dangerous purposes. I am sort of
thinking of doing an extension that could help people find out or track
potential Security Problems.

Thanks & God Bless,
Eric Dorman

Pedro Simonetti Garcia

Feb 24, 2010, 1:26:21 AM2/24/10
to fir...@googlegroups.com
Hi Eric,

Taking YSlow as an example, I suppose it would be good as a starting
point to define the "security rules" your extension will be looking for,
like "don't use window.eval()" etc.

To get started with Firebug Lite code, I suggest reading the
"d) Development mode" section under "Install" instructions:

http://getfirebug.com/releases/lite/beta/#Install

If you're not familiar with Firebug (Lite or not) extension development,
I suggest you read the awesome tutorial Honza wrote (you can skip
the XUL related content and start reading where it says "This is how the
JS script looks like"):

http://www.softwareishard.com/blog/firebug-tutorial/extending-firebug-hello-world-part-i/

So, here's the basic structure of an extension:
-----------------------------------------------------------
// Everything lives inside the Firebug Lite namespace wrapper so that
// the FBL helpers (extend, etc.) are in scope.
FBL.ns(function() { with (FBL) {

// Constructor for the new panel; the real work is in the prototype.
function HelloWorldPanel() {}

HelloWorldPanel.prototype = extend(Firebug.Panel,
{
    name: "HelloWorld",        // internal panel id
    title: "Hello World!",     // label shown on the panel tab

    // Always chain to the base Panel initializer.
    initialize: function() {
        Firebug.Panel.initialize.apply(this, arguments);
    }
});

// Make the panel known to Firebug so it appears in the UI.
Firebug.registerPanel(HelloWorldPanel);

}});
-----------------------------------------------------------

Note that while I tried to use the exact same API for Firebug Lite,
currently some parts of the API are different. This means that not
every tutorial in Honza's site will work as it is.

You can also read about domplate (Firebug's template engine):

http://www.softwareishard.com/blog/firebug-tutorial/extending-firebug-domplate-part-v/


We currently don't have good documentation for Firebug Lite
development (I'll try to address this soon), so feel free to ask
me if you have any doubts about the code.

regards,

Pedro Simonetti.


John J Barton

Feb 24, 2010, 11:53:21 AM2/24/10
to Firebug

On Feb 23, 10:26 pm, Pedro Simonetti Garcia <pedrosimone...@gmail.com>
wrote:


> Hi Eric,
>
> Taking YSlow as an example, I suppose it would be good as a starting
> point to define the "security rules" your extension will be looking for,
> like "don't use window.eval()" etc.

And this could be very difficult since someone like myself will object
that there is nothing about window.eval() that is the least bit
insecure!

window.eval() is exactly as secure as "<script>" tags or
"document.write()" or "new Function()". These all compile and run
Javascript code. Since the code that calls window.eval() is also
Javascript, window.eval() is not intrinsically insecure.

Web pages ('content documents' in Mozilla-speak) are secured by the
browser. Browsers are easily the most secure computing environment on
the Internet simply because so many developers work on it and so many
people test it. If an analysis tool can find any operations in a web
page that are insecure, then the browser is broken and will need to be
fixed.

Extensions are part of the browser so they can make operations that
break the browser security. One indirect way to break the browser
security is for otherwise secure code to issue window.eval() and pass
a string obtained over an insecure Internet connection. Since AJAX is
very easy to code, simple extensions can easily make this mistake.
But the lack of security comes from the insecure Internet connection,
not from eval().

jjb

Eric Dorman

Feb 24, 2010, 1:40:07 PM2/24/10
to Firebug
Hey guys, Thanks for that great info on that stuff.

Is there a way to take or use a Firebug Lite Extension to help protect
users from Security issues in the browser? I don't know if I am making
myself clear on this, but I am just wondering if there could be some
way to design an extension to help protect users from Security Hacks
or attacks in the browser.

I know this probably sounds like an anti-virus type issue I am trying
to solve, but it's more than that. I am just wondering if there is a
way to help protect people from malicious code in the browser.

Thanks for the great information you gave me.

Thanks & God Bless,
Eric Dorman


On Feb 24, 11:53 am, John J Barton <johnjbar...@johnjbarton.com>
wrote:

John J Barton

Feb 24, 2010, 1:47:35 PM2/24/10
to Firebug

On Feb 24, 10:40 am, Eric Dorman <dorman...@gmail.com> wrote:
> Hey guys, Thanks for that great info on that stuff.
>
> Is there a way to take or use a Firebug Lite Extension to help protect
> users from Security issues in the browser? I don't know if I am making
> myself clear on this, but I am just wondering if there could be some
> way to design an extension to help protect users from Security Hacks
> or attacks in the browser.

I believe the answer is "no" because the browser already protects
users from attack.

jjb

Eric Dorman

Feb 24, 2010, 1:53:40 PM2/24/10
to Firebug
Hey John,

Yeah I know, but I just think there could be more ways to help protect users,
and something like Firebug Lite designed specifically for Security
could double the protection or at least help it. I am trying to find
some middle ground in building something like a Firebug Lite Extension
that would not only be for developers to locate bugs, but also be a bug
finder for everyday users who visit sites.

Just my opinion. :)

Pedro Simonetti Garcia

Feb 24, 2010, 8:34:07 PM2/24/10
to fir...@googlegroups.com
Hi there,

2010/2/24 John J Barton <johnj...@johnjbarton.com>:


>
>
> On Feb 24, 10:40 am, Eric Dorman <dorman...@gmail.com> wrote:
>> Hey guys, Thanks for that great info on that stuff.
>>
>> Is there a way to take or use a Firebug Lite Extension to help protect
>> users from Security issues in the browser? I don't know if I am making
>> myself clear on this, but I am just wondering if there could be some
>> way to design an extension to help protect users from Security Hacks
>> or attacks in the browser.
>
> I believe the answer is "no" because the browser already protects
> users from attack.

JJB made some really good observations.

I thought that you were talking about an extension that helps
*developers* build more secure web applications, and not
exactly an "extension to help protect users".

Let's say you visit a malicious website and it infects your
computer with some malware. There's no way for Firebug
Lite to prevent this from happening, since the infection is a
result of a weakness in the browser.

I'm not a security expert, so I may not be the right person
to talk about this subject, but I do believe there are some
rules / guidelines that *developers* could follow to make
their web application safer.

I mentioned "window.eval()" because it was the first thing
that came to my mind, but I do agree with what JJB said,
that "window.eval()" itself isn't unsafe, but it could cause
a security problem if you evaluate an external script from
a non-trusted party, or from a non-secure protocol.

One better example I could give is the use of HTTP protocol.
HTTP is not a safe protocol, and it could allow the
"Man-in-the-middle attack". So a better way to protect
your web application is to use only safe protocols (like
HTTPS) for all resources loaded in your app (scripts,
stylesheets, images, etc).

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

So, an extension could alert the developer with a message
"you are using an unsafe protocol, use HTTPS instead".

But even so, detecting some other security problems can
be very hard. For example, how could the extension know
that you're using a "window.eval()" to evaluate an external
script? There's no way to know without analyzing the source
code, and implementing an automatic analysis for that would
be very hard.

regards,

Pedro Simonetti.
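The "unsafe protocol" rule Pedro sketches above, written out as an added example in the YSlow style the thread mentions (this is not code from the thread, from Firebug Lite, or from YSlow; the rule format, the function names `auditResources` / `collectResources` and the sample page are all invented for illustration). Resource URLs are resolved against the page URL first, so protocol-relative and path-relative references are judged by the protocol they actually inherit rather than flagged by a naive string match:

```javascript
// Added example, not part of the original thread or of Firebug Lite.
// A tiny rule engine: each rule looks at one loaded resource and says
// whether it violates the rule. Only one rule is defined here, the
// "use HTTPS instead" check from the post.
const rules = [
  {
    id: "unsafe-protocol",
    message: "you are using an unsafe protocol, use HTTPS instead",
    check(resource) {
      // Resolve relative to the page so "//cdn/x.js" and "/img/a.png"
      // inherit the page's scheme instead of being misreported.
      const url = new URL(resource.url, resource.pageUrl);
      return url.protocol === "http:";
    },
  },
];

// Run every rule over every resource and return the findings
// (rule id, element tag, absolute URL and the developer-facing message).
function auditResources(pageUrl, resources) {
  const findings = [];
  for (const r of resources) {
    const resource = { tag: r.tag, url: r.url, pageUrl };
    for (const rule of rules) {
      if (rule.check(resource)) {
        findings.push({
          rule: rule.id,
          tag: r.tag,
          url: new URL(r.url, pageUrl).href,
          message: rule.message,
        });
      }
    }
  }
  return findings;
}

// Gather resource references from a live DOM. Only meaningful inside a
// browser (or a Firebug panel); in Node there is no document, so the
// constructed sample below is used instead.
function collectResources(doc) {
  const selectors = [
    ["script", "src"], ["link", "href"], ["img", "src"], ["iframe", "src"],
  ];
  const out = [];
  for (const [tag, attr] of selectors) {
    for (const el of doc.querySelectorAll(`${tag}[${attr}]`)) {
      out.push({ tag, url: el.getAttribute(attr) });
    }
  }
  return out;
}

// Constructed sample: an HTTPS page that loads a mix of resources.
const samplePageUrl = "https://app.example.test/index.html";
const sampleResources = [
  { tag: "script", url: "https://cdn.example.test/lib.js" },
  { tag: "script", url: "http://cdn.example.test/analytics.js" }, // flagged
  { tag: "link",   url: "//fonts.example.test/font.css" },        // inherits https
  { tag: "img",    url: "/images/logo.png" },                     // inherits https
  { tag: "iframe", url: "http://widgets.example.test/embed" },    // flagged
];

function sampleFindings() {
  return auditResources(samplePageUrl, sampleResources);
}

// Stand-alone run: audit the real page in a browser, the sample elsewhere.
if (typeof document !== "undefined") {
  console.log(auditResources(document.location.href, collectResources(document)));
} else {
  console.log(sampleFindings());
}
```

Inside a Firebug Lite panel the `collectResources(document)` path would feed the current page's elements into the same `auditResources` call, and each finding could be rendered as one alert line in the panel. The `rules` array is where further developer-oriented checks would go; as the post notes, something like "eval of a string fetched over the network" needs data-flow analysis of the page's scripts and does not fit this one-resource-at-a-time shape.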

Eric Dorman

Feb 26, 2010, 11:21:08 AM2/26/10
to Firebug
Hey guys,

Thanks for that great info.

If there is possibly a way to access the browser from a web app, how
would you do that, or is it even possible?

I think you all know what I am trying to build here, but is there a way
to access or use pieces of the browser without breaking it?

I know you guys would probably say just make an add-on if you want to
interact with the browser, but I am wondering if there is any way you
could interact with the browser or access certain tools of the browser
with a web app?

Oh and I hope Firebug 1.5.2 is stable.

Thanks & God Bless,
Eric Dorman

On Feb 24, 8:34 pm, Pedro Simonetti Garcia <pedrosimone...@gmail.com>
wrote:
> Hi there,
>
> 2010/2/24 John J Barton <johnjbar...@johnjbarton.com>:
