Security/Reviews/NetworkMonitor

From MozillaWiki

Item Reviewed

Network Monitor
Target

Full Query
ID      Summary                                           Priority  Status
749411  [meta] NetMonitor should be prefed on by default  P1        RESOLVED
753703  SecReview: Network Monitor                        --        RESOLVED

2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%);

Source: https://github.com/firebug/httpmonitor

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

The Firebug net panel provides a useful way of looking at the HTTP activity of a tab. Work is underway to extract the net panel logic from Firebug and expose it within Firefox (currently as an extension, eventually in-browser) in two ways:
  1) a Firebug-free version of the net panel UI;
  2) an HTTP tracking component that can be used by the above and by any other tools that want to intercept and analyse HTTP traffic.

  • NetMonitor makes use of the debugger protocol built for JSD2. Currently (in the extension) it creates its own listener, which communicates via this protocol; eventually, the plan is to share listeners when both remote debugging and remote monitoring are enabled. Note: this review is not intended to cover the debugger protocol itself; hopefully we can cover that on the 24th in the debugger review session. Obviously, any net-monitor-specific implications are in scope.
  • Remote features will be prefed on / off en masse (it shouldn't be a surprise for users when, e.g., the monitor is started but debugging is also possible), e.g. "you are allowing another machine to take control of your browser".
  • Currently doesn't support anything other than HTTP.
  • Uses existing Necko APIs. If the monitor should intercept other types, we'd need hooks to be available for other events, etc.
    • So far, WebSockets are the most likely to happen soon.

What solutions/approaches were considered other than the proposed solution?

`

Why was this solution chosen?

`

Any security threats already considered in the design and why?

`

Threat Brainstorming

  • Are the File objects persisted on disk? Also, are these files different per tab / in private-browsing mode?
    • No.
    • When are the files deleted if persisted?
      • N/A; see above.
  • Is this enabled all the time or per user request?
    • By default it's per tab (clear cache when changed).
    • There's a persist button to enable "persist mode", which allows previous requests to be kept in the console (for analysing redirects or page flow).
  • When the response body is displayed to the user, sometimes it's useful for it to be formatted somehow (e.g. for JSON / XML you might want an expandable tree).
    • In these cases it's important to mention that if we're parsing that content, that could have security implications.
    • There are a number of potential flaws to worry about in the UI part of the output (output filtering, etc. is important).
  • The response body is displayed as text in the UI, and is also limited by size to avoid crashes. There is a limit on the display and a separate limit on the cache.
  • Everything displayed to the user is in an iframe (origin: chrome). Recommended as a defense-in-depth measure to remove privileges where possible. The whole UI is injected into the iframe... it looks like it might need scripting (maybe use the sandbox feature when we've got that done).
    • Find the docshell that's associated with the iframe and "fiddle with that" to control this.
    • Is there a reason this would be a better solution than CSP? Because CSP needs an origin. The docshell features don't care where things are loaded from, as they're features of the container and not the document. If you know it can't navigate then you could inject a CSP on that (otherwise an attacker could inject a link in there, and navigation could result in the CSP becoming non-effectual).
  • What if the image requests are not idempotent? Or if the resource is switched after the original request?
    • What about URLs changing to a JS URL?
    • What about images being a lot larger than they were originally?

Action Items

Action Item Status: In Progress
Release Target: `

Action Items

Who          Bug     Action                                                                                                                            By When        Status
Legend: [NEW] new, [DONE] Done, [MISSED] Miss

Joe / Honza  757432  Look at restricting privileges of the iframe. CSP possible if navigation is not allowed, otherwise look at docshell tricks / iframe sandbox.  before Aurora  [NEW] new
Joe / Honza  757434  Put in a check that the URL is http / https.                                                                                      before Aurora  [NEW] new
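The checks raised in the threat brainstorming (response bodies capped before display, JSON formatted without evaluating it) and in action item 757434 (only http / https URLs re-requested for preview) can be sketched in a few functions. This is an added example and not code from the NetMonitor or httpmonitor projects; the function names, the 1 MiB display limit and the sample entries are this example's own assumptions.

```javascript
// Added example, not code from the NetMonitor/httpmonitor project. It shows
// three defensive checks the review asks for: a scheme allowlist applied
// before a captured URL is loaded into the preview pane (action item 757434),
// a hard cap on how much of a response body reaches the UI, and building a
// JSON tree with JSON.parse rather than any evaluating route.

// Only plain web schemes may be re-requested for preview. javascript:, data:,
// file: and chrome: URLs are refused even if they showed up in captured traffic.
const PREVIEWABLE_SCHEMES = new Set(["http:", "https:"]);

function isPreviewableUrl(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl);            // throws on anything unparseable
  } catch (_) {
    return false;
  }
  return PREVIEWABLE_SCHEMES.has(parsed.protocol);
}

// Cap the body handed to the display layer. The review notes a display limit
// separate from the cache limit; 1 MiB is an assumed value for this example.
const DISPLAY_LIMIT_BYTES = 1024 * 1024;

function truncateForDisplay(body, limit = DISPLAY_LIMIT_BYTES) {
  if (body.length <= limit) {
    return { text: body, truncated: false };
  }
  return { text: body.slice(0, limit), truncated: true };
}

// Build a plain data tree for an expandable JSON view. JSON.parse never
// executes content, and every leaf is a string, so a renderer can populate
// nodes with textContent and no markup from the response is interpreted.
function jsonToTree(text) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (_) {
    return null;                         // not JSON: caller falls back to raw text
  }
  const toNode = (v, name) => {
    if (v !== null && typeof v === "object") {
      const isArray = Array.isArray(v);
      const children = isArray
        ? v.map((c, i) => toNode(c, String(i)))
        : Object.keys(v).map((k) => toNode(v[k], k));
      return { name, kind: isArray ? "array" : "object", children };
    }
    return { name, kind: v === null ? "null" : typeof v, value: String(v) };
  };
  return toNode(value, "$");
}

// Constructed sample entries in the shape the monitor might hand to the UI.
const SAMPLE_ENTRIES = [
  { url: "https://example.test/api/items", body: '{"items":[1,2],"ok":true}' },
  { url: "javascript:void(0)", body: "" },
  { url: "data:text/plain,hello", body: "" },
];

// Decide, per entry, whether the preview pane may touch it and what to show.
function reviewEntries(entries) {
  return entries.map((e) => {
    const previewable = isPreviewableUrl(e.url);
    const shown = previewable ? truncateForDisplay(e.body) : null;
    return {
      url: e.url,
      previewable,
      truncated: shown ? shown.truncated : false,
      tree: shown ? jsonToTree(shown.text) : null,
    };
  });
}

console.log(JSON.stringify(reviewEntries(SAMPLE_ENTRIES), null, 2));
```

The scheme check relies on the URL parser rather than a string prefix test, so a leading space, mixed case or an unusual scheme all fail closed. Truncation is applied before parsing so the display limit also bounds the work the JSON formatter does.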
Full Query
ID Summary Priority Status
757432 SecReview: Network Monitor - iframe privileges -- RESOLVED
757434 SecReview: Network Monitor - http check -- RESOLVED

2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%);
