![]() This means that a security vulnerability in the app can be exploited to steal or corrupt any data the user can access, install malware, etc. The application that handles the protocol typically runs outside of the browser’s sandbox. stdin) might help reduce the possibility of parsing errors. Moving the App Protocol URL data from the command line to somewhere else (e.g. You can see how your browser behaves using the links on this test page.įuture Opportunity: A richer API contract that allows an App Protocol handler to determine how specifically it was invoked would allow it to better protect itself from unexpected callers. This attack led to remote code execution bugs in App Protocol handlers many times over the years.Ĭhrome began %-escaping spaces and quotation marks 8 back in Chrome 64, and Edge 18 followed suit in Windows 10 RS5.Ĭhromium limits URLs to 2048 characters, but still shows the confirmation prompt for longer URLs. The app’s code saw the –DoSomethingDangerous “argument”, failed to recognize it as a part of the URL, and invoked dangerous functionality. Browsers, including Chrome, Edge, and IE, were willing to include bare spaces and quotation marks in the URL argument, meaning that an app could launch with a command line like: alert.exe " alert:This is an Evil URL" -DoSomethingDangerous -Ignore=This" Until recently, there was an even bigger problem here, related to the encoding of the URL. “ What browser or app invoked this?“, “ What origin invoked this?“, etc) and thus it must make any decisions solely on the basis of the received URL. The app doesn’t get any information about the caller (e.g. When the protocol is invoked by the browser, it simply bundles up the URL and passes it on the command line to the target application. You can quickly find the handlers from the command prompt: reg query HKCR /f "URL Protocol" /s alert) and a shell command in the registry, e.g. In most cases 3, App Protocols are implemented as a simple mapping between the protocol scheme (e.g. We’ve seen apps that reboot the computer without prompt. We’ve seen apps that assumed they’d never get more than 255 characters in their URLs and had buffer-overflows leading to Remote Code Execution when that limit was exceeded. We’ve seen apps where the app will immediately create or delete files without first confirming the irreversible operation with the user. sending your outbound mail to a different server) based on parameters in the URL it receives. We’ve seen apps where the app will silently reconfigure itself (e.g. a “Meet Now” page on a videoconferencing vendor’s website should launch the videoconferencing client) and they were not designed with the expectation that the app could be exposed to potentially dangerous data from the web at large. ![]() ![]() The primary security problem is that most App Protocols were designed to address a particular scenario (e.g. What’s the Security Risk?Ī number of issues make App Protocols especially risky from a security point-of-view. They are the easiest route out of browser sandboxes and are thus terrifying, especially because this exploit vector is stable and available in every browser from legacy IE to the very latest versions of Chrome/Firefox/Edge/Safari. The power and simplicity of App Protocols comes at a cost. ![]() App Protocols can be invoked from almost every browser, and many other surfaces (e.g. Notably, App Protocols are fire-and-forget , meaning that the handler has no direct way to return data back to the browser that invoked the protocol. When the user invokes this url, the handler waits two seconds, then launches its UI to collect a screenshot. For instance, ms-screenclip is a simple app protocol built into Windows 10 that kicks off the process of taking a screenshot: ms-screenclip:?delayInSeconds=2 ( RFC7595 Guidelines).Īpp Protocols 2 are both simple and powerful, allowing client app developers to easily enable the invocation of their apps from a website. Just over eight years ago, I wrote my last blog post about App Protocols, a class of URL schemes that typically 1 open another program on your computer instead of returning data to the web browser. A valid scheme name is an ASCII letter followed by one or more ASCII Letters, Digits, Hyphens, Dots, or Plus characters. Note: This post is part of a series about Web-to-App Communication techniques.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |