DOM Visibility (Security-related)


Postby fuzzball » Wed Feb 28, 2018 5:14 pm

I'm very new to CEF and I have a question as it relates to the security of the data/DOM of my CEF application.

Obviously when I create a web-app, any user can activate the developer tools of their browser and see much of the makeup of a web app. With CEF I see the sample app has a specific feature to enable remote debugging, but I'm wondering if that is specific to that app, or is that baked into CEF? Could someone find a way to connect to my app and get access to the internals, like the DOM structure. Also, is there any other way that the DOM could be exposed? I can see that if I distribute my JS externally then a user could hack/modify, but if everything is embedded, then I imagine it eliminates that potential threat. I also thought about HTTPS traffic getting captured (like Fiddler) but assume that as long as I encrypt any data that is sent out/received then I'm covered there. Just wondering how exposed my app would be, and what additional security issues I would have to deal with.

If there is a simple Wiki link that I haven't found yet that answers this that would be great as well. Thanks for reading!
fuzzball
Newbie
Posts: 2
Joined: Wed Feb 28, 2018 5:05 pm

Re: DOM Visibility (Security-related)

Postby magreenblatt » Wed Feb 28, 2018 11:03 pm

I suggest you approach the question from a different perspective. What's the worst that can happen if someone gains access to your application logic? What can you do to mitigate those risk factors (e.g. from a backend/service perspective)?

Any software installed on another person's machine is subject to decompilation, modification or hijack. Assume that it will happen if the party is motivated enough and protect against potential consequences.
magreenblatt
Site Admin
Posts: 12382
Joined: Fri May 29, 2009 6:57 pm

Re: DOM Visibility (Security-related)

Postby fuzzball » Thu Mar 01, 2018 9:33 am

Certainly good advice, and I do make assumptions like that. However, due to how new I am to CEF (and the wrappers like Electron, CefSharp, etc.), I want to make sure there isn't some known open/backdoor that I should be aware of. Aside from things like decompilation, et al., does CEF, when used in one of the desktop application wrappers, expose its DOM through some mechanism? If it doesn't, then that's great, I just continue with my normal paranoia/lockdown. If it does expose something, then I want to be sure I understand it and address it appropriately.

Thanks for the feedback!
fuzzball
Newbie
Posts: 2
Joined: Wed Feb 28, 2018 5:05 pm

Re: DOM Visibility (Security-related)

Postby magreenblatt » Thu Mar 01, 2018 10:05 am

With CEF-based projects you can disable configuration via command-line flags by setting CefSettings.command_line_args_disabled. That will remove the ability to easily enable remote debugging, change proxy settings, etc. You can also encrypt and/or obfuscate any HTML/JS code built into your application to make it harder to extract from the binary contents, or protect your whole application using a third-party tool like Themida. However, someone could still create a custom build of CEF to intercept/modify resource requests. You should code sign all binaries that you distribute to further reduce the chances of that happening.

Electron is not based on CEF so you will need to research that project separately.
magreenblatt
Site Admin
Posts: 12382
Joined: Fri May 29, 2009 6:57 pm
