security - Dave's Blog

Search

Windows.Web.UI.Interop.WebViewControl localhost access

Jul 25, 5:34

If you're developing with the new Windows.Web.UI.Interop.WebViewControl you may have noticed you cannot navigate to localhost HTTP servers. This is because the WebViewControl's WebView process is a UWP process. All UWP processes by default cannot use the loopback adapter as a security precaution. For development purposes you can allow localhost access using the checknetisolation command line tool on the WebViewControl's package just as you can for any other UWP app. The command should be the following:

checknetisolation loopbackexempt -a -n=Microsoft.Win32WebViewHost_cw5n1h2txyewy

As a warning checknetisolation is not good on errors. If you attempt to add a package but get its package family name wrong, checknetisolation just says OK:

C:\Users\davris>checknetisolation LoopbackExempt -a -n=Microsoft.BingWeather_4.21.2492.0_x86__8wekyb3d8bbwe
OK.
And if you then list the result of the add with the bad name you'll see the following:
[1] -----------------------------------------------------------------
Name: AppContainer NOT FOUND
SID: S-1-15-...

There's also a UI tool for modifying loopback exemption for packages available on GitHub and also one available with Fiddler.

As an additional note, I mentioned above you can try this for development. Do not do this in shipping products as this turns off the security protection for any consumer of the WebViewControl.

PermalinkCommentschecknetisolation loopback security uwp webview win32webview

Tweet from SwiftOnSecurity

2016 Oct 13, 11:02
Give flair to users with 2FA turned on. Make it a status symbol, then public shaming takes over. "U don't have 2FA what if you get hacked?"
PermalinkComments

Tweet from emily schechter

2016 Sep 8, 1:12
in Chrome 56, we'll mark HTTP pages with password or credit card form fields as "not secure". turn on HTTPS before! https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html 
PermalinkComments

WPAD Server Fiddler Extension Source

2016 Aug 5, 3:18

I've put my WPAD Fiddler extension source and the installer on GitHub.

Six years ago I made a WPAD DHCP server Fiddler extension (described previously and previously). The extension runs a WPAD DHCP server telling any clients that connect to connect to the running Fiddler instance. I've finally got around to putting the source on GitHub. I haven't touched it in five or so years so this is either for posterity or education or something.

PermalinkCommentsdhcp fiddler network security wpad

Windows Store App WebView Cross Origin XMLHttpRequest Behavior

2016 Jun 2, 6:45

TL;DR: Web content in a JavaScript Windows Store app or WebView in a Windows Store app that has full access to WinRT also gets to use XHR unrestricted by cross origin checks.

By default web content in a WebView control in a Windows Store App has the same sort of limitations as that web content in a web browser. However, if you give the URI of that web content full access to WinRT, then the web content also gains the ability to use XMLHttpRequest unrestricted by cross origin checks. This means no CORS checks and no OPTIONS requests. This only works if the web content's URI matches a Rule in the ApplicationContentUriRules of your app's manifest and that Rule declares WindowsRuntimeAccess="all". If it declares WinRT access as 'None' or 'AllowForWebOnly' then XHR acts as it normally does.

In terms of security, if you've already given a page access to all of WinRT which includes the HttpRequest class and other networking classes that don't perform cross origin checks, then allowing XHR to skip CORS doesn't make things worse.

PermalinkCommentsjavascript uwa uwp web webview windows winrt xhr

Retweet of Snowden

2016 Feb 23, 9:19
@SwiftOnSecurity @thegrugq What if you have a lot of NSA rootkit problems? Asking for a friend.
PermalinkComments

Retweet of SwiftOnSecurity

2016 Feb 16, 5:06
#MustRead Apple CEO Tim Cook's letter to customers on FBI's request for assistance hacking an iPhone 5c http://www.apple.com/customer-letter/ …
PermalinkComments

Retweet of SwiftOnSecurity

2016 Feb 10, 11:21
The speed of light suuuuuucks
PermalinkComments

Let's Encrypt NearlyFreeSpeech.net Setup

2016 Feb 4, 2:48

2016-Nov-5: Updated post on using Let's Encrypt with NearlyFreeSpeech.net

I use NearlyFreeSpeech.net for my webhosting for my personal website and I've just finished setting up TLS via Let's Encrypt. The process was slightly more complicated than what you'd like from Let's Encrypt. So for those interested in doing the same on NearlyFreeSpeech.net, I've taken the following notes.

The standard Let's Encrypt client requires su/sudo access which is not available on NearlyFreeSpeech.net's servers. Additionally NFSN's webserver doesn't have any Let's Encrypt plugins installed. So I used the Let's Encrypt Without Sudo client. I followed the instructions listed on the tool's page with the addition of providing the "--file-based" parameter to sign_csr.py.

One thing the script doesn't produce is the chain file. But this topic "Let's Encrypt - Quick HOWTO for NSFN" covers how to obtain that:

curl -o domain.chn https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

Now that you have all the required files, on your NFSN server make the directory /home/protected/ssl and copy your files into it. This is described in the NFSN topic provide certificates to NFSN. After copying the files and setting their permissions as described in the previous link you submit an assistance request. For me it was only 15 minutes later that everything was setup.

After enabling HTTPS I wanted to have all HTTP requests redirect to HTTPS. The normal Apache documentation on how to do this doesn't work on NFSN servers. Instead the NFSN FAQ describes it in "redirect http to https and HSTS". You use the X-Forwarded-Proto instead of the HTTPS variable because of how NFSN's virtual hosting is setup.

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

Turning on HSTS is as simple as adding the HSTS HTTP header. However, the description in the above link didn't work because my site's NFSN realm isn't on the latest Apache yet. Instead I added the following to my .htaccess. After I'm comfortable with everything working well for a few days I'll start turning up the max-age to the recommended minimum value of 180 days.

Header set Strict-Transport-Security "max-age=3600;" 

Finally, to turn on CSP I started up Fiddler with my CSP Fiddler extension. It allows me to determine the most restrictive CSP rules I could apply and still have all resources on my page load. From there I found and removed inline script and some content loaded via http and otherwise continued tweaking my site and CSP rules.

After I was done I checked out my site on SSL Lab's SSL Test to see what I might have done wrong or needed improving. The first time I went through these steps I hadn't included the chain file which the SSL Test told me about. I was able to add that file to the same files I had already previously generated from the Let's Encrypt client and do another NFSN assistance request and 15 minutes later the SSL Test had upgraded me from 'B' to 'A'.

PermalinkCommentscertificate csp hsts https lets-encrypt nearlyfreespeech.net

Retweet of iainthomson

2016 Jan 25, 10:04
What computer users see in security warning boxes #enigma2016 Very, very true. pic.twitter.com/8V4SlGwKAV
PermalinkComments

Retweet of SwiftOnSecurity

2016 Jan 2, 6:04
Adware uses Fiddler libraries to proxy HTTPS traffic and inject ads (cc @ericlaw) http://blog.malwarebytes.org/security-threat/2016/01/websearcher-pup-applies-proxy-lockdown/ …
PermalinkComments

Retweet of SwiftOnSecurity

2015 Dec 23, 7:28
Does the NSA actually hack anybody, or do they just make PowerPoint presentations
PermalinkComments

Retweet of SwiftOnSecurity

2015 Nov 15, 11:34
@snowden please stop teaching terrorists how to encrypt their communications with PlayStation 4
PermalinkComments

Retweet of FTC

2015 Nov 4, 6:03
Our #StartWithSecurity workshop starts now. Watch live: https://player.streamspot.com/simple/live.php?cn=f9a676ee&aspect=true&w=1280&h=720&noArchiveBtn=true&noLiveBtn=true … Agenda: https://www.ftc.gov/news-events/events-calendar/2015/11/start-security-austin …
PermalinkComments

Retweet of marypcbuk

2015 Nov 1, 10:45
@SwiftOnSecurity monthly subscription. not being run over as a service
PermalinkComments

Retweet of SwiftOnSecurity

2015 Nov 1, 10:18
"Should driverless cars kill their occupants to save pedestrians?" Humans will evolve to walk in packs for protection. Time is a circle.
PermalinkComments

Retweet of SwiftOnSecurity

2015 Oct 8, 2:17
LAUGHING MY ASS OFF http://arstechnica.com/tech-policy/2015/10/volkswagen-pulls-2016-diesel-lineup-from-us-market/ … pic.twitter.com/F0CYPjwxbs
PermalinkComments

Retweet of olemoudi

2015 Sep 18, 4:21
Shell-XSS: Never trust cat again http://openwall.com/lists/oss-security/2015/09/17/5 …
PermalinkComments

Retweet of SwiftOnSecurity

2015 Aug 16, 1:09
.@realnzall Don't worry, Tay has a physical hard drive wiper with verification pass and optional label printer 😁 pic.twitter.com/PgAqBKXgCH
PermalinkComments

Tweet from David_Risney

2015 Aug 11, 11:19
James Mickens funny and pessimistic talk "Not Even Close: The State of Computer Security" from NDC June 2015 https://vimeo.com/135347162 
PermalinkComments
Older Entries Creative Commons License Some rights reserved.