<!doctype html>
<!--
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
-->
<html>
<head>
<title>weinre - Security</title>
<link rel="stylesheet" href="css/main.css" type="text/css">
<link rel="shortcut icon" href="images/weinre-icon-64x64.png" />
</head>
<body>
<div class="ribbon">clone weinre at
<a href="https://git-wip-us.apache.org/repos/asf?p=cordova-weinre.git">apache</a>
</div>
<!-- ======================================================================= -->
<h1 class="page-title">weinre - Security</h1>
<div class="toc">
<a href="Home.html">Home</a>
- <a href="UserInterface.html">User Interface</a>
- <a href="Installing.html">Installing</a>
- <a href="Running.html">Running</a>
- <a href="MultiUser.html">Multi-User</a>
- <a href="Security.html">Security</a>
- <a href="Building.html">Building</a>
- <a href="ChangeLog.html">ChangeLog</a>
- <a href="License.html">License</a>
<p>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
</div>
<p>About security for <span class="weinre">weinre</span>: <b>there is none</b>.
<p>Obviously there should be some. The question is, what do we need to do?
<!-- ======================================================== -->
<h2>Background and potential exposures</h2>
<p>Currently <span class="weinre">weinre</span> uses plain old HTTP - not HTTPS - and performs
no authentication of requests at all.
<p>The primary security exposure with <span class="weinre">weinre</span> is via
the debug server.
<p>Currently, the server only reads files from the weinre-node distribution,
and from the <tt>~/.weinre/</tt> directory (for property files).
The only thing the server writes to is <tt>stdout</tt> and <tt>stderr</tt>.
<p>If you use the default <tt>--boundHost</tt> option value of
<tt>localhost</tt>, then any software on the machine running the debug
server can communicate with the debug server. This probably isn't a big
deal, since presumably you control the software running on that machine.
<p>If you use a non-default <tt>--boundHost</tt> option value,
then <b>any software on any machine that can access that specified
host can communicate with the debug server</b>. This is a much bigger
deal.
<p>The most obvious exposure when using <tt>--boundHost</tt> with
a specific hostname / IP address is that any debug client or
debug target that can reach that hostname / IP address can reach
the server. For example, a rogue debug client could connect to
your debug target and fiddle about with it.
<p>Other exposures include leaving a debug target injection
script line (i.e., <tt>&lt;script src="[...]/target/target-script.js"&gt;</tt>)
in your web page, so that the web page then connects to a rogue debug
server running at that address.
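<p>As an added example, not part of weinre, a small Node script that checks for both exposures described above before a page is shipped: it classifies a <tt>--boundHost</tt> value (loopback, wildcard or network-reachable are my own categories) and scans page HTML for leftover injection lines, assuming any <tt>/target/target-script*.js</tt> URL is one. The sample page is constructed.

```javascript
// Added example, not part of weinre: pre-deploy checks for the two exposures
// described above. The bound-host categories and the assumption that the
// injection line is any "/target/target-script*.js" URL are mine.
const LOOPBACK = new Set(["localhost", "127.0.0.1", "::1", "[::1]"]);
const WILDCARD = new Set(["0.0.0.0", "::", "[::]"]);

// Classify a --boundHost value. weinre's default, "localhost", confines the
// debug server to the machine it runs on; a wildcard address exposes it on
// every interface; any other host makes it reachable from the network.
function classifyBoundHost(boundHost) {
  const host = String(boundHost || "localhost").trim().toLowerCase();
  if (LOOPBACK.has(host)) return "local-only";
  if (WILDCARD.has(host)) return "all-interfaces";
  return "network-reachable";
}

// Report every leftover weinre injection line in a page and where it points,
// so a page is not shipped still talking to a debug server.
function findTargetScripts(html) {
  const findings = [];
  const scriptTag = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const src = m[1];
    if (!/\/target\/target-script[^/?#]*\.js(?:[?#]|$)/i.test(src)) continue;
    let host = "(same-origin)"; // relative src: served by whoever served the page
    if (/^[a-z][a-z0-9+.-]*:\/\//i.test(src) || src.startsWith("//")) {
      try {
        host = new URL(src.startsWith("//") ? "http:" + src : src).hostname;
      } catch (e) {
        host = "(unparseable)";
      }
    }
    const exposure = host.startsWith("(") ? host.slice(1, -1) : classifyBoundHost(host);
    findings.push({ src, host, exposure });
  }
  return findings;
}

// Constructed sample page: one injection line still pointing at a developer's
// local server, one at a network-reachable host, and an unrelated script.
const SAMPLE_HTML = `
<html><head>
<script src="http://localhost:8080/target/target-script.js#anonymous"></script>
<script src="http://198.51.100.7:8080/target/target-script.js#anonymous"></script>
<script src="/js/app.js"></script>
</head><body></body></html>`;

console.log(JSON.stringify(findTargetScripts(SAMPLE_HTML), null, 2));
```

Run it over each HTML file of a build; any finding whose exposure is not <tt>local-only</tt> points at a debug server reachable by others, and even a <tt>local-only</tt> finding means the page still carries debug code.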
<!-- ======================================================== -->
<h2>Future Implementation Ideas</h2>
<ul class="spaced">
<li>Let's chat
</ul>
</body>
</html>