Security/Plug-n-hack: Difference between revisions
< Security
Jump to navigation
Jump to search
(Added content on pnh plans) |
No edit summary |
||
| Line 9: | Line 9: | ||
* Phase 1 (q2/3 2013): | * Phase 1 (q2/3 2013): | ||
** Allow a browser to be configured to use a security tool with minimal effort | ** Allow a browser to be configured to use a security tool with minimal effort | ||
*** Proxy configuration | |||
*** Proxy certificate import for SSL termination | |||
** Allow tool configurations to be managed | ** Allow tool configurations to be managed | ||
** Allow tool functionality to be exposed via browser UI | ** Allow tool functionality to be exposed via browser UI | ||
| Line 14: | Line 16: | ||
* Phase 2 (q3/q4 2013): | * Phase 2 (q3/q4 2013): | ||
** Provide some access to the DOM from external security tools via a probe (e.g. injected via bookmarklet or by a security proxy) | ** Provide some access to the DOM from external security tools via a probe (e.g. injected via bookmarklet or by a security proxy) | ||
*** Document load / reload in place | |||
*** PostMessage interception / replay | *** PostMessage interception / replay | ||
**** window.postMessage proxying via javascript for on-origin iframes | |||
**** DOM manipulation for iFrame replacement with postMessage proxying for off-origin iframes | |||
*** Event inspection | *** Event inspection | ||
* Phase 3 (q4 2013): | * Phase 3 (q4 2013): | ||
** Define configurations and interfaces for browser | ** Define configurations and interfaces for in-browser versions of the existing probe functionality | ||
** | ** Experiment with event manipulation and replay | ||
** Experiment with ringleader impl of interface and configuration | |||
* Phase 4 (q1 2014) | |||
** Fuzzing via event record and replay | |||
** Remote probe configuration | |||
*** Enable / disable monitoring / interception | |||
'''Tool support''' | '''Tool support''' | ||
Latest revision as of 16:42, 7 January 2014
Plug-n-hack is an effort to make your browser play nicely with the security tools you use.
Current Documentation can be found here
Plans
Plug-n-hack is an ongoing effort.
- Phase 1 (q2/3 2013):
- Allow a browser to be configured to use a security tool with minimal effort
- Proxy configuration
- Proxy certificate import for SSL termination
- Allow tool configurations to be managed
- Allow tool functionality to be exposed via browser UI
- Allow a browser to be configured to use a security tool with minimal effort
- Phase 2 (q3/q4 2013):
- Provide some access to the DOM from external security tools via a probe (e.g. injected via bookmarklet or by a security proxy)
- Document load / reload in place
- PostMessage interception / replay
- window.postMessage proxying via javascript for on-origin iframes
- DOM manipulation for iFrame replacement with postMessage proxying for off-origin iframes
- Event inspection
- Provide some access to the DOM from external security tools via a probe (e.g. injected via bookmarklet or by a security proxy)
- Phase 3 (q4 2013):
- Define configurations and interfaces for in-browser versions of the existing probe functionality
- Experiment with event manipulation and replay
- Experiment with ringleader impl of interface and configuration
- Phase 4 (q1 2014)
- Fuzzing via event record and replay
- Remote probe configuration
- Enable / disable monitoring / interception
Tool support
Browser support for PnH is provided by the Ringleader Firefox extension which can be found here.
A (fairly rudimentary) implementation of the DOM probe for external applications exists here
A number of tools make use of Plug-n-hack, notably: