
#1 2024-10-18 22:43:33

ThoughtBubble
Member
Registered: 2024-07-09
Posts: 50

[SOLVED] Do browsers have full access to our file system?

Can a website read, write, and execute (if file is valid) any file on the user's file system without the user ever knowing about it? Is there a way I can limit the directories my browsers (Chrome & Firefox) would have access to?

Last edited by ThoughtBubble (2024-10-19 18:16:05)


#2 2024-10-18 22:47:55

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,320

Re: [SOLVED] Do browsers have full access to our file system?

In general, it has the same privilege as the user running it.  The browser itself may impose further restrictions on what the browsed content can do.

Beyond that, there are various ways to sandbox a browser:   https://wiki.archlinux.org/title/Category:Sandboxing


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#3 2024-10-18 23:15:59

cryptearth
Member
Registered: 2024-02-03
Posts: 1,216

Re: [SOLVED] Do browsers have full access to our file system?

well - a browser usually doesn't have methods for open or execute local files - and neither the html nor acme standards offer any ways a web page could do such things
when going back in time to internet explorer and activeX that's a different story - but M$ designed it this way to further utilize the already deeply interwoven active stuff of IE into windows in the win98 times and further extended it to office
the regular file form field is a bit tricky: it's part of a regular html form and is designed to take one or more files which are sent to the server when the form is submitted - but this is a one-way function and pretty much the reverse to downloading a file from a server

btw - is there anything you're concerned about? browsers exist since about the late 80s - people have a couple of decades of experience how to design them - and the standards for the languages websites are written in


#4 2024-10-18 23:43:27

ThoughtBubble
Member
Registered: 2024-07-09
Posts: 50

Re: [SOLVED] Do browsers have full access to our file system?

cryptearth wrote:

well - a browser usually doesn't have methods for open or execute local files - and neither the html nor acme standards offer any ways a web page could do such things
when going back in time to internet explorer and activeX that's a different story - but M$ designed it this way to further utilize the already deeply interwoven active stuff of IE into windows in the win98 times and further extended it to office
the regular file form field is a bit tricky: it's part of a regular html form and is designed to take one or more files which are sent to the server when the form is submitted - but this is a one-way function and pretty much the reverse to downloading a file from a server

btw - is there anything you're concerned about? browsers exist since about the late 80s - people have a couple of decades of experience how to design them - and the standards for the languages websites are written in

Let's say I have a URL that I am not sure whether it is safe or not. But I would like to validate whether it is safe. The URL is supposed to download a file. How can I validate it in a safe manner?


#5 2024-10-18 23:45:27

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,320

Re: [SOLVED] Do browsers have full access to our file system?

cryptearth wrote:

well - a browser usually doesn't have methods for open or execute local files -

Well, browsing to file://boot/vmlinuz-linux just downloaded my kernel to my downloads directory.



#6 2024-10-19 00:09:05

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,330
Website

Re: [SOLVED] Do browsers have full access to our file system?

The browser can certainly open local content, but (in a properly functioning browser) no content from a remote server could open / read local content directly.  Some local content can be read indirectly through specific browser mechanisms such as cookies, browser "local storage", and the like.

Of course, as browsers do more and more, many of the added "features" are really nothing more than a relaxing of security to allow remote content to do more and more (cookies and local storage didn't always exist).


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman


#7 2024-10-19 00:51:15

S3riousOne
Member
Registered: 2024-10-19
Posts: 1

Re: [SOLVED] Do browsers have full access to our file system?

If it's a flatpak app you can control its access with flatseal, not sure if the app will work correctly after though.


#8 2024-10-19 07:50:12

mesaprotector
Member
Registered: 2024-03-03
Posts: 170

Re: [SOLVED] Do browsers have full access to our file system?

You can also use an apparmor profile (which are easy enough to set up) to block an application from doing something "unexpected". SELinux, another program for access control, is probably more powerful than apparmor but hard to use, especially outside of the RHEL family where it comes from.


#9 2024-10-19 08:06:43

cryptearth
Member
Registered: 2024-02-03
Posts: 1,216

Re: [SOLVED] Do browsers have full access to our file system?

@ewaller
as you brought it up here a dissection of how a browser feeds data into its render engine:
after parsing the url first the protocol is checked to determine the handler to be used for further processing the given url
in case of file:// the handler generates a pseudo stub header which causes the render engine to open the file dialog to save a download

my point was:
as http is a stateless protocol and the connection is terminated between each site request there's no constant active open connection to the server
also: although several languages can come into play to write a modern website it comes down mostly to html and javascript - neither of these languages have any kind of open() or exec() methods which would allow them to read arbitrary local files or instruct the browser to execute them

@OP
I still don't get the threat vector here
the server's response is either nonsense - by which any browser should just reject it due to a malformed header - it responds with a valid header that causes the browser try to display it as normal page - or it responds with a valid header that causes the browser to open a file chooser to download a file

you can however use tools like curl or wget and only get the header and the first few bytes to check whether what's supposed to be a regular webpage really starts with valid html instead of some binary - but I smell an xy problem here and a badly phrased question

do you want to know whether the file you're supposed to download is safe? that you can only check after you got the file
otherwise your question doesn't make much sense

Offline
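Added example, not part of cryptearth's post: a sketch of the "header plus first few bytes" check described above, comparing the declared Content-Type with what the body actually starts with. It assumes the header and prefix were already fetched (for instance with `curl -I` and `curl -r 0-63`); the function names and the sample data are constructed for illustration.

```python
# Added example: classify the first bytes of a response and compare them
# with the Content-Type the server declared. Sample data below is constructed.

# Well-known file signatures (magic numbers) for common binary formats.
MAGIC = [
    (b"\x7fELF", "elf"),        # Linux executable / shared object
    (b"MZ", "pe"),              # Windows executable
    (b"PK\x03\x04", "zip"),     # zip, also jar/apk/docx
    (b"\x1f\x8b", "gzip"),
    (b"%PDF-", "pdf"),
    (b"#!", "script"),          # shebang script
]

def sniff(prefix: bytes) -> str:
    """Guess what a body is from its first bytes."""
    for magic, name in MAGIC:
        if prefix.startswith(magic):
            return name
    # Skip a UTF-8 BOM and leading whitespace before looking for markup.
    text = prefix.removeprefix(b"\xef\xbb\xbf").lstrip().lower()
    if text.startswith((b"<!doctype html", b"<html", b"<head", b"<body")):
        return "html"
    if b"\x00" in prefix:
        return "binary"
    return "text"

def check(content_type: str, prefix: bytes) -> tuple[str, bool]:
    """Return (sniffed kind, True if it matches the declared Content-Type)."""
    declared = content_type.split(";")[0].strip().lower()
    kind = sniff(prefix)
    expected = {
        "text/html": {"html"},
        "text/plain": {"text"},
        "application/pdf": {"pdf"},
        "application/zip": {"zip"},
        "application/gzip": {"gzip"},
    }
    # Unknown declared types are never treated as a match.
    return kind, kind in expected.get(declared, set())

# Constructed samples: (declared Content-Type, first bytes of the body).
SAMPLES = [
    ("text/html; charset=utf-8", b"\n<!DOCTYPE html><html><head>"),
    ("text/html", b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8),
    ("application/pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
]

if __name__ == "__main__":
    for ctype, head in SAMPLES:
        print(ctype, "->", check(ctype, head))
```

A mismatch only shows that the server's label and the content disagree; a matching prefix says nothing about whether the rest of the file is safe.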

#10 2024-10-19 15:45:32

Succulent of your garden
Member
Registered: 2024-02-29
Posts: 129

Re: [SOLVED] Do browsers have full access to our file system?

Some options that you can use ThoughtBubble:

1) If the hyperlink ref is a webpage and not the downloading of the file, you can use curl to get the html, the css and js content and see if there is something wrong. Assuming you know how to read javascript of course.

2) You can go with a browser which denies every javascript if you think that the only most bad thing could happen is from a ts/js made script. Also maybe you could deny downloads of any image. Most browsers could be configured to do that, but maybe I don't recommend this if you have some worries about the webpage. Maaaaybe you can use lynx since doesn't run js if i'm not remembering wrong, but in that case maybe is better to just curl the webpage.

3) You can create a pihole dns-router with docker, and then attach a vm with full hardware virtualization to that container as dns. Go to github and check a very or many good pihole lists to block any ip or malicious known websites, do the second item to your browser before enter to the webpage or just curl it if you think is better. If you download a binary, go to virus total and submit the binary, and see the results. If you are going to do this, then a good idea is to had created the vm in a hdd drive to use the shred command to delete the file and the vm, since ssd needs to trim to be sure of data elimination. If you are really worry try to setup the vm with openbsd.

4) If i'm not wrong you can send a webpage link to virustotal to check if could be something wrong, but i'm not sure. Anything you send to virustotal is visible to anyone btw by default and free usage.

So the general idea is to avoid execution of javascript code and binary in your machine in the process, while denying traffic with the pihole container. The openbsd machine since doesn't use the coreutils and kernel from linux, maybe could bring you some safe setup to check and send the file to virus total i guess instead of a linux machine, and because is openbsd.

Hope this helps.

Last edited by Succulent of your garden (2024-10-19 15:48:03)


#11 2024-10-19 15:46:00

ThoughtBubble
Member
Registered: 2024-07-09
Posts: 50

Re: [SOLVED] Do browsers have full access to our file system?

cryptearth wrote:

@OP
I still don't get the threat vector here
the server's response is either nonsense - by which any browser should just reject it due to a malformed header - it responds with a valid header that causes the browser try to display it as normal page - or it responds with a valid header that causes the browser to open a file chooser to download a file

you can however use tools like curl or wget and only get the header and the first few bytes to check whether what's supposed to be a regular webpage really starts with valid html instead of some binary - but I smell an xy problem here and a badly phrased question

do you want to know whether the file you're supposed to download is safe? that you can only check after you got the file
otherwise your question doesn't make much sense

Sorry, my thoughts were not put together properly. Let me start from ground zero. What could happen if I entered a bad URL in the address bar?


#12 2024-10-19 15:54:55

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,330
Website

Re: [SOLVED] Do browsers have full access to our file system?

ThoughtBubble wrote:

What could happen if I entered a bad URL in the address bar?

You'd view the wrong page / resource.  What are you worried might happen?  Putting in the wrong address couldn't grant any remote system access to your filesystem.

Last edited by Trilby (2024-10-19 16:03:00)



#13 2024-10-19 16:06:33

Succulent of your garden
Member
Registered: 2024-02-29
Posts: 129

Re: [SOLVED] Do browsers have full access to our file system?

ThoughtBubble wrote:

Sorry, my thoughts were not put together properly. Let me start from ground zero. What could happen if I entered a bad URL in the address bar?

Web page are done in html+css+ts/js . Maybe in some cases css could be use to hack someone in a very strange way, you should be worried mostly by the javascript files, where most of the bad things that could happen to you could happen. After that you can expect anything, from a cryptominer to a remote code execution which maybe could get a root level access. Since you don't trust the webpage some rendering of image could also be use. But in many case the bad things could happen with the js.

but there are some ways as some people are suggesting to download the content, you can just use curl to fetch the content of the webpage and inspect what it is. Since you are worried about what could have, I suggest to use the vm with openbsd as I said in the last post with the pihole configuration, only if you really need to download the file by some reason.  Then you can send it to virus total to check if it is potentially malicious or not ( Not 100% of success btw). If you do this with all the content in a hard drive you can delete it with "shred -zu"  which is going to delete the file and the inodes, in ssd is more complex to delete 100% a file. In this context you should be able to check all the traffic of the vm, and also you can deny all the incoming requests, unless you are going to download a pretty bad one file, since virtualization and containers could be exited by programs in some cases.

So if you are new to all of this, maybe I suggest to not download the file, or learn to do it, because you need to know how to setup containers without root user and among other things.

Nevertheless wait until other people came and post in this thread, so you can be pretty sure that you are going to do the things well.

EDIT: Btw, there is a webpage that's named whois.com to make domain lookups. There you can see the registration of the webpage and its information, if there is few information in the query be suspect, but if there is a name of a person and contact number among other things, then there is a possibility that your webpage is not so bad, or not bad at all. Or just a very retarded hacker person XD. But it's additional information that you can have, and can help you to make your choices i guess.

Last edited by Succulent of your garden (2024-10-19 16:21:31)


#14 2024-10-19 16:17:41

cryptearth
Member
Registered: 2024-02-03
Posts: 1,216

Re: [SOLVED] Do browsers have full access to our file system?

ThoughtBubble wrote:

What could happen if I entered a bad URL in the address bar?

in the best case: nothin - because it's invalid
in the worst case: nothin - because every time you browse to any url you send a request to some remote endpoint and retrieve ("download") whatever that endpoint replies with - and hence it depends what you DO with whatever you get from the remote endpoint

if, for some reason, you use code that does have some capabilities to grant some garbage you got from some remote endpoint access to local files or even to execute binaries - well, then this is a mix of both: the "browser" you used and the facts that it a) implements such "features" and b) does allow it
which gets me back to what I already replied: unless you get some shady infiltrated modified version of some popular browser which does have such a backdoor which works in combination with special code coming from a specific endpoint - but the regular versions of chrome, firefox, safari - then you're pretty safe because their devs know how to properly implement given standards, mostly HTML, CSS and JavaScript along a few other neat features like WebSockets - and these languages just don't have any function in them like "open local file X" or "execute binary Y"
does this make them safe? of course not - and when you search about how modern game consoles get hacked: it's often the browser which is the attack vector - because they have some kind of bug which the community not just knows about but also knows how to exploit it to break the system to allow running homebrew code

so - effectively - yes, when someone knows how to exploit a vulnerability in the browser you use and is able to trick you to browse to a malicious url - sure it could end up in a reverse shell with root privileges - but for your daily browsing that risk can be neglected


#15 2024-10-19 18:15:48

ThoughtBubble
Member
Registered: 2024-07-09
Posts: 50

Re: [SOLVED] Do browsers have full access to our file system?

cryptearth wrote:
ThoughtBubble wrote:

What could happen if I entered a bad URL in the address bar?

in the best case: nothin - because it's invalid
in the worst case: nothin - because every time you browse to any url you send a request to some remote endpoint and retrieve ("download") whatever that endpoint replies with - and hence it depends what you DO with whatever you get from the remote endpoint

This answers my question. Thank you.
