How do I integrate Perfidies (Browser plug-in vulnerability scanner) into my website?

Perfidies / Plugindir is the client to Mozilla's plugin vulnerability database. I think a variant of this is used here on this site geared for end users.

I would like to redirect any browser that is using an old version of Java, Silverlight, Flash, etc to a "quarantine" page asking them to upgrade their browser before they are permitted to log in.

  • What technical changes do I need to make to accomplish this?

  • What Perfidies specific javascript objects must I become aware of?

  • Are there any deployment concerns or modifications I should make?


makerofthings7 asked Feb 23 '12 04:02



1 Answer

You should provide some more context to your question. I will try to help you, though, by suggesting a way to do this.

You mentioned you want to disallow users from logging in, so I think the best way to do this is to put the validation code in the login page as a JavaScript include. Keep in mind that since the script is executed on the client, there is no guarantee that it will really execute, and an expert user can circumvent your "protection" by e.g. disabling scripting. But if you are in an intranet and generally trust your users, it shouldn't be a big problem.

To learn how to use Perfidies, I recommend looking at the following file, which you should be able to change to your needs (not tested!): https://github.com/ozten/Perfidies-of-the-Web/blob/master/plugincheck_ui.js

The main function to call seems to be Pfs.findPluginInfos(Pfs.UI.navInfo, browserPlugins, incrementalCallbackFn, finishedCallbackFn). In the incrementalCallbackFn you get all vulnerable plugins. If there is one, you can redirect the browser to your page.

See the referenced page to see how to fill the other function-parameters.

Regarding deployment, I would allow some way to skip this verification, because there are always cases in which you want to allow exceptional access. If your boss needs a report in 5 minutes, you don't want to tell him that he has to update his Java version first, just because there was an update yesterday which probably isn't even exploited yet.

So maybe show a big red warning for users trying to access the page, but give them a way to ignore the warning if they choose to...

aKzenT answered Nov 02 '22 06:11

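As an added illustration of the wiring the answer describes (example code, not from the original answer or the Perfidies project): the incremental callback collects whatever Perfidies reports as vulnerable, and the finished callback decides whether to send the browser to a quarantine page, honouring the "ignore the warning" escape hatch the answer recommends. The result-object shape (`status`, `pluginInfo.name`/`version`), the `/quarantine` path and the `acknowledge_risk` flag are assumptions; `browserPlugins` is assumed to be built the way plugincheck_ui.js does it.

```javascript
// Added example, not Perfidies' own code. Assumed callback shape (check
// plugincheck_ui.js before deploying): each incremental result looks like
// { status: "vulnerable" | "latest" | ..., pluginInfo: { name, version } }.
const QUARANTINE_PATH = "/quarantine";   // hypothetical page on your site
const BYPASS_PARAM = "acknowledge_risk"; // hypothetical "ignore warning" flag

// Returns a collector whose `incremental` method fits the
// incrementalCallbackFn slot and keeps only vulnerable plugins.
function makeCollector() {
  const vulnerable = [];
  return {
    incremental(result) {
      if (result && result.status === "vulnerable" && result.pluginInfo) {
        vulnerable.push({
          name: String(result.pluginInfo.name),
          version: String(result.pluginInfo.version),
        });
      }
    },
    vulnerable,
  };
}

// Decide where the browser goes once the scan has finished.
// Returns null when login may proceed, otherwise the redirect target.
// The quarantine page gets the plugin list so it can show what to update;
// the bypass flag lets a user proceed (the server should log that choice,
// since a client-side check is advisory, as the answer notes).
function decideRedirect(vulnerable, currentSearch) {
  if (vulnerable.length === 0) return null;
  const current = new URLSearchParams(currentSearch);
  if (current.get(BYPASS_PARAM) === "1") return null;
  const q = new URLSearchParams();
  q.set("plugins", vulnerable.map((p) => `${p.name}:${p.version}`).join(","));
  return `${QUARANTINE_PATH}?${q.toString()}`;
}

// Wiring to Perfidies; only does anything in a browser where Pfs is loaded.
function runCheck(browserPlugins) {
  if (typeof Pfs === "undefined" || typeof window === "undefined") return;
  const c = makeCollector();
  Pfs.findPluginInfos(Pfs.UI.navInfo, browserPlugins, c.incremental, function () {
    const target = decideRedirect(c.vulnerable, window.location.search);
    if (target) window.location.replace(target);
  });
}
```

Serve the quarantine page without the login form and keep the real access decision on the server; the redirect only steers cooperative browsers.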