Background about my app

I have a browser macro-recording app built with Selenium. Basically users can use Firefox like normal and record their actions into macros to replay.

Question

In Selenium, I can only download files if I whitelist the MIME type. I've found a large txt of MIME types here. To make my automated browser as functional as possible, I'm thinking I can just whitelist all of them.

If I do this, then whenever my browser wants to download something it will not prompt for confirmation and will immediately download it to a pre-determined location.

I'm wondering if whitelisting all MIME types will make my macro-recorder less secure than Firefox would otherwise be. I.e. is there any malicious behavior this opens me up to? I recognize that somebody could download a malicious script as an executable and I could be tricked into opening it. I like to think I would be careful enough not to do this, so for the sake of this question I'm asking about other cases.

max pleaner
  • I can tell you from my own automated browser experience that not really - you can just save them all into folders. It's not like with email that every attachment has to be scanned during delivery and during viewing of the email (client and server-side). The maturity of Firefox and Chrome is pretty much high so it poses very little risk like overwriting files which was the case with Outlook scripts (which then run VBS outside Outlook which then installed malware in Windows). With browser download the risk is a lot lower, especially if it comes specifically to downloading files and not JS. – Aria Aug 03 '16 at 20:22
  • Missing info: what operating system is this running on? Is it running anti-virus? If this is Windows and anti-virus is intercepting all file open system calls, the attack surface will be much larger than "firefox + selenium" (See for example: https://www.engadget.com/2016/06/29/google-symantec-antivirus-flaws-are-as-bad-as-it-gets/ ). Anyway, running this inside a container rather than directly on the host is the way to go if you want to be really safe, even vs zero-day issues. – arielf Aug 03 '16 at 22:57
  • Thanks for the helpful comments. I did forget to say my OS. This is Ubuntu running in a virtualized chroot on top of ChromeOS. The Selenium is being run "headlessly" so this program can work on any Ubuntu server at the moment. – max pleaner Aug 04 '16 at 00:04
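The Firefox download preferences the question is talking about, as an added example that is not from the question or its comments: it builds the Selenium profile settings for a blanket allowlist next to a narrowed one, and flags which entries of a "large txt of mime types" would make executable content save silently. The list of risky types, the sample MIME file and the `/tmp/dl` path are assumptions for this example.

```python
# Added example: Firefox about:config prefs that Selenium applies for silent
# downloads, plus a check of what a blanket MIME allowlist would auto-save.

# Constructed stand-in for the "large txt of mime types" from the question.
SAMPLE_MIME_LIST = """\
text/plain
application/pdf
image/png
application/zip
application/x-msdownload
application/x-sh
application/java-archive
application/octet-stream
"""

# Assumed starting list of types that usually carry executables or scripts;
# extend it for the platforms your macro runner is deployed on.
RISKY_MIME_TYPES = {
    "application/x-msdownload",    # .exe / .dll
    "application/x-msdos-program",
    "application/x-sh",            # shell scripts
    "application/x-shellscript",
    "application/java-archive",    # .jar
    "application/octet-stream",    # opaque binary, could be anything
}

def parse_mime_list(text):
    """Non-empty, non-comment lines of a one-type-per-line MIME list."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def risky_types(mime_types):
    """Entries of the list that would be saved with no confirmation prompt."""
    return sorted(set(mime_types) & RISKY_MIME_TYPES)

def firefox_download_prefs(mime_types, download_dir):
    """Prefs to pass to FirefoxOptions.set_preference(); only the listed
    MIME types skip the save dialog, every other type still prompts."""
    return {
        "browser.download.folderList": 2,          # 2 = use browser.download.dir
        "browser.download.dir": download_dir,      # dedicated, non-executable dir
        "browser.download.useDownloadDir": True,
        "browser.helperApps.neverAsk.saveToDisk": ",".join(sorted(set(mime_types))),
        "pdfjs.disabled": True,                    # save PDFs instead of rendering them
    }

def blanket_prefs(mime_list_text, download_dir):
    """The setup the question proposes: every type in the file is silent."""
    return firefox_download_prefs(parse_mime_list(mime_list_text), download_dir)

def hardened_prefs(mime_list_text, download_dir):
    """Same, minus the types that would drop executables without a prompt."""
    allowed = [m for m in parse_mime_list(mime_list_text) if m not in RISKY_MIME_TYPES]
    return firefox_download_prefs(allowed, download_dir)
```

Apply the returned dict with `opts = webdriver.FirefoxOptions()` and `opts.set_preference(key, value)` for each entry; the download directory should be one the macro user cannot execute from and that nothing else reads.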
