mindedsecurity / behave Goto Github PK

I am not entirely sure if this is a bug or intented behaviour, but Behave! detects sites accessing resources from IPFS when using a local gateway (IPFS Desktop and IPFS Companion) and I think there should possibly be an option to whitelist it as it's the expected behaviour of IPFS Companion.

Example steps:

1. Install IPFS Desktop from https://github.com/ipfs-shipyard/ipfs-desktop/releases/
2. Install IPFS Companion (browser-extension) from https://addons.mozilla.org/firefox/addon/ipfs-companion/ or https://chrome.google.com/webstore/detail/ipfs-companion/nibjojkomfdiaoajekhjakgkdhaomnch
3. Select IPFS Companion from browser toolbar and click on "Go To My Node" and Behave! will warn about access to 127.0.0.1:5001 (IPFS default API port).
4. Alternatively visit a webiste such as mine, https://mikaela.info/, which fetches resources (in my case my avatar and favicon) from IPFS and Behave! warns about mikaela.info accessing 127.0.0.1:8080 (default IPFS Gateway port).
   • when the user isn't using IPFS Companion and IPFS Desktop/daemon, the site currently makes requests to ipfs.dweb.link instead. The purpose of IPFS Companion is to redirect the request to local gateway instead of a public one.

Please make a XPI file for this addon because I cannot install it on Basilisk browser
I have tried to copy paste the XPI file from Firefox extensions folder but it seems not to be supported.
maybe I am wrong and I should first contact the person behind Basilisk @mattatobin

Describe the bug
I have defined a proxy that uses an rfc1918 address (configured via addon foxyproxy but that is probably not relevant)
now every website I access (including mindedsecurity.com ...) is flagged as accessing private IPs

Desktop (please complete the following information):

• OS: Linux
• Browser Firefox
• Version 78.0.1

To Reproduce
Steps to reproduce the behavior:

1. Configure a proxy, for example squid on the same host or another in the local LAN
2. Define the proxy host /port in firefox or via an addon such as foxyproxy
3. Access any website
4. The arbitrary site is flagged accessing a local IP which is the proxy port

Please note foxyproxy allows different proxies for different (parts of) websites (hosted on different domains), so actually I see two local IPs being accessed, the one for a squid proxy and the other for a polipo / tor proxy.

Expected behavior

It should potentially be possible to detect a proxy (or more) is (are) being configured an internally whitelist that (those) host / port (s).

Screenshots
n/a

Additional context
n/a

Greetings

Thanks for your work with this extension!

I'd like to make one suggestion please:
to consider adding another column with the timestamps of each log entry,
and group(by the common host) the consecutive entries as a single collapsible entry (as a distinct "event").

This is what I have in mind (based on the main page screenshot):

Target IP:Port     Target Host                 From Host      Timestamp
127.0.5.1:43534    127.0.5.1                   at.tack.er     21:00:00
127.0.5.1:43534    127.0.5.1                   at.tack.er     21:00:00
127.0.5.1:http:    project.127.0.5.1.xip.io    at.tack.er     21:00:00
127.0.5.1:43534    127.0.5.1                   at.tack.er     21:00:01
127.0.5.1:http:    project.127.0.5.1.xip.io    at.tack.er     21:00:01
127.0.130.1:http:  project.127.0.130.1.xip.io  at.tack.er     21:00:01

which collapsed would become:

Target IP:Port     Target Host                 From Host      Timestamp
     1 event/6 entries                         at.tack.er     21:00:00
          \/                                       \/            \/

This would make the logs easier to scan.

Thank you

Hello. First and foremost, I really like this extension, so good job.

As I tried to use this extension in my everyday browser, I identified the need to be able to disable it in certain pages, since it becomes impossible to use in development environments (localhost).

Thanks!

In the logs tab, after a DNS Rebinding attack, the initiator host is overwritten with the latest request initiator.

Firefox from time to time seems to not populate details.ip and sets it to null.
Chrome/Chromium, so far, has always set details.ip.

https://github.com/mindedsecurity/behave/blob/master/background.js#L481

chrome.webRequest.onResponseStarted.addListener(function (details) {
  if (shouldMonitor()) {
    const requestInfo = requestMap[details.requestId];
    if (details.tabId !== -1 && requestInfo) {
      debuglog(details, requestInfo);

      maybeRebinding(details.ip, requestInfo);
[...]

This might lead to False Positives or False Negatives on Firefox - and maybe Edge too.

When hitting reset button, hostname data collected is not reset to an empty object resulting Behave to keep alerting about DNS Rebinding.

hi
on firefox regarded i have notifications enabled i dont get any notification tested with the websites you recomend but nothing pop ups.

Describe the bug

I opened Edge today and was given a prompt that an extension has been disabled for being malware and going to extensions says that it has been removed from Chrome Web Store due to being untrusted.

Tämä laajennus on poistettu käytöstä, koska Chrome Web Store on merkinnyt sen epäluotettavaksi.

The extension link is also 404 error.

Desktop (please complete the following information):

• OS: Fedora 35
• Browser: Microsoft Edge
• Version: 98.0.1108.43 (Virallinen koontiversio) (64-bittinen)

To Reproduce

N/A

Expected behavior

Not being detected as malware.

Screenshots

N/A

Additional context

N/A

Hey there,
apps like pgAdmin hosted locally trigger the portscanning and rebind monitoring (Tested in firefox, dont know about chrome).

Portscan log:

DNS Rebind log:

I don't know if this expected behaviour, but either disabling the monitoring for localhost or allowing the user to manage a whitelist would prob. mitigate this problem.

Please add locale support for translating to other languages.

This addon is great for anyone who is not using a hosts file or some other router host based blocker, which results in false positives cluttering this addon's logs, please consider adding an option to disable individual scanning components to help alleviate false positives... and please consider adding ability to whitelist specific ips to eliminate false positives.

Due to the lack of limit of the locally collected data when the popup is opened a table is created according to the data list, resulting in rendering delays which would eventually block the popup, making the extension unusable.

Sigh. In title: flag, not flab.

Firefox 82.0.2 and several previous versions.
Windows 10 Pro 1909
Behave! 0.9.7.1

There's never been that little red alert flag for the toolbar icon as shown in the screenshot at addons.mozilla.

Thanks for Behave!