November 17, 2005 – 12:13 am
The first “complete” release of my Kiosk Browser application is now ready to be used.
As before, I’m really curious if any of you “security minded” individuals out there can help me think of ways to break this. The basic concept is to allow a computer to be used in a public space for only surfing a limited set of pages and nothing else. There is the assumption that the box itself is locked up, so only the keyboard, mouse, and video is physically available to the user.
I’ve put in a lot of features that are designed to keep the user from doing anything on the system other than surfing the allowed pages within the browser. Some notable highlights include:
- Password required to close the browser
- Limiting browser navigation based on a set of allowed DNS names, as well as pattern restrictions applied to the URL
- Disabling CTRL+ALT+DEL and other key combinations that would normally allow an application to be closed or switched
- Disabling a lot of standard browser functions (right-click, etc)
- Automatically killing any new windows opened
- The ability to load in a completely separate desktop
- The ability to run the browser from the login screen, *without requiring (or allowing) any user to be logged in*.
As I said before, feel free to hammer on it or just theorize about how it may be possible to circumvent these restrictions, so that I will be able to counter any such measures effectively. I think it’s pretty solid right now, but it’s always possible that I’m overlooking something else.
February 18, 2005 – 5:20 pm
I’m debating with myself on whether I should release the Kiosk Browser as open source software (probably on sourceforge.net) or whether I should hold off and possibly try to make some money off of it.
What do you think?
February 18, 2005 – 4:54 pm
The shiny new version of the Kiosk Browser is now available for download.
This was originally announced here, and I recently posted (here) about some bugs which allowed the users to break out of the kiosk mode restrictions.
Now that those are all fixed, the new app is ready for another round of testing. That’s where you, the loyal readers of this blog come in, and try it out (if you’re interested). I’m specifically looking to see whether anyone can “get out” of the kiosk mode when all the restrictions are enabled.
Also, Dan: this is ready to be installed on the Bridge kiosks whenever you get the chance.
February 6, 2005 – 5:20 pm
I have to give credit to DaveZ here, who uncovered an issue in the Kiosk browser (mentioned previously here) which allows the user to get out to a new window. That’s what I get for not really testing it myself much at all. (Although I will say that it’s possible to prevent this specific one if you only allow access to specific pages, and make sure those pages do not contain this vulnerability).
I will plan to fix this today, as well as a couple others I’ve uncovered on my own. I’ll let everyone know how it goes. When the new version is ready, anyone who wants to test it more (and finds a way to get “past it”) will be given credit in the app (along with DaveZ) as a “security tester”.
January 30, 2005 – 5:24 pm
Here is an app I made recently that’s now ready to be released. I would appreciate if anyone would take the time to try to break or “hack” it, if you can.
It’s supposed to lock the user out of any other area on the computer once the kiosk browser is launched, until the correct password is entered or a “hard” reboot is performed (which assumes physical access to the PC). Thanks for any help you can provide!
Kiosk Browser 1.0 - (click for more details and to download)
This application is designed for use in a “kiosk” environment, where the user will have restricted access to only the browser itself, and (optionally) only restricted sites within that browser.
While the browser is loaded, the user will not have access to the desktop, any other applications, or any other part of the system whatsoever.
Special keys which could otherwise be used to get around this restriction (such as ALT+TAB, CTRL+ALT+DEL, CRTL+SHIFT+ESC, etc.) are disabled while the browser is loaded.