threat-modeling.md

Threat Model Analysis for hakimel/reveal.js

Threat: Malicious Plugin Execution

• Threat: Malicious Plugin Execution
  • Description: An attacker convinces a presentation author to install a malicious reveal.js plugin, or exploits a vulnerability in a legitimate plugin to inject malicious code. The attacker's code could then steal data, manipulate the presentation, or attack the viewer's browser. This is a direct threat because reveal.js's plugin system is the attack vector.
  • Impact:
    • Data breach (presentation content, speaker notes).
    • Presentation defacement or manipulation.
    • Client-side attacks (XSS, drive-by downloads).
    • Loss of user trust.
  • Affected Component: Plugin system (Reveal.registerPlugin, plugin loading mechanism).
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Plugin Vetting: Only install plugins from trusted sources (official reveal.js plugins, reputable developers). Carefully review plugin code before installation.
    • Regular Updates: Keep all plugins updated to the latest versions to patch known vulnerabilities.
    • Content Security Policy (CSP): Implement a strict CSP to limit the capabilities of plugins (e.g., restrict network access, prevent inline script execution). This is crucial for mitigating malicious plugin actions.
    • Sandboxing: If possible, run plugins in a sandboxed environment (e.g., using iframes with the sandbox attribute) to limit their access to the main presentation context.
    • Least Privilege: Configure plugins with the minimum necessary permissions.

Threat: postMessage API Exploitation

• Threat: postMessage API Exploitation
  • Description: If reveal.js or a plugin uses the postMessage API insecurely, an attacker could send crafted messages to the presentation, potentially triggering unintended actions or exploiting vulnerabilities in the message handling logic. This is a direct threat if reveal.js's own use of postMessage, or a plugin's use facilitated by reveal.js, is flawed.
  • Impact:
    • Presentation manipulation.
    • Data leakage.
    • Execution of arbitrary code (if the message handler is vulnerable).
  • Affected Component: Any component (core reveal.js or plugins) that uses the postMessage API (e.g., window.postMessage, message event listeners).
  • Risk Severity: High (if postMessage is used, and used insecurely)
  • Mitigation Strategies:
    • Origin Validation: Always validate the origin property of incoming postMessage events. Only process messages from trusted origins. This is the primary defense.
    • Data Validation: Sanitize and validate the data property of incoming messages. Do not blindly trust the content of the message.
    • Specific Target Origin: When sending messages, use a specific target origin (rather than *) to prevent the message from being intercepted by other applications.
    • Code Review: Carefully review any code (especially within reveal.js or its plugins) that uses postMessage to ensure it is implemented securely.

Threat: Multiplexing Control Hijack

• Threat: Multiplexing Control Hijack
  • Description: If the reveal.js multiplexing feature is used, an attacker gains access to the master presentation or the multiplexing secret, allowing them to control the presentation displayed to other viewers. This is a direct threat because it targets a specific reveal.js feature.
  • Impact:
    • Presentation hijacking.
    • Display of unauthorized content.
    • Disruption of the presentation.
  • Affected Component: Multiplexing feature (socket.io communication, master/client roles).
  • Risk Severity: High (if multiplexing is used)
  • Mitigation Strategies:
    • Strong Secret: Use a strong, randomly generated secret for the multiplexing feature. This is the most important mitigation.
    • Access Control: Restrict access to the master presentation. Only authorized users should be able to control it.
    • Network Security: Ensure the network used for multiplexing is secure (e.g., a private network, VPN).
    • HTTPS: Serve both the master and client presentations over HTTPS.