Electron is a browser-based development platform for desktop applications. It uses Node.js to program the entire thing. As such, being able to execute JavaScript in the context of the application means arbitrary Node.js code execution, not just JavaScript.
While looking for XSS and HTML injection, he found it pretty quickly (just by adding bold tags). However, with a clean CSP (Content Security Policy), all of the XSS payloads were blocked.
The CSP had a single flaw, though: it allowed JS from all S3 buckets via a wildcard subdomain. This meant that JS was trivial to include by adding it to an S3 bucket.
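A wildcard host in `script-src` is easy to miss in review, so here is an added example (not code from the original write-up or the application it describes) that parses a CSP header and flags script sources that hand script loading to any tenant of a shared host; the sample policy is constructed to have the shape described above.

```javascript
// Added example: audit the script sources of a CSP for entries that let
// an attacker serve script, such as a wildcard over a shared hosting domain.

// Split "name src src; name src" into a map of directive -> source list.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// script-src governs script loading; default-src is the fallback.
function scriptSources(directives) {
  return directives['script-src'] || directives['default-src'] || [];
}

// Returns one finding per risky source (empty array means nothing flagged).
function auditScriptSrc(header) {
  const findings = [];
  for (const src of scriptSources(parseCsp(header))) {
    const s = src.toLowerCase();
    if (s === '*' || s === 'http:' || s === 'https:') {
      findings.push(`${src}: allows script from any origin`);
    } else if (/^(https?:\/\/)?\*\./.test(s)) {
      // A wildcard subdomain over a shared host (object storage, CDN, pages
      // hosting) allows script from any account that can create a subdomain.
      findings.push(`${src}: wildcard subdomain of a host anyone may get a subdomain on`);
    } else if (s === "'unsafe-inline'" || s === "'unsafe-eval'") {
      findings.push(`${src}: permits inline or eval'd script`);
    }
  }
  return findings;
}

// Constructed sample policy of the shape the write-up describes:
// the wildcard lets any bucket on the storage host serve script.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://*.s3.amazonaws.com";
console.log(auditScriptSrc(SAMPLE_CSP));
```

Run it against the policies your own app serves; the fix is to list the specific bucket or origin you control rather than a wildcard over the whole host.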
After using another trick (the iframe srcdoc attribute to execute JS), the payload still did not work. The developers had made some odd changes to require in order to allow Angular to work in this context. Once this was figured out, a small change to the payload made RCE via a bad message possible.
However, it gets worse! The application had an open redirect vulnerability, even within the custom URI handler. By combining the open redirect with the custom URI scheme, it was possible to have a single click on a URL lead to RCE.
How this would work was the following:
- User clicks on link to custom URI
- The native application, handling the URI, follows the open redirect
- The newly loaded page uses the XSS to get RCE
Now, RCE has been achieved by clicking on a single link!
As a final note, the debugging was interesting too. Electron applications ship with devtools, which makes the source code very nice to read. In this case, though, the devtools had custom shortcuts.