The Desktop application runs a localhost service that can be communicated with over WebSockets. WebSockets are not subject to the Same-Origin Policy (SOP), so any web page can connect to this endpoint and send and receive data arbitrarily. Because of this, an attacker can have a victim load their website, and that website can talk to the application.
The second issue is that the WebSocket channel has a lot of control over what the Desktop app does. In particular, it can be used to open arbitrary sites inside the Desktop application.
Finally, PlayStation Now uses Electron. Combined with the ability to load arbitrary websites into the Desktop app, this sounds like a disaster waiting to happen... well, it is.
Electron is built on Node.js. There is a setting to disable Node.js integration in the application's renderer, but it is not always set (in this case, it was not). So a malicious website, once loaded into the app, can use Node to run commands on the local system.
Chaining these three issues together (no CSRF/origin protection on the WebSocket, arbitrary URL loading, and Node integration turned on), a CSRF-to-RCE was possible simply by visiting a malicious actor's website.
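Each link in that chain has a straightforward defensive control. The following is an added example (not PlayStation Now's code) showing the three checks as pure functions: an Origin allowlist for the localhost WebSocket handshake, a navigation allowlist for any "open URL" command, and the Electron `webPreferences` that keep remote content away from Node. The origin `desktop-app.example` and host list are placeholders.

```javascript
// Added example, not code from the original post. Assumes the WebSocket
// upgrade request's headers are available as a plain object (as in Node's
// req.headers, which lowercases header names).

// 1. Origin check for the localhost WebSocket. Browsers always send an Origin
//    header on a WebSocket handshake, so the server can reject cross-site pages
//    even though the SOP itself does not block the connection.
const ALLOWED_WS_ORIGINS = new Set([
  'https://desktop-app.example', // placeholder for the app's own origin
]);

function isHandshakeAllowed(headers) {
  const origin = headers['origin'];
  // Require an Origin: a missing header means an unknown caller, not a trusted one.
  if (typeof origin !== 'string') return false;
  return ALLOWED_WS_ORIGINS.has(origin.toLowerCase());
}

// 2. Navigation allowlist for "open URL" commands received over the socket.
//    Only https and known hosts: rejects file:, javascript:, data: and arbitrary sites.
const ALLOWED_NAV_HOSTS = new Set(['desktop-app.example']); // placeholder

function isNavigationAllowed(target) {
  let u;
  try { u = new URL(target); } catch (e) { return false; }
  return u.protocol === 'https:' && ALLOWED_NAV_HOSTS.has(u.hostname);
}

// 3. BrowserWindow preferences that deny remote content access to Node APIs.
const HARDENED_WEB_PREFERENCES = Object.freeze({
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
});

function webPreferencesAreHardened(prefs) {
  return prefs.nodeIntegration === false && prefs.contextIsolation === true;
}
```

With these in place, a foreign page cannot complete the handshake, a compromised channel cannot steer the app to an attacker-controlled site, and a loaded page has no Node access to turn into command execution.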
Watch out for the SOP! It provides a lot of protection, but not for everything.