Rocket Chat is an open-source alternative to Slack: a team-based messaging service with many collaboration tools built in. Rocket Chat also ships a desktop application built on Electron.
The desktop application performs same-host navigation: any link whose host matches the server the client is connected to is opened inside the Electron window itself rather than in the system browser. By itself this is not a problem. But what if an attacker can get content they control served from that same host, so that Electron renders it?
Rocket Chat lets users upload files, and the server can store them in backends such as Amazon S3 and Google Cloud Storage. The download URL for such a file lives on the Rocket Chat host and redirects to the storage backend. Because the link is same-host, the desktop app follows it in the Electron window, and if the uploaded file is an HTML document containing JavaScript, that script runs inside the application rather than in an isolated browser tab.
Because an Electron renderer can be given access to Node.js APIs, the line between client-side JavaScript and desktop code is blurred, and an XSS that lands in the application's own window becomes access to the host. Files, stored credentials, or anything else the desktop application can reach could be stolen.
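To make the navigation flaw and its fix concrete, here is an added example (not Rocket Chat's code) of an Electron main-process navigation guard, with the policy factored out so it runs without Electron. It assumes an app origin of https://chat.example.com, an upload route under /file-upload/, and a constructed redirect chain standing in for the download-URL-to-storage-bucket hop described above; the Electron events it wires (`will-navigate`, `will-redirect`) and `shell.openExternal` are real Electron APIs, injected here so the guard can be driven by a fake `webContents`.

```javascript
// Added example, not Rocket Chat's code. Assumptions: APP_ORIGIN is the server the
// client is connected to; UPLOAD_PATH_PREFIX is the route that serves uploaded files.
const APP_ORIGIN = 'https://chat.example.com';
const UPLOAD_PATH_PREFIX = '/file-upload/';

// The rule described in the text: same host => keep the navigation in the app window.
function naiveAllowsInApp(url) {
  return new URL(url).origin === APP_ORIGIN;
}

// Hardened rule: same origin AND not a served-upload route. Uploaded content is
// user-controlled, so it must never be rendered as a document inside the app.
function hardenedAllowsInApp(url) {
  const u = new URL(url);
  return u.origin === APP_ORIGIN && !u.pathname.startsWith(UPLOAD_PATH_PREFIX);
}

// The naive policy decides once, on the URL the user clicked; the hardened policy
// re-checks every server-side redirect hop via Electron's 'will-redirect' event.
const NAIVE_POLICY = { allowsInApp: naiveAllowsInApp, checkRedirects: false };
const HARDENED_POLICY = { allowsInApp: hardenedAllowsInApp, checkRedirects: true };

// Wire a policy to a webContents. In a real app `webContents` is
// BrowserWindow.webContents and `openExternal` is electron.shell.openExternal;
// both are passed in so the guard can be exercised against a fake emitter.
function attachNavigationGuard(webContents, openExternal, policy) {
  const guard = (event, url) => {
    if (!policy.allowsInApp(url)) {
      event.preventDefault();   // cancel the in-app navigation
      openExternal(url);        // hand the URL to the system browser instead
    }
  };
  webContents.on('will-navigate', guard);
  if (policy.checkRedirects) webContents.on('will-redirect', guard);
  return guard;
}

// Minimal stand-in for Electron's webContents event surface.
class FakeWebContents {
  constructor() { this.listeners = {}; }
  on(name, fn) { (this.listeners[name] = this.listeners[name] || []).push(fn); }
  emit(name, ...args) { for (const fn of this.listeners[name] || []) fn(...args); }
}

// Replay a navigation through a redirect chain and report which URL (if any) ends
// up rendered in the app window and which URLs were pushed out to the browser.
function simulateNavigation(chain, policy) {
  const webContents = new FakeWebContents();
  const external = [];
  attachNavigationGuard(webContents, url => external.push(url), policy);
  for (let i = 0; i < chain.length; i++) {
    const event = { prevented: false, preventDefault() { this.prevented = true; } };
    webContents.emit(i === 0 ? 'will-navigate' : 'will-redirect', event, chain[i]);
    if (event.prevented) return { rendered: null, external };
  }
  return { rendered: chain[chain.length - 1], external };
}

// Constructed chain modelling the scenario in the text: a same-host download link
// that redirects to an attacker-uploaded HTML file on the storage backend.
const ATTACK_CHAIN = [
  'https://chat.example.com/file-upload/abc123/evil.html',
  'https://uploads-bucket.s3.amazonaws.com/abc123/evil.html',
];
// A normal in-app link, and a same-host URL that bounces off-host without touching
// the upload route (constructed, to show why the redirect hop must be checked too).
const CHANNEL_LINK = ['https://chat.example.com/channel/general'];
const OFF_HOST_BOUNCE = ['https://chat.example.com/go', 'https://attacker.example/payload.html'];

console.log('naive   :', simulateNavigation(ATTACK_CHAIN, NAIVE_POLICY));
console.log('hardened:', simulateNavigation(ATTACK_CHAIN, HARDENED_POLICY));
console.log('hardened:', simulateNavigation(OFF_HOST_BOUNCE, HARDENED_POLICY));
```

Under the naive policy the attack chain ends with the S3-hosted HTML rendered in the app window; under the hardened policy it is cancelled at the first hop and sent to the system browser, and the off-host bounce is caught at the redirect. Note that `will-navigate` only covers navigations of the existing window; links that open new windows go through `setWindowOpenHandler` and need the same policy.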
Electron apps are hard to lock down. Developers need to be especially careful with XSS and with redirects: a navigation rule evaluated only on the URL that was clicked can be bypassed by a same-host URL that redirects somewhere else, so the check belongs on every hop, and user-uploaded content should never be rendered as a document inside the app window. The renderer should also run without Node.js APIs (nodeIntegration off, contextIsolation on), so that an XSS that does slip through stays a web-page XSS rather than becoming code execution on the host.