From 5649ea97fdb253f92b74e3231627e291bd2a6baf Mon Sep 17 00:00:00 2001 From: Najam Ul Saqib Date: Fri, 22 Nov 2024 17:53:45 +0500 Subject: [PATCH 1/2] add walkthrough --- README.md | 21 ++++++++++++++++----- walkthrough.md | 27 +++++++++++++++++++++++++++ 2 files changed, 43 insertions(+), 5 deletions(-) create mode 100644 walkthrough.md diff --git a/README.md b/README.md index cb405b3..bcbf02a 100644 --- a/README.md +++ b/README.md @@ -1,16 +1,19 @@ # DVEA + ### NOTE: This App Is Vulnerable, DO NOT RUN IN PRODUCTION ENVIRONMENT + Damn Vulnerable ElectronJS App (DVEA) is a purposely built vulnerable ElectronJS app for developers and security engineer. It contains major vulnerabilities that are specific to ElectronJS environment. The app demonstrates a vulnerable to do list, following vulnerabilties are currently added to the app: + 1. Cross Site Scripting 2. XSS to RCE 3. Deep Links to XSS 4. Deep Links to RCE -- - - +--- ## WARNING! 
@@ -18,15 +21,19 @@ Damn Vulnerable Electron Application is damn vulnerable! **Do not upload it to y ### Disclaimer -I does not take responsibility for the way in which any one uses this application (DVEA). I have made the purposes of the application clear and it should not be used maliciously. I have given warnings and taken measures to prevent users from installing DVEA on to live servers. If your server is compromised via an installation of DVEA, it is not my responsibility, it is the responsibility of the person/s who uploaded and installed it. +I do not take responsibility for the way in which any one uses this application (DVEA). I have made the purposes of the application clear and it should not be used maliciously. I have given warnings and taken measures to prevent users from installing DVEA on to live servers. If your server is compromised via an installation of DVEA, it is not my responsibility, it is the responsibility of the person/s who uploaded and installed it. + +--- -- - - ### Download + Get your copy of DVEA from the github releases section here: https://github.com/njmulsqb/DVEA/releases/latest The binaries are available for Linux, MacOS and Windows. -- - - + +--- ### Running from source + ``` git clone https://github.com/njmulsqb/DVEA cd DVEA @@ -34,11 +41,15 @@ npm i electron . ``` + --- + ### Contributing + DVEA is always open for PRs! - + --- ### Credits + The app is built on https://github.com/CodeDraken/electron-todo diff --git a/walkthrough.md b/walkthrough.md new file mode 100644 index 0000000..bd79f98 --- /dev/null +++ b/walkthrough.md 
@@ -0,0 +1,27 @@ +Here's the brief walkthrough of security vulnerabilities in DVEA: + +# Cross-site Scripting + +A simple XSS payload of `` will do perform XSS on the application when put in the to-do item section + +# XSS to RCE + +To perform RCE via XSS, you need to import "shell" library and execute its `openPath` function using which you can execute commands on the system + +``` +Hover Me +``` + +# Deep-link to XSS + +The app is registered with a deep-link of `dvea://` which is used to add tasks to the app using deep link e.g. `dvea://task?add=Clean Your Room` which obviously can be fed with an XSS payload like `dvea://task?add=` when opened via browser. + +# Deep-link to RCE + +Now combining all the above attack vectors we can chain the deep link to achieve RCE using the same payload as in "XSS to RCE" when invoked via the deep link. From c1ecba0b389c139f5a8eb31fe7c94b19ef82a12c Mon Sep 17 00:00:00 2001 From: Najam Ul Saqib Date: Fri, 22 Nov 2024 17:58:07 +0500 Subject: [PATCH 2/2] update walkthrough --- README.md | 24 ++++++++++++++---------- walkthrough.md | 6 +++++- 2 files changed, 19 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index bcbf02a..ab3c8bc 100644 --- a/README.md +++ b/README.md 
@@ -15,16 +15,6 @@ The app demonstrates a vulnerable to do list, following vulnerabilties are curre --- -## WARNING! - -Damn Vulnerable Electron Application is damn vulnerable! **Do not upload it to your hosting provider's public html folder or any Internet facing servers**, as they will be compromised. It is recommended using a virtual machine (such as [VirtualBox](https://www.virtualbox.org/) or [VMware](https://www.vmware.com/)), which is set to NAT networking mode. - -### Disclaimer - -I do not take responsibility for the way in which any one uses this application (DVEA). I have made the purposes of the application clear and it should not be used maliciously. I have given warnings and taken measures to prevent users from installing DVEA on to live servers. If your server is compromised via an installation of DVEA, it is not my responsibility, it is the responsibility of the person/s who uploaded and installed it. - ---- - ### Download Get your copy of DVEA from the github releases section here: https://github.com/njmulsqb/DVEA/releases/latest 
@@ -44,6 +34,20 @@ electron . --- +### Walkthrough + +The walkthrough of this app can be seen at [walkthrough.md](./walkthrough.md) + +--- + +## WARNING! + +Damn Vulnerable Electron Application is damn vulnerable! **Do not upload it to your hosting provider's public html folder or any Internet facing servers**, as they will be compromised. It is recommended using a virtual machine (such as [VirtualBox](https://www.virtualbox.org/) or [VMware](https://www.vmware.com/)), which is set to NAT networking mode. + +### Disclaimer + +I do not take responsibility for the way in which any one uses this application (DVEA). I have made the purposes of the application clear and it should not be used maliciously. I have given warnings and taken measures to prevent users from installing DVEA on to live servers. If your server is compromised via an installation of DVEA, it is not my responsibility, it is the responsibility of the person/s who uploaded and installed it. + ### Contributing DVEA is always open for PRs! diff --git a/walkthrough.md b/walkthrough.md index bd79f98..514d2a8 100644 --- a/walkthrough.md +++ b/walkthrough.md @@ -24,4 +24,8 @@ The app is registered with a deep-link of `dvea://` which is used to add tasks t # Deep-link to RCE -Now combining all the above attack vectors we can chain the deep link to achieve RCE using the same payload as in "XSS to RCE" when invoked via the deep link. +Now combining all the above attack vectors we can chain the deep link to achieve RCE using the same payload as in "XSS to RCE" when invoked via the deep link, the payload will look something like + +``` +dvea://task?add=Hover Me +```
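Review bot: in PATCH 1/2, the first README hunk (`@@ -1,16 +1,19 @@`) leaves several typos in the context lines it surrounds, and this is the natural moment to fix them: `for developers and security engineer` should read `for developers and security engineers`, `following vulnerabilties are currently added to the app` should read `the following vulnerabilities are currently included in the app`, and `a vulnerable to do list` reads better as `a vulnerable to-do list`. Normalising the separator from `- - -` to `---` is fine and matches the other separators in the file.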
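Review bot: in PATCH 1/2, the second README hunk (`@@ -18,15 +21,19 @@`) correctly changes `I does not` to `I do not`, but the same disclaimer line still has `any one` (should be `anyone`) and `on to live servers` (should be `onto live servers`); in the Download paragraph below it, `github releases section` and `MacOS` would normally be written `GitHub releases section` and `macOS`.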
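Review bot: in PATCH 1/2, the new `walkthrough.md` hunk (`@@ -0,0 +1,27 @@`) lists a payload per vulnerability but never says why each one works or how it is fixed, which is the part the README's stated audience of developers needs most; a short root-cause and remediation line under each of the four headings (which Electron setting or preload/IPC choice lets renderer content reach `shell`, and what the hardened configuration looks like, for example the defaults of `nodeIntegration: false` and `contextIsolation: true`) would turn the file from a payload list into a walkthrough. Smaller points in the same hunk: `will do perform XSS` should be `will perform XSS`; `import "shell" library` is imprecise, since `shell` is a module of Electron itself (`require('electron').shell`) rather than a separate library, and `openPath` is a method on that module; the inline code spans holding the payload in the "Cross-site Scripting" section and the `dvea://task?add=` example in the "Deep-link to XSS" section come through empty as shown here, so check that the intended markup survives rendering (backtick spans do not escape angle brackets from a Markdown-to-HTML pipeline the same way everywhere) before merging; and the fenced block under "XSS to RCE" should carry a language tag such as `html`.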
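Review bot: in PATCH 2/2, the second README hunk (`@@ -44,6 +34,20 @@`) moves the `## WARNING!` and `### Disclaimer` block below `### Running from source`, so a reader working through the README in order reaches `git clone` and `electron .` before the VM/NAT recommendation; the `### NOTE` line at the top still says not to run the app in production, but keeping the full warning above the install steps, or at least adding a one-line pointer to it beside `### Download`, is safer for the audience this repo targets. Two layout points in the same hunk: `## WARNING!` is the only H2 in a file whose other sections are all H3, so the relocated block breaks the heading hierarchy, and there is no `---` separator between the Disclaimer paragraph and `### Contributing`, unlike every other section boundary after this change; the new `### Walkthrough` link to `./walkthrough.md` itself looks good.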
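Review bot: in PATCH 2/2, the `walkthrough.md` hunk (`@@ -24,4 +24,8 @@`) turns the final sentence into a run-on (`... when invoked via the deep link, the payload will look something like`); end the sentence at `via the deep link.` and introduce the fenced block with its own short sentence. `something like` should also be tightened to say whether the shown `dvea://task?add=...` line is the literal form the app accepts or needs adjusting, since an example the reader cannot reproduce verbatim defeats the purpose of a walkthrough, and the new fence should carry a language tag (`text` is fine for a URL) in line with the other fences in the file once they are tagged.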