diff --git a/.gitbook/assets/1-u1jdryuwaevwjmf_f2ttjg.png b/.gitbook/assets/1-u1jdryuwaevwjmf_f2ttjg.png new file mode 100644 index 000000000..02577ce02 Binary files /dev/null and b/.gitbook/assets/1-u1jdryuwaevwjmf_f2ttjg.png differ diff --git a/.gitbook/assets/image (434).png b/.gitbook/assets/image (434).png new file mode 100644 index 000000000..9de62599a Binary files /dev/null and b/.gitbook/assets/image (434).png differ diff --git a/pentesting/pentesting-web/xss-to-rce-electron-desktop-apps.md b/pentesting/pentesting-web/xss-to-rce-electron-desktop-apps.md index f683e3e45..a75168182 100644 --- a/pentesting/pentesting-web/xss-to-rce-electron-desktop-apps.md +++ b/pentesting/pentesting-web/xss-to-rce-electron-desktop-apps.md 
@@ -1,4 +1,48 @@ # XSS to RCE Electron Desktop Apps -Recommended read: [https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1](https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1) +Recommended read for more trick: [https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1](https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1) + +When I test Electron app, first I always check the options of the [BrowserWindow API](https://www.electronjs.org/docs/api/browser-window), which is used to create a browser window. By checking it, I think about how RCE can be achieved when arbitrary JavaScript execution on the renderer is possible. +Example: + +```text +const mainWindowOptions = { + title: 'Discord', + backgroundColor: getBackgroundColor(), + width: DEFAULT_WIDTH, + height: DEFAULT_HEIGHT, + minWidth: MIN_WIDTH, + minHeight: MIN_HEIGHT, + transparent: false, + frame: false, + resizable: true, + show: isVisible, + webPreferences: { + blinkFeatures: 'EnumerateDevices,AudioOutputDevices', + nodeIntegration: false, + preload: _path2.default.join(__dirname, 'mainScreenPreload.js'), + nativeWindowOpen: true, + enableRemoteModule: false, + spellcheck: true + } +}; +``` + +## nodeIntgration RCE + +If the nodeIntegration is set to true, a web page's JavaScript can use Node.js features easily just by calling the `require()`. For example, the way to execute the calc application on Windows is: + +```text + +``` + +## Read Arbitrary Internal FIle + +If contextIsolation set to false you can try to use <webview> \(similar to <iframe> butcan load local files\) to read local files and exfiltrate them: using something like **<webview src=”file:///etc/passwd”></webview>:** + +![](../../.gitbook/assets/1-u1jdryuwaevwjmf_f2ttjg.png) + +**\(Trick copied form** [**here**](https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d)**\).**
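Review bot: the `## nodeIntgration RCE` section announces a payload ("the way to execute the calc application on Windows is:") but the fenced block that follows is empty, so the section documents nothing; either put the `require('child_process')` call the sentence promises inside that fence or drop the sentence until the payload is ready. The same heading misspells the option (`nodeIntgration` should be `nodeIntegration`, matching the `nodeIntegration: false` key in the options dump above it), and both fences are tagged `text` although the first one is JavaScript (`const mainWindowOptions = {`), so tag it `javascript` so GitBook highlights it. In `## Read Arbitrary Internal FIle`: fix `FIle`, `butcan` (two words), `copied form` (should be `from`), and the curly quotes in `<webview src=”file:///etc/passwd”></webview>`, which break the payload for anyone who copies it; the raw `<webview>` and `<iframe>` tags in prose should also be backticked or escaped so the renderer does not swallow them as HTML. The precondition stated there ("If contextIsolation set to false") is not what controls whether `<webview>` is usable: the tag is enabled by the `webviewTag` web preference (off by default in current Electron releases), so state that as the requirement and note that the `mainWindowOptions` dump shown above does not set it. Minor: "Recommended read for more trick" should read "more tricks", and the new asset `image (434).png` is added to `.gitbook/assets` but never referenced by the markdown, so it is an unused binary in the commit.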