Mayall: A Framework for Desktop JavaScript Auditing and Post-Exploitation Analysis

11/14/2018
by   Adam Rapley, et al.
0

Writing desktop applications in JavaScript offers developers the opportunity to write cross-platform applications with cutting edge capabilities. However in doing so, they are potentially submitting their code to a number of unsanctioned modifications from malicious actors. Electron is one such JavaScript application framework which facilitates this multi-platform out-the-box paradigm and is based upon the Node.js JavaScript runtime --- an increasingly popular server-side technology. In bringing this technology to the client-side environment, previously unrealized risks are exposed to users due to the powerful system programming interface that Node.js exposes. In a concerted effort to highlight previously unexposed risks in these rapidly expanding frameworks, this paper presents the Mayall Framework, an extensible toolkit aimed at JavaScript security auditing and post-exploitation analysis. The paper also exposes fifteen highly popular Electron applications and demonstrates that two thirds of applications were found to be using known vulnerable elements with high CVSS scores. Moreover, this paper discloses a wide-reaching and overlooked vulnerability within the Electron Framework which is a direct byproduct of shipping the runtime unaltered with each application, allowing malicious actors to modify source code and inject covert malware inside verified and signed applications without restriction. Finally, a number of injection vectors are explored and appropriate remediations are proposed.

READ FULL TEXT

page 1

page 2

page 3

page 4

research
08/11/2020

Code-based Vulnerability Detection in Node.js Applications: How far are we?

With one of the largest available collection of reusable packages, the J...
research
06/12/2020

Exploiting ML algorithms for Efficient Detection and Prevention of JavaScript-XSS Attacks in Android Based Hybrid Applications

The development and analysis of mobile applications in term of security ...
research
05/13/2019

Privacy and Security Risks of "Not-a-Virus" Bundled Adware: The Wajam Case

Comprehensive case studies on malicious code mostly focus on botnets and...
research
10/27/2021

Stubbifier: Debloating Dynamic Server-Side JavaScript Applications

JavaScript is an increasingly popular language for server-side developme...
research
07/22/2022

Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js

Prototype pollution is a dangerous vulnerability affecting prototype-bas...
research
05/14/2020

DjangoChecker: Applying Extended Taint Tracking and Server Side Parsing for Detection of Context-Sensitive XSS Flaws

Cross-site scripting (XSS) flaws are a class of security flaws that perm...
research
03/28/2017

RootJS: Node.js Bindings for ROOT 6

We present rootJS, an interface making it possible to seamlessly integra...

Please sign up or login with your details

Forgot password? Click here to reset