Next Article in Journal
Improving the Classification Efficiency of an ANN Utilizing a New Training Methodology
Previous Article in Journal
Domain-Specific Aspect-Sentiment Pair Extraction Using Rules and Compound Noun Lexicon for Customer Reviews
Article

Mayall: A Framework for Desktop JavaScript Auditing and Post-Exploitation Analysis

School of Design and Informatics, Abertay University, Dundee DD1 1HG, UK
*
Author to whom correspondence should be addressed.
Informatics 2018, 5(4), 46; https://doi.org/10.3390/informatics5040046
Received: 17 September 2018 / Revised: 26 November 2018 / Accepted: 11 December 2018 / Published: 17 December 2018
Writing desktop applications in JavaScript offers developers the opportunity to create cross-platform applications with cutting-edge capabilities. However, in doing so, they are potentially submitting their code to a number of unsanctioned modifications from malicious actors. Electron is one such JavaScript application framework which facilitates this multi-platform out-the-box paradigm and is based upon the Node.js JavaScript runtime—an increasingly popular server-side technology. By bringing this technology to the client-side environment, previously unrealized risks are exposed to users due to the powerful system programming interface that Node.js exposes. In a concerted effort to highlight previously unexposed risks in these rapidly expanding frameworks, this paper presents the Mayall Framework, an extensible toolkit aimed at JavaScript security auditing and post-exploitation analysis. This paper also exposes fifteen highly popular Electron applications and demonstrates that two-thirds of applications were found to be using known vulnerable elements with high CVSS (Common Vulnerability Scoring System) scores. Moreover, this paper discloses a wide-reaching and overlooked vulnerability within the Electron Framework which is a direct byproduct of shipping the runtime unaltered with each application, allowing malicious actors to modify source code and inject covert malware inside verified and signed applications without restriction. Finally, a number of injection vectors are explored and appropriate remediations are proposed. View Full-Text
Keywords: JavaScript; Node.js; security vulnerabilities; arbitrary code execution; post-exploitation JavaScript; Node.js; security vulnerabilities; arbitrary code execution; post-exploitation
Show Figures

Figure 1

MDPI and ACS Style

Rapley, A.; Bellekens, X.; Shepherd, L.A.; McLean, C. Mayall: A Framework for Desktop JavaScript Auditing and Post-Exploitation Analysis. Informatics 2018, 5, 46. https://doi.org/10.3390/informatics5040046

AMA Style

Rapley A, Bellekens X, Shepherd LA, McLean C. Mayall: A Framework for Desktop JavaScript Auditing and Post-Exploitation Analysis. Informatics. 2018; 5(4):46. https://doi.org/10.3390/informatics5040046

Chicago/Turabian Style

Rapley, Adam, Xavier Bellekens, Lynsay A. Shepherd, and Colin McLean. 2018. "Mayall: A Framework for Desktop JavaScript Auditing and Post-Exploitation Analysis" Informatics 5, no. 4: 46. https://doi.org/10.3390/informatics5040046

Find Other Styles
Note that from the first issue of 2016, MDPI journals use article numbers instead of page numbers. See further details here.

Article Access Map by Country/Region

1
Back to TopTop