Next Article in Journal
Improving the Classification Efficiency of an ANN Utilizing a New Training Methodology
Previous Article in Journal
Domain-Specific Aspect-Sentiment Pair Extraction Using Rules and Compound Noun Lexicon for Customer Reviews
Article Menu

Export Article

Open AccessArticle
Informatics 2018, 5(4), 46; https://doi.org/10.3390/informatics5040046

Mayall: A Framework for Desktop JavaScript Auditing and Post-Exploitation Analysis

School of Design and Informatics, Abertay University, Dundee DD1 1HG, UK
*
Author to whom correspondence should be addressed.
Received: 17 September 2018 / Revised: 26 November 2018 / Accepted: 11 December 2018 / Published: 17 December 2018
  |  
PDF [515 KB, uploaded 17 December 2018]
  |  

Abstract

Writing desktop applications in JavaScript offers developers the opportunity to create cross-platform applications with cutting-edge capabilities. However, in doing so, they are potentially submitting their code to a number of unsanctioned modifications from malicious actors. Electron is one such JavaScript application framework which facilitates this multi-platform out-the-box paradigm and is based upon the Node.js JavaScript runtime—an increasingly popular server-side technology. By bringing this technology to the client-side environment, previously unrealized risks are exposed to users due to the powerful system programming interface that Node.js exposes. In a concerted effort to highlight previously unexposed risks in these rapidly expanding frameworks, this paper presents the Mayall Framework, an extensible toolkit aimed at JavaScript security auditing and post-exploitation analysis. This paper also exposes fifteen highly popular Electron applications and demonstrates that two-thirds of applications were found to be using known vulnerable elements with high CVSS (Common Vulnerability Scoring System) scores. Moreover, this paper discloses a wide-reaching and overlooked vulnerability within the Electron Framework which is a direct byproduct of shipping the runtime unaltered with each application, allowing malicious actors to modify source code and inject covert malware inside verified and signed applications without restriction. Finally, a number of injection vectors are explored and appropriate remediations are proposed. View Full-Text
Keywords: JavaScript; Node.js; security vulnerabilities; arbitrary code execution; post-exploitation JavaScript; Node.js; security vulnerabilities; arbitrary code execution; post-exploitation
Figures

Figure 1

This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited (CC BY 4.0).
SciFeed

Share & Cite This Article

MDPI and ACS Style

Rapley, A.; Bellekens, X.; Shepherd, L.A.; McLean, C. Mayall: A Framework for Desktop JavaScript Auditing and Post-Exploitation Analysis. Informatics 2018, 5, 46.

Show more citation formats Show less citations formats

Note that from the first issue of 2016, MDPI journals use article numbers instead of page numbers. See further details here.

Related Articles

Article Metrics

Article Access Statistics

1

Comments

[Return to top]
Informatics EISSN 2227-9709 Published by MDPI AG, Basel, Switzerland RSS E-Mail Table of Contents Alert
Back to Top