Mayall: A Framework for Desktop JavaScript Auditing and Post-Exploitation Analysis

Journal Title: Informatics - Year 2018, Vol 5, Issue 4

Abstract

Writing desktop applications in JavaScript offers developers the opportunity to create cross-platform applications with cutting-edge capabilities. However, in doing so, they are potentially submitting their code to a number of unsanctioned modifications from malicious actors. Electron is one such JavaScript application framework which facilitates this multi-platform out-the-box paradigm and is based upon the Node.js JavaScript runtime—an increasingly popular server-side technology. By bringing this technology to the client-side environment, previously unrealized risks are exposed to users due to the powerful system programming interface that Node.js exposes. In a concerted effort to highlight previously unexposed risks in these rapidly expanding frameworks, this paper presents the Mayall Framework, an extensible toolkit aimed at JavaScript security auditing and post-exploitation analysis. This paper also exposes fifteen highly popular Electron applications and demonstrates that two-thirds of applications were found to be using known vulnerable elements with high CVSS (Common Vulnerability Scoring System) scores. Moreover, this paper discloses a wide-reaching and overlooked vulnerability within the Electron Framework which is a direct byproduct of shipping the runtime unaltered with each application, allowing malicious actors to modify source code and inject covert malware inside verified and signed applications without restriction. Finally, a number of injection vectors are explored and appropriate remediations are proposed.

Authors and Affiliations

Adam Rapley, Xavier Bellekens, Lynsay A. Shepherd and Colin McLean

Keywords

Related Articles

Evaluating Awareness and Perception of Botnet Activity within Consumer Internet-of-Things (IoT) Networks

The growth of the Internet of Things (IoT), and demand for low-cost, easy-to-deploy devices, has led to the production of swathes of insecure Internet-connected devices. Many can be exploited and leveraged to perform l...

Web-Based Scientific Exploration and Analysis of 3D Scanned Cuneiform Datasets for Collaborative Research

The three-dimensional cuneiform script is one of the oldest known writing systems and a central object of research in Ancient Near Eastern Studies and Hittitology. An important step towards the understanding of the cun...

Improving the Classification Efficiency of an ANN Utilizing a New Training Methodology

In this work, a new approach for training artificial neural networks is presented which utilises techniques for solving the constraint optimisation problem. More specifically, this study converts the training of a neur...

On Ensemble SSL Algorithms for Credit Scoring Problem

Credit scoring is generally recognized as one of the most significant operational research techniques used in banking and finance, aiming to identify whether a credit consumer belongs to either a legitimate or a suspic...

Convolutional Neural Networks for Human Activity Recognition Using Body-Worn Sensors

Human activity recognition (HAR) is a classification task for recognizing human movements. Methods of HAR are of great interest as they have become tools for measuring occurrences and durations of human actions, which...

Download PDF file
  • EP ID EP44154
  • DOI https://www.mdpi.com/2227-9709/5/4/46/pdf
  • Views 251
  • Downloads 0

How To Cite

Adam Rapley, Xavier Bellekens, Lynsay A. Shepherd and Colin McLean (2018). Mayall: A Framework for Desktop JavaScript Auditing and Post-Exploitation Analysis. Informatics, 5(4), -. https://europub.co.uk/articles/-A-44154