It never is just a button: concerns when running code in someone else's computer
— "There was a button", Holden said. "I pushed it."
— Jesus Christ. That really is how you go through life, isn't it?
Introduction
Ever since JavaScript was introduced, security concerns have driven the current patchwork of rules, headers and sandboxes that browsers have had to implement reactively. After billions of dollars invested, we have billions of devices running the best sandbox ever, which is Chromium's V8. But will that ever be enough? Will this cat-and-mouse game ever end? If not, why?
POC - What's The Hello World of RCE vulnerabilities?

In programming, we have "Hello World" as the canonical example of a first working program. In electronics, the equivalent is to make an LED blink. In the context of web security, what's the equivalent for Remote Code Execution?
MVP - Blink Bookmarklet
Have you heard of bookmarklets? If not, they're pretty cool remnants of the early web, as you'll see. If you're on a desktop browser, just drag this Hello World link to your bookmarks bar and add it as a new bookmark, please:
Like this:

Now as the proverbial lyrical self in the Albanian Virus meme, kindly click it, please. This was the code the user was induced to run within a secure context, just kind of obfuscated through the bookmarklet maker:
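The packaging a bookmarklet maker applies can be undone before anyone clicks the bookmark. The following is an added example, not the post's code: it percent-decodes a `javascript:` link once, as the browser does, unwraps the usual function wrapper, and lists sensitive APIs the body touches. The name `inspectBookmarklet`, the watch-list and both sample links are assumptions constructed for illustration.

```javascript
// Added example: function name, watch-list and sample links are constructed.
const WATCHED = {
  "reads cookies": /\bdocument\s*\.\s*cookie\b/,
  "reads web storage": /\b(local|session)Storage\b/,
  "network request": /\b(fetch|XMLHttpRequest|sendBeacon|WebSocket)\b/,
  "loads more script": /createElement\s*\(\s*['"]script['"]\s*\)/i,
  "dynamic evaluation": /\b(eval|Function)\s*\(|\batob\s*\(/,
};

// Turn a bookmark's href into readable source plus a list of findings.
function inspectBookmarklet(href) {
  const trimmed = String(href).trim();
  const scheme = /^javascript:/i.exec(trimmed);
  if (!scheme) return { isBookmarklet: false, source: null, findings: [] };

  let source = trimmed.slice(scheme[0].length);
  // The browser percent-decodes the body once before running it; do the same.
  // A stray "%" makes decodeURIComponent throw, so keep the raw text then.
  try {
    source = decodeURIComponent(source);
  } catch {
    /* malformed escape: inspect the body as written */
  }

  // Strip the common wrapper: (function(){ ... })();
  const iife =
    /^\s*\(\s*function\s*\(\s*\)\s*\{([\s\S]*)\}\s*\)\s*\(\s*\)\s*;?\s*$/.exec(source);
  if (iife) source = iife[1].trim();

  const findings = Object.keys(WATCHED).filter((k) => WATCHED[k].test(source));
  return { isBookmarklet: true, source, findings };
}

// Constructed samples (not taken from the post).
const HELLO = "javascript:(function()%7Balert('Hello%20World')%3B%7D)()%3B";
const PINGS =
  "javascript:(function()%7Bfetch('https%3A%2F%2Fexample.invalid%2Fping')%7D)()";

console.log(inspectBookmarklet(HELLO));
console.log(inspectBookmarklet(PINGS));
```

An empty findings list only means none of the watched names appear literally; the decoded source still has to be read, since the code runs with the privileges of whatever page is open when the bookmark is clicked.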

What's the catch?
Admittedly, that doesn't sound so impressive. Let's try to make a very barebones Command and Control server and client with this technique.