Discord is an extremely popular chat application used in gaming, but it is starting to grow into other industries. The desktop application uses Electron, a cross-platform project built on JavaScript and Chromium.
Because the WHOLE thing is built on top of JavaScript and NodeJS, the consequences of XSS (JavaScript injection into the application) go from bad to RCE pretty quickly. This lack of isolation can be exploited in many ways, which is discussed in this write-up.
There are two main settings that dictate whether page JavaScript can reach into the application: nodeIntegration and contextIsolation. In this case, nodeIntegration was off (safe setting) and contextIsolation was off (unsafe setting). While the author could not directly call NodeJS functionality for RCE, there was a workaround!
With contextIsolation disabled, a web page's JavaScript shares an execution context with the renderer's internal JavaScript and can affect how that code runs! So, still a chance for RCE! :) A few called-out items were Electron preload scripts and other functions within the Electron app.
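As an added illustration (not code from the write-up or from Discord), here is the weak combination of the two settings described above beside a hardened one, with a small audit helper that flags the weak values. The preload path is a hypothetical placeholder, and the helper treats an unset contextIsolation as a finding because older Electron releases defaulted it to false.

```javascript
// Added example, not from the original write-up: Electron webPreferences
// shown as a weak configuration next to a hardened one, plus an audit helper.
// Runs under plain Node; no electron module is needed because only the option
// objects are inspected.

// The combination summarised above: Node APIs off, but no isolation between
// page scripts and the preload/internal renderer scripts.
const weakWebPreferences = {
  nodeIntegration: false,
  contextIsolation: false,
  preload: '/app/preload.js', // hypothetical path
};

// Hardened equivalent: Node stays off, contexts are isolated so page JS cannot
// reach preload/internal objects, and the renderer is sandboxed.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  preload: '/app/preload.js', // hypothetical path
};

// Returns a list of findings for a webPreferences object; an empty list means
// none of the checked weaknesses are present. A missing contextIsolation key
// is flagged because older Electron releases defaulted it to false.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration is enabled: page JS can call Node APIs directly');
  }
  if (prefs.contextIsolation !== true) {
    findings.push('contextIsolation is not enabled: page JS shares a context with preload/internal scripts');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox is not enabled: renderer process is not OS-sandboxed');
  }
  return findings;
}

// Example run: the weak config yields two findings, the hardened one none.
console.log(auditWebPreferences(weakWebPreferences));
console.log(auditWebPreferences(hardenedWebPreferences));
```

The helper is meant for reviewing BrowserWindow options during a code audit; it reports the combination the write-up exploited even when nodeIntegration is correctly disabled.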
With the sandbox escape out of the way, how about an XSS? Using the built-in Markdown functionality, it was possible to load content from a strict allow-list of URLs into an iframe. So, XSS on one of these URLs means XSS in the Discord app! The author found XSS on two of these URLs.
Game over, right? Not quite: the content sat in an iframe, and Electron SHOULD have restricted it from navigating the top-level window. However, even though there was a check for navigating up to the next window, the navigation still went through! This resulted in a CVE for Electron itself, oddly enough.
Overall, a fairly good write-up! It is always awesome to see so many bugs chained together, especially when a 0-day in a popular kit is found.