diff --git a/src/pentesting-web/web-vulnerabilities-methodology.md b/src/pentesting-web/web-vulnerabilities-methodology.md index eed5fe35f5d..a56921fa2e7 100644 --- a/src/pentesting-web/web-vulnerabilities-methodology.md +++ b/src/pentesting-web/web-vulnerabilities-methodology.md 
@@ -68,6 +68,24 @@ When a reflection bug lands in a **modern SPA**, spend a few extra minutes on th For deeper exploitation ideas, check [Abusing Service Workers](xss-cross-site-scripting/abusing-service-workers.md), [WebAssembly linear memory corruption to DOM XSS](xss-cross-site-scripting/wasm-linear-memory-template-overwrite-xss.md), and [Code Review Tooling](../network-services-pentesting/pentesting-web/code-review-tools.md). +#### File System Access API: browser-native file read/write abuse + +Chromium-family browsers expose **`showOpenFilePicker()`**, **`showSaveFilePicker()`**, and **`showDirectoryPicker()`** to trusted pages in a **secure context** and after a **user gesture**. If a target web app, phishing lure, or malicious dependency can convince the user to approve a directory with **readwrite** access, the page can operate on the selected files **without dropping a native payload**. + +Practical abuse patterns: + +- Enumerate the selected directory with **`for await (const [name, handle] of dirHandle.entries())`** or `values()`, recurse into subdirectories, and filter by extension/MIME. +- Read file contents with **`handle.getFile()`** and `text()`, `arrayBuffer()`, or `stream()`, then exfiltrate through `fetch`, XHR, or `sendBeacon`. +- Overwrite files with **`createWritable()`** after a `queryPermission()` / `requestPermission({mode: 'readwrite'})` flow. This is the primitive that enables **browser-native ransomware** or destructive tampering. +- Check **IndexedDB** for serialized `FileSystemFileHandle` / `FileSystemDirectoryHandle` objects because legitimate apps often persist handles and later reuse them after `queryPermission()` / `requestPermission()` checks. +- Review the UX around picker prompts: fake **AI upscalers**, editors, and media tools can plausibly ask for an input file first and an **output folder** second, making the write warning look legitimate. + +Important boundaries: + +- This is **not arbitrary disk access**. 
Chromium blocks or constrains many sensitive locations, but user-chosen media folders can still be high-value targets. In recent public research, **Pictures**, **Videos**, and Android **`DCIM`** roots were practical lure targets. +- A normal web page still cannot become native malware: global keylogging, arbitrary desktop screenshots, and OS persistence remain outside the browser sandbox unless another vulnerability is present. The real primitive is **user-approved local file read/write**. +- Browser support is concentrated in **Chromium**. Chrome shipped the API on desktop in **Chrome 86** and extended it to **Android/WebView in Chrome 132**; Firefox and Safari do not expose the same picker methods. + ### **Search functionalities** If the functionality may be used to search some kind of data inside the backend, maybe you can (ab)use it to search arbitrary data. 
@@ -259,6 +277,11 @@ Modern applications extend into browsers, wallets, and automation pipelines—ke - [When WebSockets Lead to RCE in CurseForge](https://elliott.diy/blog/curseforge/) - [Hijacking service workers via DOM Clobbering](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering) - [Security advisory: Passkey Dialog Clickjacking Issue](https://support.dashlane.com/hc/en-us/articles/28598967624722-Security-advisory-Passkey-Dialog-Clickjacking-Issue) +- [Browser-Only Ransomware: From LLM Hallucinations to a Practical Attack Technique](https://research.checkpoint.com/2026/browser-only-ransomware-from-llm-hallucinations-to-a-practical-attack-technique/) +- [File System Access specification](https://wicg.github.io/file-system-access/) +- [The File System Access API: simplifying access to local files](https://developer.chrome.com/docs/capabilities/web-apis/file-system-access) +- [Chrome 132 release notes](https://developer.chrome.com/release-notes/132) +- [RøB: Ransomware over Modern Web Browsers](https://www.usenix.org/conference/usenixsecurity23/presentation/oz) {{#include ../banners/hacktricks-training.md}}
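Review bot: in the first hunk (`@@ -68,6 +68,24 @@`), the opening paragraph of the new `File System Access API` subsection says the pickers are exposed "to trusted pages", which is inaccurate and undercuts the point of the section: `showOpenFilePicker()`, `showSaveFilePicker()` and `showDirectoryPicker()` are available to any origin in a secure context that holds transient user activation, with no trust or allowlist gate, and that is exactly why a phishing lure or a compromised dependency can drive the flow. Suggest "to any page in a **secure context**, and only while a **user gesture** (transient activation) is live". Two smaller points in the same hunk: the `createWritable()` bullet presents `queryPermission()` / `requestPermission({mode: 'readwrite'})` as the route to write access, but the lure pattern described two bullets later (input file first, output folder second) normally uses `showDirectoryPicker({ mode: 'readwrite' })`, which requests write access at pick time and is the prompt the text calls the "write warning"; mention both routes. And "In recent public research" in the boundaries list carries no inline link, so the Pictures/Videos/`DCIM` claim is not traceable from where it is made.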
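Review bot: in the second hunk (`@@ -259,6 +277,11 @@`), the five new references are the only support for several specific claims made in the subsection (Chrome 86 desktop and Chrome 132 Android/WebView availability, the Pictures/Videos/`DCIM` lure targets, the "browser-native ransomware" framing), yet none of them is cited from the subsection text. Either add inline links at the claims (the Chrome 132 release notes for the Android/WebView statement, the Check Point and RøB entries for the research statement) or rename the unlinked phrase so readers know which list entries back it. Entry style matches the existing `- [title](url)` list, so no change is needed there.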