23 changes: 23 additions & 0 deletions src/pentesting-web/web-vulnerabilities-methodology.md
Expand Up @@ -68,6 +68,24 @@ When a reflection bug lands in a **modern SPA**, spend a few extra minutes on th

For deeper exploitation ideas, check [Abusing Service Workers](xss-cross-site-scripting/abusing-service-workers.md), [WebAssembly linear memory corruption to DOM XSS](xss-cross-site-scripting/wasm-linear-memory-template-overwrite-xss.md), and [Code Review Tooling](../network-services-pentesting/pentesting-web/code-review-tools.md).

#### File System Access API: browser-native file read/write abuse

Chromium-family browsers expose **`showOpenFilePicker()`**, **`showSaveFilePicker()`**, and **`showDirectoryPicker()`** to trusted pages in a **secure context** and after a **user gesture**. If a target web app, phishing lure, or malicious dependency can convince the user to approve a directory with **readwrite** access, the page can operate on the selected files **without dropping a native payload**.

Practical abuse patterns:

- Enumerate the selected directory with **`for await (const [name, handle] of dirHandle.entries())`** or `values()`, recurse into subdirectories, and filter by extension/MIME.
- Read file contents with **`handle.getFile()`** and `text()`, `arrayBuffer()`, or `stream()`, then exfiltrate through `fetch`, XHR, or `sendBeacon`.
- Overwrite files with **`createWritable()`** after a `queryPermission()` / `requestPermission({mode: 'readwrite'})` flow. This is the primitive that enables **browser-native ransomware** or destructive tampering.
- Check **IndexedDB** for serialized `FileSystemFileHandle` / `FileSystemDirectoryHandle` objects because legitimate apps often persist handles and later reuse them after `queryPermission()` / `requestPermission()` checks.
- Review the UX around picker prompts: fake **AI upscalers**, editors, and media tools can plausibly ask for an input file first and an **output folder** second, making the write warning look legitimate.

Important boundaries:

- This is **not arbitrary disk access**. Chromium blocks or constrains many sensitive locations, but user-chosen media folders can still be high-value targets. In recent public research, **Pictures**, **Videos**, and Android **`DCIM`** roots were practical lure targets.
- A normal web page still cannot become native malware: global keylogging, arbitrary desktop screenshots, and OS persistence remain outside the browser sandbox unless another vulnerability is present. The real primitive is **user-approved local file read/write**.
- Browser support is concentrated in **Chromium**. Chrome shipped the API on desktop in **Chrome 86** and extended it to **Android/WebView in Chrome 132**; Firefox and Safari do not expose the same picker methods.

### **Search functionalities**

If the functionality may be used to search some kind of data inside the backend, maybe you can (ab)use it to search arbitrary data.
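Review bot: the new "File System Access API" subsection is placed as a `####` heading under the reflection/SPA material and immediately before `### **Search functionalities**`, yet its topic (user-approved local file read/write via picker APIs) has nothing to do with reflection bugs; suggest promoting it to its own `###` entry parallel to "Search functionalities" so the methodology table of contents surfaces it. Wording: "to trusted pages" in the opening paragraph is misleading, because the same sentence already states the real gating conditions (secure context plus user gesture), so drop "trusted" and let it read "expose ... to pages in a secure context after a user gesture". Documentation: the "Important boundaries" bullet refers to "recent public research" without naming it; link the Check Point and RøB write-ups inline at that sentence rather than only in the reference list, and anchor the "Chrome 86" / "Chrome 132" claims to the release-notes link for the same reason.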
Expand Down Expand Up @@ -259,6 +277,11 @@ Modern applications extend into browsers, wallets, and automation pipelines—ke
- [When WebSockets Lead to RCE in CurseForge](https://elliott.diy/blog/curseforge/)
- [Hijacking service workers via DOM Clobbering](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering)
- [Security advisory: Passkey Dialog Clickjacking Issue](https://support.dashlane.com/hc/en-us/articles/28598967624722-Security-advisory-Passkey-Dialog-Clickjacking-Issue)
- [Browser-Only Ransomware: From LLM Hallucinations to a Practical Attack Technique](https://research.checkpoint.com/2026/browser-only-ransomware-from-llm-hallucinations-to-a-practical-attack-technique/)
- [File System Access specification](https://wicg.github.io/file-system-access/)
- [The File System Access API: simplifying access to local files](https://developer.chrome.com/docs/capabilities/web-apis/file-system-access)
- [Chrome 132 release notes](https://developer.chrome.com/release-notes/132)
- [RøB: Ransomware over Modern Web Browsers](https://www.usenix.org/conference/usenixsecurity23/presentation/oz)

{{#include ../banners/hacktricks-training.md}}
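Review bot: the five new reference entries mix a primary research write-up and an academic paper with two vendor documentation pages and the spec; the rest of this list holds vulnerability write-ups, so consider keeping only the Check Point and USENIX entries here and moving the spec, the Chrome API guide and the Chrome 132 release notes into the subsection body where the version and API claims are made. Minor style point: the existing entries title-case their links consistently while "File System Access specification" and "Chrome 132 release notes" do not; match the surrounding capitalisation.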