Web2Own: Attacking Desktop Apps From Web Security's Perspective

Attacking desktop applications using web security tricks is a non-competitive 'blue ocean' and can be done reliably with less effort. The presentation focuses on design misconceptions and implementation mistakes in desktop applications, sharing representative lessons to help developers improve the security of their products.

• Desktop applications are increasingly using hybrid technologies, making them vulnerable to web security attacks
• Attack surfaces include open ports, URI schemes, and application features
• Bypassing the same origin policy can be done through port binding
• Real-world examples include chaining multiple vulnerabilities to achieve RCE in a specialized IDE, sensitive file leaking in famous editors, and privileged APIs abusing in many IM applications
• Popular libraries may have flaws that affect more applications than demonstrated in the talk
• Desktop application developers often lack web security knowledge, making them vulnerable to attacks

The speaker explains how they were able to pop up a calculator using web security knowledge, without needing to reverse engineer a binary. They emphasize that web security tricks can be used to reliably attack desktop applications, and that developers should be aware of design misconceptions and implementation mistakes that make their products vulnerable.

People are always talking about binary vulnerabilities when attacking desktop applications. Memory corruptions are always costly to find. Meanwhile, mitigations introduced by operating systems make them harder to be exploited. More and more applications are using hybrid technologies, so we can try web security tricks to pwn them reliably with less effort. Our presentation will summarize attack surfaces and methods to find security issues in desktop applications. In particular, we will explicate some real-world cases, such as chaining multiple vulnerabilities (information leaking, CSP bypass, opened debugging port) to achieve RCE in a specialized IDE, sensitive file leaking in famous editors, privileged APIs abusing in many IM applications and so on. During our research, we find some issues actually reside in popular libraries. These flaws may affect more applications than we will demonstrate in this talk. Web security knowledge is usually unfamiliar to desktop application developers. Attacking desktop apps using web security tricks is a non-competitive "blue ocean". Our presentation will focus on many design misconceptions and implementation mistakes in desktop applications. By sharing these representative lessons, we hope to help desktop application developers improve the security of their products.