Desktop App Testing (/test-desktop)¶
Test Windows, macOS, and Electron desktop applications for security vulnerabilities — static analysis, security mitigations, DLL/dylib hijacking, .NET deserialization, code signing, and update mechanism attacks.
Overview¶
| Property | Value |
|---|---|
| Skill | /test-desktop |
| Flag | --desktop <path> |
| Scope | Windows EXE/DLL/MSI, macOS APP/DMG/PKG, Electron ASAR, Linux ELF/DEB/AppImage |
| Standard | OWASP DASVS v1 (Desktop App Security Verification Standard) |
| Requires | --desktop <path> flag on /pentest |
| Roles | admin, pentester |
Supported File Formats¶
| Extension | Platform | Notes |
|---|---|---|
.exe |
Windows | PE32/PE32+ executables |
.dll |
Windows | Dynamic link libraries |
.msi |
Windows | Installer packages |
.sys |
Windows | Kernel drivers |
.app |
macOS | Application bundles (upload as .zip) |
.dmg |
macOS | Disk images |
.pkg |
macOS | Installer packages |
.dylib |
macOS | Dynamic libraries |
.asar |
Electron | Application archive |
.deb |
Linux | Debian packages |
.rpm |
Linux | Red Hat packages |
.AppImage |
Linux | Portable Linux applications |
.zip |
Any | Archives (e.g., zipped .app bundles) |
How to Upload Executables¶
Via Dashboard UI¶
- Open dashboard → Engagements → select engagement
- Go to Desktop Apps tab
- Click Upload Binary → choose your file
- Dashboard returns server path (e.g.,
/uploads/desktop/myapp.exe) - Run:
/test-desktop /uploads/desktop/myapp.exe https://api.target.com
Via CLI¶
# Upload file
curl -X POST http://localhost:8880/api/v1/desktop/upload \
-H "Authorization: Bearer $TOKEN" \
-F "file=@/path/to/myapp.exe"
# Returns: {"path": "...", "sha256": "...", "platform": "windows", "status": "uploaded"}
# Run skill with returned path
/test-desktop /uploads/desktop/myapp.exe https://api.target.com
macOS .app Bundles¶
.app is a directory, not a single file — zip it first:
zip -r myapp.app.zip MyApp.app/
curl -X POST http://localhost:8880/api/v1/desktop/upload \
-H "Authorization: Bearer $TOKEN" \
-F "file=@myapp.app.zip"
The skill auto-unzips and analyzes the bundle.
Invocation¶
# Full invocation
/test-desktop /path/to/app.exe https://api.target.com ./engagement --platform auto
# Platform auto-detection (from magic bytes)
/test-desktop app.exe
# Force platform
/test-desktop MyApp.app --platform macos
/test-desktop app.asar --platform electron
Testing Sections¶
A. Binary Identification¶
filecommand + magic bytes- ExifTool metadata (version, build date, developer info)
- Platform auto-detection (PE/Mach-O/ELF/ASAR)
B. Static Analysis¶
- Windows PE: header parsing, import/export table, section entropy (packer detection)
- macOS Mach-O: architecture slices (
lipo), linked libraries (otool -L), symbols (nm) - Electron ASAR: extraction, JavaScript source inspection, dangerous configuration grep
C. Security Mitigations¶
Windows:
| Mitigation | Detection | Impact if Missing |
|---|---|---|
| ASLR | DllCharacteristics & 0x0040 |
Deterministic addresses → ROP chains |
| DEP/NX | DllCharacteristics & 0x0100 |
Stack/heap code execution |
| CFG | DllCharacteristics & 0x4000 |
Indirect call hijacking |
| High-Entropy ASLR | DllCharacteristics & 0x0020 |
8-bit vs 16-bit entropy |
| SafeSEH | PE32 flag | SEH overwrite exploits |
macOS:
| Mitigation | Detection | Impact if Missing |
|---|---|---|
| PIE | MH_PIE flag in Mach-O header |
No ASLR protection |
| Stack canary | ___stack_chk_fail symbol |
Stack overflow exploits |
| Hardened runtime | codesign --entitlements |
DYLD injection, debugging |
D. Sensitive Data Extraction¶
- FLOSS-style string analysis: credentials, API keys, JWT secrets
- URL extraction: update servers, internal APIs, staging endpoints
- Internal IP ranges: 10.x, 172.16.x, 192.168.x
E. Dependency Analysis¶
- DLL/dylib dependency mapping
@rpath,@loader_path,@executable_pathinspection (macOS)- Update URL detection for MITM testing
F. Windows-Specific¶
DLL Hijacking - Imports loaded from non-System32 locations - PATH-earlier directory planting - DLL proxying technique
Unquoted Service Paths
- wmic service get name,pathname → spaces without quotes
- Binary planting for SYSTEM-level execution
.NET Analysis
- CLR header detection (pefile DATA_DIRECTORY[14])
- Decompilation recommendation (ILSpy/dnSpy/ilspycmd)
- Deserialization formatter detection
MSI Installer - 7-zip extraction - CustomAction DLL inspection - Pre/post-install script analysis
COM Object Hijacking - CLSID extraction from binary - HKCU vs HKLM registration check
G. macOS-Specific¶
Code Signing & Entitlements Dangerous entitlements detected automatically:
| Entitlement | Risk |
|---|---|
com.apple.security.get-task-allow |
Allows debugging by any process |
com.apple.private.tcc.allow |
Bypasses TCC privacy checks |
com.apple.security.cs.disable-library-validation |
Allows unsigned dylib injection |
com.apple.security.automation.apple-events |
AppleScript automation without prompt |
com.apple.security.cs.allow-jit |
JIT compilation (weakens ASLR) |
dylib Hijacking
- @rpath writable directory check
- Weak-linked library planting
- DYLD_INSERT_LIBRARIES injection test
Info.plist
- URL scheme extraction (CFBundleURLSchemes)
- NSAppleEventsUsageDescription / NSAppleScriptEnabled
- Privacy permission keys
Keychain
- kSecAttrAccessibleAlways misuse detection
- SecItemCopyMatching call inspection
- Keychain sharing group abuse
H. Electron-Specific¶
ASAR Extraction
Security Configuration Checks
// Dangerous patterns detected automatically:
nodeIntegration: true // XSS → full Node.js RCE
contextIsolation: false // Renderer accesses Node APIs
webSecurity: false // Cross-origin + file:// reads
enableRemoteModule: true // Deprecated, enables privilege escalation
allowRunningInsecureContent: true // HTTP in HTTPS app
IPC Security
- ipcMain.on handlers without origin validation
- contextBridge.exposeInMainWorld exposure surface
- ipcRenderer.send to privileged channels
Auto-Updater
- electron-updater HTTPS enforcement
- Feed URL extraction
- Signature validation check
I. Dynamic Analysis (Frida)¶
- Frida hook template generated per binary
- Windows:
CryptUnprotectData,RegOpenKeyExW,CreateFileW - macOS:
SecItemCopyMatching,SecTrustEvaluate(cert pinning bypass) - Launch:
frida -l frida-hook.js --no-pause -f app.exe
J. Privilege Escalation (Windows)¶
AlwaysInstallElevatedregistry check- Service binary weak permissions (
icacls) - Token API usage:
ImpersonateNamedPipeClient,DuplicateTokenEx
K. Update Mechanism¶
- HTTP vs HTTPS enforcement on update URLs
- Redirect status check (301/302)
- Code signing of update payload
- MITM test via system proxy
OWASP DASVS v1 Mapping¶
| DASVS ID | Category | Test Sections |
|---|---|---|
| DASVS-01 | Architecture | A (identification) |
| DASVS-02 | Storage | D (sensitive data) |
| DASVS-03 | Cryptography | D (keys), I (Frida crypto hooks) |
| DASVS-04 | Authentication | D (hardcoded creds), G (Keychain) |
| DASVS-05 | Network | K (update mechanism) |
| DASVS-06 | Updates | K (MITM, signing) |
| DASVS-07 | Dependency | E (DLL/dylib deps), F1 (DLL hijack), G2 (dylib hijack) |
| DASVS-08 | Code Protection | B (entropy), C (mitigations) |
| DASVS-09 | Privileges | J (privesc), F2 (unquoted paths) |
| DASVS-10 | IPC | H2 (Electron IPC), F5 (COM) |
Common Findings with CVSS 4.0¶
| Finding | Score | Severity |
|---|---|---|
| Electron nodeIntegration RCE | 9.3 | CRITICAL |
| .NET Deserialization | 9.3 | CRITICAL |
| DLL Hijacking | 8.5 | HIGH |
| dylib Hijacking | 8.5 | HIGH |
| Hardcoded Credentials | 8.7 | HIGH |
| AlwaysInstallElevated | 7.8 | HIGH |
| COM Object Hijacking | 7.8 | HIGH |
| Missing ASLR | 7.1 | HIGH |
| Missing DEP/NX | 7.1 | HIGH |
| Update MITM (no HTTPS) | 8.1 | HIGH |
| Dangerous Entitlement | 7.5 | HIGH |
| Unquoted Service Path | 6.8 | MEDIUM |
| Insecure Keychain Storage | 6.2 | MEDIUM |
| Missing CFG | 4.0 | MEDIUM |
| Missing Code Signing | 5.3 | MEDIUM |
| kSecAttrAccessibleAlways | 4.6 | MEDIUM |
API Reference¶
Upload Binary¶
POST /api/v1/desktop/upload
Authorization: Bearer <token>
Content-Type: multipart/form-data
Body: file=@/path/to/binary
Response:
{
"filename": "myapp.exe",
"path": "/uploads/desktop/myapp.exe",
"size": 10485760,
"sha256": "abc123...",
"platform": "windows",
"status": "uploaded"
}
Platform values: windows | macos | linux | electron | unknown
List Uploads¶
Delete Upload¶
Tools Used¶
| Tool | Purpose |
|---|---|
pefile |
Windows PE header parsing, import table, mitigations |
lief |
Cross-format: PE, ELF, Mach-O |
frida |
Dynamic instrumentation, API hooking |
radare2 |
Disassembly and binary analysis |
binwalk |
Embedded file/firmware extraction |
7-zip |
MSI and archive extraction |
exiftool |
File metadata |
strings |
String extraction |
otool |
macOS library/header inspection |
codesign |
macOS entitlement and signing check |
lipo |
macOS fat binary inspection |
nm |
Symbol table inspection |
asar |
Electron ASAR extraction/repacking |
objdump |
Cross-platform disassembly |
Safety Rules¶
- Non-destructive only — read file contents, never patch/modify production binaries
- No privilege escalation attempts on live production systems — document findings only
- Never execute suspicious binaries — static analysis and controlled Frida sessions only
- Frida sessions: attach to test environment only, never production
- Clean up any planted test DLLs/dylibs immediately after evidence collection