danieloz147/Browser-Based-Ransomware

CloudGuard Security

  ██████╗██╗      ██████╗ ██╗   ██╗██████╗  ██████╗ ██╗   ██╗ █████╗ ██████╗ ██████╗
 ██╔════╝██║     ██╔═══██╗██║   ██║██╔══██╗██╔════╝ ██║   ██║██╔══██╗██╔══██╗██╔══██╗
 ██║     ██║     ██║   ██║██║   ██║██║  ██║██║  ███╗██║   ██║███████║██████╔╝██║  ██║
 ██║     ██║     ██║   ██║██║   ██║██║  ██║██║   ██║██║   ██║██╔══██║██╔══██╗██║  ██║
 ╚██████╗███████╗╚██████╔╝╚██████╔╝██████╔╝╚██████╔╝╚██████╔╝██║  ██║██║  ██║██████╔╝
  ╚═════╝╚══════╝ ╚═════╝  ╚═════╝ ╚═════╝  ╚═════╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═════╝

Browser-based file system abuse via the File System Access API. Red-team demonstration. Chromium only. No software installation, no exploits, pure permission social engineering.


Screenshots

Landing page


Attack Flow

┌─────────────────────────────────────────────────────────────┐
│                         TARGET                              │
│                                                             │
│  visits lure page  ->  clicks "Start Deep Scan"             │
│       |                                                     │
│       v                                                     │
│  browser asks: "Allow access to Documents?"                 │
│       |                                                     │
│       v                                                     │
│  [ALLOW]  ->  scanner animation  ->  files processed        │
│                                       |                     │
│                                       v                     │
│                               alert screen shown            │
│                               72h countdown + Case ID       │
└─────────────────────────────────────────────────────────────┘
                                       |
                         POST /api/session (AES key)
                                       |
┌─────────────────────────────────────────────────────────────┐
│                        OPERATOR                             │
│                                                             │
│  GET /api/admin  ->  session log + master key               │
│  opens /decrypt  ->  enters token  ->  selects folder       │
│                                        |                    │
│                                        v                    │
│                               files restored                │
└─────────────────────────────────────────────────────────────┘

Key design: AES-256 key lives server-side only. Target cannot self-recover.


Modes

| Mode | Behavior | Use Case |
|---|---|---|
| lock (default) | AES-256-GCM encrypt files in place, show alert screen | File encryption demo |
| drop | Fake scan (always clean), silently write file to folder | Payload delivery demo |

Quick Start

npm install

# Lock mode
PORT=7654 ADMIN_TOKEN=StrongSecret node server.js

# Drop mode
PORT=7654 MODE=drop \
  PAYLOAD_FILE=/path/to/update.exe \
  PAYLOAD_FILENAME=WindowsUpdate.exe \
  ADMIN_TOKEN=StrongSecret \
  node server.js

Expose via Cloudflare Tunnel (required for HTTPS on remote targets):

cloudflared tunnel --url http://localhost:7654 --no-autoupdate

Configuration

| Variable | Default | Description |
|---|---|---|
| PORT | 3000 | HTTP port |
| ADMIN_TOKEN | 123123 | Recovery console password |
| MODE | lock | lock or drop |
| PAYLOAD_FILE | - | Binary to drop (EXE, DLL...) |
| PAYLOAD_FILENAME | WindowsUpdate.bat | Filename written to disk |
| PAYLOAD_CONTENT | BAT stub | Inline text fallback |

API

| Method | Path | Auth | Description |
|---|---|---|---|
| GET | / | - | Lure page |
| GET | /decrypt | - | Recovery console |
| GET | /api/config | - | Active mode + payload config |
| POST | /api/session | - | Register session, return AES key |
| GET | /api/admin | X-Admin-Token header | Master key + session log |

File Structure

browser-ransomware-poc/
|-- server.js          Express server (key mgmt, session registry)
|-- public/
|   |-- index.html     Lure page (target-facing)
|   `-- decrypt.html   Recovery console (operator-facing)
|-- master.key         AES-256 master key (auto-generated, gitignored)
|-- sessions.json      Session log (gitignored)
`-- package.json

Requirements

  • Node.js 18+
  • Chrome / Edge / Opera (Firefox and Safari block showDirectoryPicker)
  • cloudflared for HTTPS tunnel (optional but recommended)

Security Notes

| Finding | Severity | Status |
|---|---|---|
| Admin token exposed in URL | High | Fixed: header-only (X-Admin-Token) |
| No input validation on /api/session | Medium | Fixed: bounds + sanitize |
| Missing security headers | Medium | Fixed |
| Timing-unsafe token comparison | Low | Fixed: timingSafeEqual |
| Weak default token | Low | Warned at startup |
| Key file permissions | Low | Fixed: chmod 600 |

Limitations

  • Chromium only (showDirectoryPicker not in Firefox / Safari)
  • Single master key per deployment
  • HTTPS required for showDirectoryPicker on non-localhost origins
  • No rate limiting or DoS protection

Credits

  • Check Point Research (2026) - Original research on browser-based file system abuse via the File System Access API
  • Web Crypto API / File System Access API - W3C / WHATWG specifications
  • GSAP - GreenSock Animation Platform
  • Plus Jakarta Sans / IBM Plex Mono - Google Fonts

Disclaimer

Authorized red-team and educational use only.

About

Proof-of-concept demonstrating browser-native file encryption via the File System Access API. No software installation required - runs entirely within the browser sandbox. Built for authorized red-team assessments.
