Objective: Compromise reveal.js Presentation (Access, Manipulate, or Hijack)
Goal: Compromise reveal.js Presentation (Access, Manipulate, or Hijack) ├── 1. Unauthorized Access to Sensitive Information │ ├── 1.1. Exploit Speaker Notes Vulnerability │ │ └── 1.1.3. Access Speaker Notes via Browser Developer Tools (if improperly secured) [CRITICAL] │ ├── 1.3. Exploit External Content Loading (if used) [HIGH RISK] │ │ ├── 1.3.1. Load Malicious External Markdown (if improperly sanitized) [CRITICAL] │ │ ├── 1.3.2. Load Malicious External HTML (if improperly sanitized) [CRITICAL] │ │ └── 1.3.3. Load Malicious External JavaScript (if improperly sanitized) [CRITICAL] │ └── 1.4. Exploit Plugin Vulnerabilities (if used) [HIGH RISK] │ ├── 1.4.1. Vulnerable Third-Party Plugin (known CVE or 0-day) [CRITICAL] ├── 2. Manipulate Presentation Content or Behavior [HIGH RISK] │ ├── 2.1. Inject Malicious JavaScript (XSS) [HIGH RISK] │ │ ├── 2.1.1. Via Unsanitized Markdown Input (if enabled) [CRITICAL] │ │ ├── 2.1.2. Via Unsanitized HTML Fragments (if enabled) [CRITICAL] │ │ ├── 2.1.3. Via URL Parameters (if improperly handled) [CRITICAL] │ │ └── 2.1.5. Via Plugin Vulnerability (if plugin allows arbitrary JS execution) [CRITICAL] ├── 3. Hijack Presenter's or Viewer's Session [HIGH RISK] ├── 3.2. XSS Leading to Session Hijacking (see 2.1 for XSS vectors) [HIGH RISK] │ └── 3.2.1. Steal Cookies or Tokens via Injected JavaScript [CRITICAL]
Attack Tree Path: 1. Unauthorized Access to Sensitive Information
-
1.1.3. Access Speaker Notes via Browser Developer Tools (if improperly secured) [CRITICAL]
- Description: If speaker notes are rendered in the DOM or accessible through JavaScript variables without proper protection, an attacker can simply open the browser's developer tools (e.g., Inspect Element) and view the notes directly.
- Likelihood: High
- Impact: Medium (depends on the sensitivity of the information in the notes)
- Effort: Low
- Skill Level: Low
- Detection Difficulty: High (requires user behavior monitoring, which is often impractical)
- Mitigation:
- Server-side rendering of speaker notes, ensuring they are never included in the client-side HTML.
- If client-side storage is absolutely necessary, use a secure storage mechanism (e.g., a well-protected JavaScript object that is not directly exposed in the DOM or global scope) and encrypt the data.
- Strong authentication for accessing the speaker view.
-
1.3. Exploit External Content Loading (if used) [HIGH RISK]
-
Description: reveal.js allows loading content from external files (Markdown, HTML, JavaScript). If the application doesn't properly sanitize this content, an attacker can provide malicious files that inject harmful code.
-
Mitigation (Applies to 1.3.1, 1.3.2, and 1.3.3):
- Strict Input Sanitization: Use a robust, well-maintained HTML sanitizer library (like DOMPurify) to remove any potentially dangerous tags, attributes, or JavaScript code from the loaded content. Never rely on simple string replacements or regular expressions for sanitization.
- Content Security Policy (CSP): Implement a strict CSP to control which sources the browser is allowed to load content from. This prevents loading malicious scripts from untrusted domains. Specifically, use directives like
script-src,style-src,img-src, andconnect-srcto restrict resource loading. - Content Type Validation: Verify that the loaded content matches the expected content type (e.g., ensure a file loaded as Markdown is actually Markdown and not HTML or JavaScript).
- Avoid External JavaScript: Minimize the use of external JavaScript files. If they are necessary, ensure they are loaded from trusted sources and their integrity is verified (e.g., using Subresource Integrity (SRI) attributes).
-
1.3.1. Load Malicious External Markdown (if improperly sanitized) [CRITICAL]
- Likelihood: Medium
- Impact: High (potential for XSS)
- Effort: Medium
- Skill Level: Medium
- Detection Difficulty: Medium
-
1.3.2. Load Malicious External HTML (if improperly sanitized) [CRITICAL]
- Likelihood: Medium
- Impact: High (potential for XSS)
- Effort: Medium
- Skill Level: Medium
- Detection Difficulty: Medium
-
1.3.3. Load Malicious External JavaScript (if improperly sanitized) [CRITICAL]
- Likelihood: Medium
- Impact: High (potential for XSS and complete control)
- Effort: Medium
- Skill Level: Medium
- Detection Difficulty: Medium
-
-
1.4. Exploit Plugin Vulnerabilities (if used) [HIGH RISK]
-
Description: reveal.js plugins can extend functionality but also introduce security risks if they are vulnerable or misconfigured.
-
Mitigation (Applies to 1.4.1):
- Plugin Vetting: Thoroughly research any third-party plugins before using them. Check for known vulnerabilities (CVEs), review the plugin's source code (if available), and assess the reputation of the plugin developer.
- Keep Plugins Updated: Regularly check for updates to all plugins and apply them promptly. Vulnerabilities are often discovered and patched in newer versions.
- Minimal Plugin Usage: Only use plugins that are absolutely necessary. The fewer plugins you use, the smaller the attack surface.
- Secure Configuration: Follow the plugin's documentation carefully and configure it securely. Avoid using default settings if they are known to be insecure.
- Sandboxing (if possible): If the plugin architecture allows it, consider sandboxing the plugin's execution environment to limit its access to the rest of the application.
-
1.4.1. Vulnerable Third-Party Plugin (known CVE or 0-day) [CRITICAL]
- Likelihood: Medium (depends on the specific plugin and whether vulnerabilities exist)
- Impact: High (depends on the plugin's capabilities; could range from XSS to complete system compromise)
- Effort: Low (if a known CVE exists and an exploit is publicly available) / High (if it's a 0-day vulnerability)
- Skill Level: Low (if a known CVE exists) / High (if it's a 0-day)
- Detection Difficulty: Medium (requires vulnerability scanning and monitoring for known CVEs)
-
Attack Tree Path: 2. Manipulate Presentation Content or Behavior [HIGH RISK]
- 2.1. Inject Malicious JavaScript (XSS) [HIGH RISK]
-
Description: Cross-Site Scripting (XSS) is a vulnerability that allows an attacker to inject malicious JavaScript code into the presentation. This code can then be executed in the context of other users' browsers, allowing the attacker to steal data, modify the presentation, or hijack sessions.
-
Mitigation (Applies to 2.1.1, 2.1.2, 2.1.3, and 2.1.5):
- Input Sanitization: This is the primary defense against XSS. Use a robust HTML sanitizer (like DOMPurify) to remove any potentially dangerous tags, attributes, or JavaScript code from all user-provided input, including Markdown, HTML fragments, URL parameters, and data received via the postMessage API.
- Output Encoding: When displaying user-provided data, ensure it is properly encoded for the context in which it is being used. For example, use HTML entity encoding to prevent
<and>characters from being interpreted as HTML tags. - Content Security Policy (CSP): A strong CSP can significantly mitigate the impact of XSS vulnerabilities by preventing the execution of inline scripts and restricting the sources from which scripts can be loaded. Use the
script-srcdirective to control script execution. - X-XSS-Protection Header: While not a primary defense, the
X-XSS-Protectionheader can provide some additional protection against reflected XSS attacks in older browsers.
-
2.1.1. Via Unsanitized Markdown Input (if enabled) [CRITICAL]
- Likelihood: Medium
- Impact: High
- Effort: Medium
- Skill Level: Medium
- Detection Difficulty: Medium
-
2.1.2. Via Unsanitized HTML Fragments (if enabled) [CRITICAL]
- Likelihood: Medium
- Impact: High
- Effort: Medium
- Skill Level: Medium
- Detection Difficulty: Medium
-
2.1.3. Via URL Parameters (if improperly handled) [CRITICAL]
- Likelihood: Medium
- Impact: High
- Effort: Low
- Skill Level: Medium
- Detection Difficulty: Medium
-
2.1.5. Via Plugin Vulnerability (if plugin allows arbitrary JS execution) [CRITICAL]
- Likelihood: Medium (depends on the plugin)
- Impact: High
- Effort: Low to High (depends on the plugin vulnerability)
- Skill Level: Low to High (depends on the plugin vulnerability)
- Detection Difficulty: Medium
-
Attack Tree Path: 3. Hijack Presenter's or Viewer's Session [HIGH RISK]
- 3.2. XSS Leading to Session Hijacking (see 2.1 for XSS vectors) [HIGH RISK]
-
Description: If an attacker can successfully inject JavaScript (XSS), they can use that access to steal session cookies or tokens, allowing them to impersonate the user.
-
Mitigation:
- All XSS mitigations (see 2.1). Preventing XSS is the primary way to prevent session hijacking via this method.
- HttpOnly Cookies: Set the
HttpOnlyflag on session cookies. This prevents JavaScript from accessing the cookie value, making it much harder for an attacker to steal the session cookie even if they achieve XSS. - Secure Cookies: Set the
Secureflag on session cookies. This ensures that the cookie is only transmitted over HTTPS, preventing it from being intercepted in transit. - Short Session Lifetimes: Use short session lifetimes and implement session expiration mechanisms. This limits the window of opportunity for an attacker to use a stolen session.
- Session Regeneration: Regenerate the session ID after a successful login. This prevents session fixation attacks.
- Two-Factor Authentication (2FA): If possible, implement 2FA to make it much harder for an attacker to gain access to an account even if they have stolen the session cookie.
-
3.2.1. Steal Cookies or Tokens via Injected JavaScript [CRITICAL]
- Likelihood: High (if XSS is possible)
- Impact: High (complete session takeover)
- Effort: Low (once XSS is achieved)
- Skill Level: Medium
- Detection Difficulty: Medium (requires monitoring for suspicious JavaScript activity and network traffic)
-