by Carleton Stuberg

What’s the future of Browser Backdoor?

Browser Backdoor is my only project that garnered some attention and created encouraging feedback from readers. It had over 400 clones after posting the link to Reddit. GitHub only shows traffic over the past month so I have no idea how many total downloads it has. I received an issue request on GitHub entirely in Spanish, which made me pretty proud (sorry for not responding).

Browser Backdoor was never meant for actual deployment to manage devices. It was far too bloated. Looking back, it is still missing a lot of features. That’s why last year I decided to work on rewriting it with my current knowledge to see how I can improve it.

The new version will have a completely new name, as the server is completely new and serves a new, different purpose. The new client is still built on Electron, but it’s optimized much better to the point I don’t think it’s worth writing a client in C for now (I’d need to end up rewriting a lot of Electron features that I need anyway). The new client is pretty similar, minus my embarrassing programming mistakes from the first iteration such as wasting hundreds of megabytes of RAM loading a separate window for no reason.

```javascript
// Create a hidden browser window which loads the backdoor.
mainWindow = new BrowserWindow({
    width: 1,
    height: 1,
    show: false,
    closable: false,
    transparent: true,
    resizable: false,
    skipTaskbar: true
});

mainWindow.loadURL(`file://${__dirname}/index.html`);
```

The WebSocket JS could have just gone in the main thread! From main.js.
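For anyone reviewing an Electron app's main-process source, the option combination in the snippet above is a useful thing to flag. The following is an added example, not code from Browser Backdoor: a heuristic scanner whose rule set, threshold and function names are assumptions chosen for illustration.

```javascript
// Added example: heuristic review aid, not part of the original project.
// Options that, in combination, describe a window the user cannot see or close.
const STEALTH_RULES = {
  show: v => v === 'false',
  skipTaskbar: v => v === 'true',
  closable: v => v === 'false',
  transparent: v => v === 'true',
  width: v => Number(v) <= 1,
  height: v => Number(v) <= 1,
};

// Parse the flat `key: literal` pairs of an options object body.
function parseOptions(body) {
  const opts = {};
  const pair = /([A-Za-z_$][\w$]*)\s*:\s*(true|false|-?\d+)/g;
  let m;
  while ((m = pair.exec(body)) !== null) opts[m[1]] = m[2];
  return opts;
}

// Return one finding per `new BrowserWindow({...})` whose options hide it.
// Limitation: only flat option literals are matched, not nested objects.
function findStealthWindows(source, threshold = 3) {
  const findings = [];
  const ctor = /new\s+BrowserWindow\s*\(\s*\{([^{}]*)\}/g;
  let m;
  while ((m = ctor.exec(source)) !== null) {
    const opts = parseOptions(m[1]);
    const hits = Object.keys(STEALTH_RULES)
      .filter(k => k in opts && STEALTH_RULES[k](opts[k]));
    // show:false alone is common (deferred display), so require corroboration.
    if (opts.show === 'false' && hits.length >= threshold) {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ line, hits });
    }
  }
  return findings;
}

// Constructed sample: an ordinary window plus the snippet from this post.
const SAMPLE = `
const win = new BrowserWindow({ width: 800, height: 600, show: false });
mainWindow = new BrowserWindow({
    width: 1, height: 1, show: false, closable: false,
    transparent: true, resizable: false, skipTaskbar: true
});
`;

console.log(findStealthWindows(SAMPLE));
```

Only the second window in the sample is reported; the first sets `show: false` but nothing else that hides it.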

The best part about the new server is that (you guessed it), it’s written in NodeJS (wait a second… what?) Why would I rewrite it in NodeJS when Ruby works fine? Well, the main reason I picked Ruby for the initial version was because that’s what Metasploit used, and Metasploit was my inspiration for the program. I intended to rewrite the server in Python because I’ve always known more Python than Ruby, but I picked NodeJS for (I think) a very good reason. It also makes things easier as the client and server both now only use JavaScript.

The biggest new feature of the server is that it can be deployed directly to Heroku. No server is required. The new server has a web admin interface so it can just be left running 24/7 on Heroku, and you can log in and manage your clients whenever necessary. The clients connect to the server via WebSockets, and administrators connect to the same server using HTTP to manage the clients. The server still has access to the raw Electron framework with JavaScript, so direct system commands are available.

I haven’t had the time to finish the server yet, but when it’s finished I’ll edit this post.
