diff --git a/README.md b/README.md
index cb405b3..ab3c8bc 100644
--- a/README.md
+++ b/README.md
@@ -1,32 +1,29 @@
# DVEA
+
### NOTE: This App Is Vulnerable, DO NOT RUN IN PRODUCTION ENVIRONMENT
+
Damn Vulnerable ElectronJS App (DVEA) is a purposely built vulnerable ElectronJS app for developers and security engineer.
It contains major vulnerabilities that are specific to ElectronJS environment.
The app demonstrates a vulnerable to do list, following vulnerabilties are currently added to the app:
+
1. Cross Site Scripting
2. XSS to RCE
3. Deep Links to XSS
4. Deep Links to RCE
-- - -
-
-## WARNING!
-
-Damn Vulnerable Electron Application is damn vulnerable! **Do not upload it to your hosting provider's public html folder or any Internet facing servers**, as they will be compromised. It is recommended using a virtual machine (such as [VirtualBox](https://www.virtualbox.org/) or [VMware](https://www.vmware.com/)), which is set to NAT networking mode.
-
-### Disclaimer
-
-I does not take responsibility for the way in which any one uses this application (DVEA). I have made the purposes of the application clear and it should not be used maliciously. I have given warnings and taken measures to prevent users from installing DVEA on to live servers. If your server is compromised via an installation of DVEA, it is not my responsibility, it is the responsibility of the person/s who uploaded and installed it.
+---
-- - -
### Download
+
Get your copy of DVEA from the github releases section here: https://github.com/njmulsqb/DVEA/releases/latest
The binaries are available for Linux, MacOS and Windows.
-- - -
+
+---
### Running from source
+
```
git clone https://github.com/njmulsqb/DVEA
cd DVEA
@@ -34,11 +31,29 @@ npm i
electron .
```
+
---
+
+### Walkthrough
+
+The walkthrough of this app can be seen at [walkthrough.md](./walkthrough.md)
+
+---
+
+## WARNING!
+
+Damn Vulnerable Electron Application is damn vulnerable! **Do not upload it to your hosting provider's public html folder or any Internet facing servers**, as they will be compromised. It is recommended using a virtual machine (such as [VirtualBox](https://www.virtualbox.org/) or [VMware](https://www.vmware.com/)), which is set to NAT networking mode.
+
+### Disclaimer
+
+I do not take responsibility for the way in which any one uses this application (DVEA). I have made the purposes of the application clear and it should not be used maliciously. I have given warnings and taken measures to prevent users from installing DVEA on to live servers. If your server is compromised via an installation of DVEA, it is not my responsibility, it is the responsibility of the person/s who uploaded and installed it.
+
### Contributing
+
DVEA is always open for PRs!
-
+
---
### Credits
+
The app is built on https://github.com/CodeDraken/electron-todo
diff --git a/walkthrough.md b/walkthrough.md
new file mode 100644
index 0000000..514d2a8
--- /dev/null
+++ b/walkthrough.md
@@ -0,0 +1,31 @@
+Here's the brief walkthrough of security vulnerabilities in DVEA:
+
+# Cross-site Scripting
+
+A simple XSS payload of `
` will do perform XSS on the application when put in the to-do item section
+
+# XSS to RCE
+
+To perform RCE via XSS, you need to import "shell" library and execute its `openPath` function using which you can execute commands on the system
+
+```
+Hover Me
+```
+
+# Deep-link to XSS
+
+The app is registered with a deep-link of `dvea://` which is used to add tasks to the app using deep link e.g. `dvea://task?add=Clean Your Room` which obviously can be fed with an XSS payload like `dvea://task?add=` when opened via browser.
+
+# Deep-link to RCE
+
+Now combining all the above attack vectors we can chain the deep link to achieve RCE using the same payload as in "XSS to RCE" when invoked via the deep link, the payload will look something like
+
+```
+dvea://task?add=Hover Me
+```