Overview
With the increasing popularity of the ElectronJs Framework, Doyensec has developed a unique workshop to teach students how to perform hands-on threat modeling and vulnerability research against modern desktop applications.
Doyensec was the first security company to publish a comprehensive security overview of the Electron framework during BlackHat USA 2017. Since then, we have reported dozens of vulnerabilities in the framework itself and popular Electron-based applications. This training is the result of several years of applied security research and will provide a condensed lesson in Electron security to all attendees.
The class is hands-on with many live examples and labs, enabling participants to not only understand how Electron applications work, but also how to find and exploit vulnerabilities in a matter of hours. Attendees will get a clear picture of Electron’s security model and risk exposure. We will review the ecosystem, attack surface, unexpected navigation attacks, isolation, sandboxing, and many other interesting topics. Doyensec tutors will also demonstrate real-life vulnerabilities which have affected popular software. The class will be highly interactive to answer all questions attendees might have and potentially review attendees’ code.
Key Learning Objectives
- Understand the anatomy and lifecycle of Electron-based applications
- Examine the attack surface and standard threat model of Electron-based applications
- Identify the most common design flaws which lead to vulnerabilities
- Explore implementation misconfigurations and security anti-patterns
- Hands-on exploitation of bugs in the framework and custom code
- Learn Electron security best practices and hardening
Agenda
Session 1: Electron Overview, Internals and Security Model
- Electron Overview
- Electron Internals
- Codebase, building Electron
- Anatomy of Electron-based Desktop applications
- Security settings (
nodeIntegration
,sandbox
,contextIsolation
) - InternalIPC (
IpcMain
,ipcRenderer
) - Packaging (executables,
asar
file format) - Testing tools
- Governance and versioning
- Security Model
- Browser vs Electron
- Full chain exploit steps
- Attack surface
Session 2: Attacking the Application Iceberg
- Vulnerable foundation
- Subverting the framework (Part I)
- Taking control of the DOM
- External navigation
- Loading remote resources
- MITM and certificate pinning
- Protocol handlers
- Cross-Site Scripting (XSS)
- Drag&Drop attacks
- Middle-click attacks
- External navigation
- Bypassing isolation
- History of
nodeIntegration
bypasses - Framework “Glorified” APIs
- Deviations from browser standards
- SameOriginPolicy enforcement
- Security and privacynotifications
- Local handlers (e.g. file://)
- History of
- Taking control of the DOM
- Subverting the framework (Part I)
Session 3: Attacking the Application Iceberg
- Subverting the Framework (Part II)
- Prototype pollution against ElectronJS
- Exploits for
contextIsolation
- Software updates
- Vulnerable dependencies
Session 4: Attacking Custom Code
- Insecure webPreferences settings
nodeIntegration
,nodeIntegrationInWorker
andnodeIntegrationInSubFrames
- Missing
sandbox
ornativeWindowOpen
- Missing
contextIsolation
- Disabling
webSecurity
- Allowing
webViewTag
- Insecure
preload
scripts- Functionalities that can be abused
- Native APIs (e.g.
openPath
) - Custom functions
- Native APIs (e.g.
- Sandbox bypass
- Prototype pollution attacks against preload
- Functionalities that can be abused
- Dangerous custom protocol handlers
- Exposed functionalities
Session 5: Electronegativity and Security Automation
- Electronegativity
- Origins, Design and Internals
- Installation and usage
- Developing a new
atomic
check - Developing a new
global
check
- Electronegativity on CI
- Programmatically
- Github Action
- Simulation of a real-world AppSec review using Electronegativity
- Automated vulnerability discovery
- Findings review and code annotations
- Q&A
- Conclusion
Who should take this course?
- Security engineers, auditors, researchers, pentesters, and those in similar roles
- JavaScript and Node.js developers
We will provide details on how to both find and fix security vulnerabilities, which makes this class suitable for both blue and red teams.
If you enjoy the write-ups in https://github.com/doyensec/awesome-electronjs-hacking, you’re likely going to love our class!
We expect all students to have:
- Basic JavaScript development experience
- Basic understanding of web application security (e.g. XSS, ClickJacking, ...)
Requirements
- A laptop and the possibility to install software. We will provide all necessary tools
- A decent Internet connection is also required in order to access exercises and material
What attendees will be provided with
Attendees will receive all necessary material, including:
- Workshop slides (over 250 pages)
- Code and artifacts of all exercises
- Our custom DamnVulnerableElectronApp
- Most recent release of Electronegativity (Private Beta)