Electron Security Threat Modeling, Vulnerability Research and Exploitation

2 DAY U_SHORT 16 CPE HOUR TRAINING: AUGUST 2021 * WEEK 2: AUG 9-13

Luca Carettoni

Overview

With the increasing popularity of the ElectronJs Framework, Doyensec has developed a unique workshop to teach students how to perform hands-on threat modeling and vulnerability research against modern desktop applications.

Doyensec was the first security company to publish a comprehensive security overview of the Electron framework during BlackHat USA 2017. Since then, we have reported dozens of vulnerabilities in the framework itself and popular Electron-based applications. This training is the result of several years of applied security research and will provide a condensed lesson in Electron security to all attendees.

The class is hands-on with many live examples and labs, enabling participants to not only understand how Electron applications work, but also how to find and exploit vulnerabilities in a matter of hours. Attendees will get a clear picture of Electron’s security model and risk exposure. We will review the ecosystem, attack surface, unexpected navigation attacks, isolation, sandboxing, and many other interesting topics. Doyensec tutors will also demonstrate real-life vulnerabilities which have affected popular software. The class will be highly interactive to answer all questions attendees might have and potentially review attendees’ code.

Key Learning Objectives

  • Understand the anatomy and lifecycle of Electron-based applications
  • Examine the attack surface and standard threat model of Electron-based applications
  • Identify the most common design flaws which lead to vulnerabilities
  • Explore implementation misconfigurations and security anti-patterns
  • Hands-on exploitation of bugs in the framework and custom code
  • Learn Electron security best practices and hardening

Agenda

Session 1: Electron Overview, Internals and Security Model

  • Electron Overview
  • Electron Internals
    • Codebase, building Electron
    • Anatomy of Electron-based Desktop applications
    • Security settings (nodeIntegration, sandbox, contextIsolation)
    • InternalIPC (IpcMain, ipcRenderer)
    • Packaging (executables, asar file format)
    • Testing tools
    • Governance and versioning
  • Security Model
    • Browser vs Electron
    • Full chain exploit steps
    • Attack surface

Session 2: Attacking the Application Iceberg

  • Vulnerable foundation
    • Subverting the framework (Part I)
      • Taking control of the DOM
        • External navigation
          • Loading remote resources
          • MITM and certificate pinning
        • Protocol handlers
        • Cross-Site Scripting (XSS)
        • Drag&Drop attacks
        • Middle-click attacks
      • Bypassing isolation
        • History of nodeIntegration bypasses
        • Framework “Glorified” APIs
        • Deviations from browser standards
          • SameOriginPolicy enforcement
          • Security and privacynotifications
          • Local handlers (e.g. file://)

Session 3: Attacking the Application Iceberg

  • Subverting the Framework (Part II)
    • Prototype pollution against ElectronJS
    • Exploits for contextIsolation
    • Software updates
  • Vulnerable dependencies

Session 4: Attacking Custom Code

  • Insecure webPreferences settings
    • nodeIntegration, nodeIntegrationInWorker and nodeIntegrationInSubFrames
    • Missing sandbox or nativeWindowOpen
    • Missing contextIsolation
    • Disabling webSecurity
    • Allowing webViewTag
  • Insecure preload scripts
    • Functionalities that can be abused
      • Native APIs (e.g. openPath)
      • Custom functions
    • Sandbox bypass
    • Prototype pollution attacks against preload
  • Dangerous custom protocol handlers
    • Exposed functionalities

Session 5: Electronegativity and Security Automation

  • Electronegativity
    • Origins, Design and Internals
    • Installation and usage
    • Developing a new atomic check
    • Developing a new global check
  • Electronegativity on CI
    • Programmatically
    • Github Action
  • Simulation of a real-world AppSec review using Electronegativity
    • Automated vulnerability discovery
    • Findings review and code annotations
  • Q&A
  • Conclusion

Who should take this course?

  • Security engineers, auditors, researchers, pentesters, and those in similar roles
  • JavaScript and Node.js developers

We will provide details on how to both find and fix security vulnerabilities, which makes this class suitable for both blue and red teams.

If you enjoy the write-ups in https://github.com/doyensec/awesome-electronjs-hacking, you’re likely going to love our class!

We expect all students to have:

  • Basic JavaScript development experience
  • Basic understanding of web application security (e.g. XSS, ClickJacking, ...)

Requirements

  • A laptop and the possibility to install software. We will provide all necessary tools
  • A decent Internet connection is also required in order to access exercises and material

What attendees will be provided with

Attendees will receive all necessary material, including:

  • Workshop slides (over 250 pages)
  • Code and artifacts of all exercises
  • Our custom DamnVulnerableElectronApp
  • Most recent release of Electronegativity (Private Beta)