GitBook: [#3270] No subject

This commit is contained in:
CPol 2022-06-21 15:35:40 +00:00 committed by gitbook-bot
parent 056cca6ddf
commit d9291c43c6
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF


@ -16,6 +16,8 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
### Introduction
Electron is **based on Chromium**, but it is not a browser. Certain principles and security mechanisms implemented by modern browsers are not in place.\
You could see Electron like a local backend+frontend app where **NodeJS** is the **backend** and **chromium** is the **frontend**.
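Review bot: "You could see Electron like a local backend+frontend app" reads awkwardly; suggest "You can think of Electron as a local backend+frontend app where NodeJS is the backend and Chromium is the frontend." The trailing backslash on the preceding line is GitBook's hard line break and is fine to keep if the two sentences are meant to render on separate lines.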
@ -51,7 +53,7 @@ The desktop application might have access to the users device through Node AP
* **`nodeIntegration`** - is `off` by default. If on, allows to access node features from the renderer process.
* **`contextIsolation`** - is `on` by default. If on, main and renderer processes aren't isolated.
* **`preload`** - empty by default.
* **\`\`**[**`sandbox`**](https://docs.w3cub.com/electron/api/sandbox-option) - is off by default. It will restrict the actions NodeJS can perform.
* [**`sandbox`**](https://docs.w3cub.com/electron/api/sandbox-option) - is off by default. It will restrict the actions NodeJS can perform.
Example of configuration:
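Review bot: the second bullet's description of contextIsolation is inverted: it states the option is on by default and then "If on, main and renderer processes aren't isolated", which contradicts the option's name and purpose (with contextIsolation on, the preload script and Electron internals run in a JavaScript context separate from the page's own scripts; with it off, page code shares that context and can reach them). Suggest "If on, the preload script and Electron internals run in a separate JavaScript context from the web content; if off, they share one." Removing the stray \`\` in front of the sandbox link is correct. Minor: the first bullet's "allows to access node features" should be "allows access to Node features".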
@ -93,6 +95,14 @@ Example Payloads (Linux & MacOS):
<img src=x onerror="alert(require('child_process').execSync('uname -a').toString());">
```
### Capture traffic
Modify the start-main configuration and add the use of a proxy such as:
```javascript
"start-main": "electron ./dist/main/main.js --proxy-server=127.0.0.1:8080 --ignore-certificateerrors",
```
## RCE: XSS + nodeIntegration
If the **nodeIntegration** is set to **on**, a web page's JavaScript can use Node.js features easily just by calling the `require()`. For example, the way to execute the calc application on Windows is:
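Review bot: the switch on the added start-main line is misspelled: Chromium's flag is --ignore-certificate-errors (with a hyphen before "errors"), so as written the renderer would not accept the proxy's interception certificate and the capture would fail on HTTPS. The fence is tagged javascript but the content is a package.json "scripts" entry; tag it json. In the paragraph after the hunk, "just by calling the `require()`" should read "just by calling `require()`".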
@ -245,7 +255,8 @@ window.open("<http://subdomainagoogleq.com/index.html>")
## **Tools**
* [**Electronegativity**](https://github.com/doyensec/electronegativity) is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
* [**Electrolint**](https://github.com/ksdmitrieva/electrolint) \*\*\*\* is an open source VS Code plugin for Electron applications that uses Electronegativity.
* [**Electrolint**](https://github.com/ksdmitrieva/electrolint) is an open source VS Code plugin for Electron applications that uses Electronegativity.
* ****[**nodejsscan**](https://github.com/ajinabraham/nodejsscan) to check for vulnerable third party libraries
## Labs
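Review bot: the fix that drops the stray \*\*\*\* from the Electrolint bullet should also be applied to the nodejsscan bullet, which still begins with a stray ****. That bullet is also a sentence fragment; suggest "[nodejsscan](https://github.com/ajinabraham/nodejsscan) checks for vulnerable third-party libraries."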