»Only an Electron Away from Code Execution«
2018-10-18, 13:30–14:15, Europe
This talk will discuss the Electron framework, question its quirks and demo numerous vulnerable desktop applications with the easiest code execution you have ever seen. It will look behind the scenes at how Electron apps are built and at the mistakes developers end up making when they get too adventurous.
Over the decades, various security techniques to mitigate desktop-specific vulnerabilities have been developed, making it difficult to successfully exploit traditional desktop applications. With the rise of the Electron framework, it became possible to develop multi-platform desktop applications using commonly known web technologies. Developed by the GitHub team, Electron has already become amazingly popular (used by Skype, Slack, Wire, WordPress and so many other big names), bringing adventurous web app developers to explore the desktop environment. The same developers who make XSS the most common web vulnerability are now bringing the same mistakes to a whole new environment.
While XSS in web applications is bounded by the browser, the same does not apply to Electron applications. Making the same kind of mistakes in an Electron application widens the attack surface of desktop applications, where XSS can end up being so much more dangerous.
So in this talk, I will discuss the Electron framework and the related security issues, its wonderful “features” that earned me a bunch of CVEs, possible attack vectors, and the developers who are in the dark about these issues.
AND as Electron apps do not like to play in the sandbox, this talk will demo Electron applications found to be vulnerable, gaining code execution from XSS.
Rough presentation outline
- Introduction - (Overview of the Electron framework, Electron-specific APIs, created processes …)
- Dive into “features” - BrowserWindow object’s webPreferences options
- Node integration in Electron applications
- Demo of XSS to code execution vulnerabilities in Electron applications
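As an added illustration of the webPreferences options the outline refers to (example code, not from the talk or from any Electron project), the following audit function flags the BrowserWindow settings that let an XSS in the renderer reach Node, using real Electron option names; the two sample configurations are constructed, and the preload path is a placeholder.

```javascript
// Added example: audit a BrowserWindow webPreferences object for settings
// that turn a renderer XSS into Node access. Option names are real Electron
// webPreferences keys; the sample configs below are constructed.

const RISKY = [
  ['nodeIntegration', true, 'renderer can require() Node modules; XSS becomes code execution'],
  ['contextIsolation', false, 'page scripts share the JS context of the preload script'],
  ['sandbox', false, 'renderer process is not OS-sandboxed'],
  ['webSecurity', false, 'same-origin policy disabled in the renderer'],
  ['allowRunningInsecureContent', true, 'HTTPS pages may load HTTP scripts'],
  ['enableRemoteModule', true, 'remote module exposes main-process objects to the renderer'],
];

// Defaults changed across Electron versions (nodeIntegration was on by default
// before Electron 5), so with assumeOldDefaults an unset nodeIntegration key is
// reported as an implicit finding instead of being treated as safe.
function auditWebPreferences(prefs, { assumeOldDefaults = false } = {}) {
  const findings = [];
  for (const [key, badValue, why] of RISKY) {
    const value = prefs[key];
    if (value === badValue) {
      findings.push({ key, value, why, explicit: true });
    } else if (value === undefined && assumeOldDefaults && key === 'nodeIntegration') {
      findings.push({ key, value: badValue, why, explicit: false });
    }
  }
  return findings;
}

// Constructed: the "adventurous" configuration the talk warns about.
const weakPrefs = { nodeIntegration: true, contextIsolation: false, webSecurity: false };

// Constructed: hardened counterpart. Privileged operations are exposed to the
// page only through an explicit preload script, never via Node integration.
const hardenedPrefs = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  preload: '/PLACEHOLDER/path/to/preload.js',
};

console.log(auditWebPreferences(weakPrefs).map(f => f.key)); // [ 'nodeIntegration', 'contextIsolation', 'webSecurity' ]
console.log(auditWebPreferences(hardenedPrefs));             // []
```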