Update README.md

SirBroccoli 2025-09-29 23:21:15 +02:00 committed by GitHub
parent e94fb5c22d
commit 284211ccdd


@ -467,14 +467,6 @@ Related reading on postMessage trust issues:
../../../pentesting-web/postmessage-vulnerabilities/README.md
{{#endref}}
Hardening guidance
- Default to `contextIsolation: true` and `nodeIntegration: false` in all windows/webviews.
- Expose only minimal, audited APIs via `contextBridge.exposeInMainWorld()` in a preload; never expose raw Node to untrusted content.
- Webview CSP: remove `'unsafe-inline'`; prefer nonces/hashes; restrict `allowScripts`; avoid loading extension-controlled HTML in untrusted frames.
- Message validation: enforce strict origin allowlists and message schema; never toggle script execution from untrusted messages.
- Scheme/resource guards: canonicalize and strictly constrain custom scheme mappings (e.g., `vscode-file://`), enforce allowlists, and prevent traversal/LFI into app resources.
- IPC: audit all endpoints and sanitize renderer-controlled inputs.
## **Tools**
- [**Electronegativity**](https://github.com/doyensec/electronegativity) is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
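Review bot: the hunk header shows this region shrinking from 14 lines to 6, and the only multi-line block in view is the "Hardening guidance" list (contextIsolation/nodeIntegration defaults, contextBridge, webview CSP, message validation, scheme/resource guards, IPC audit), so that list appears to be what is dropped, leaving the postMessage ref to run straight into the Tools section with no mitigation guidance between them. If it is being removed because the same guidance lives elsewhere in the page, add a ref to that location in its place; otherwise keep it, and while here give it a heading in the same form as `## **Tools**` rather than a bare "Hardening guidance" line.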
@ -623,7 +615,6 @@ Detection and mitigations
- [VS Code RCE PoC (CVE-2021-43908) electrovolt](https://github.com/Sudistark/vscode-rce-electrovolt)
- [GitHub Advisory GHSA-2q4g-w47c-4674 (CVE-2020-15174)](https://github.com/advisories/GHSA-2q4g-w47c-4674)
- [MSRC: CVE-2021-43908](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43908)
- [Trail of Bits: Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more](https://blog.trailofbits.com/2025/09/03/subverting-code-integrity-checks-to-locally-backdoor-signal-1password-slack-and-more/)
- [Electron fuses](https://www.electronjs.org/docs/latest/tutorial/fuses)
- [Electron ASAR integrity](https://www.electronjs.org/docs/latest/tutorial/asar-integrity)
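Review bot: one reference entry is removed here (7 lines to 6) but the commit message "Update README.md" does not say which one or why; state the reason (dead link, duplicate, superseded) in the message, and confirm that the "Detection and mitigations" text above this list still cites only entries that remain, since CVE-2021-43908 is covered by two entries (the electrovolt PoC and the MSRC page) and CVE-2020-15174 only by the GHSA entry.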
@ -633,7 +624,6 @@ Detection and mitigations
- [Loki C2](https://github.com/boku7/Loki/)
- [Chromium: Disable loading of unsigned code (CIG)](https://chromium.googlesource.com/chromium/src/+/refs/heads/lkgr/docs/design/sandbox.md#disable-loading-of-unsigned-code-cig)
- [Chrome security FAQ: physically local attacks out of scope](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/faq.md#why-arent-physically_local-attacks-in-chromes-threat-model)
- [https://shabarkin.medium.com/unsafe-content-loading-electron-js-76296b6ac028](https://shabarkin.medium.com/unsafe-content-loading-electron-js-76296b6ac028)
- [https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d](https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d)
- [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=8](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=8)
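Review bot: as in the hunk above, one reference entry is dropped (7 lines to 6) with no rationale in the commit message; please add one. A style point on the surviving lines: the last three entries use the raw URL as their link text (shabarkin.medium.com, medium.com/@renwa, speakerdeck.com) while the earlier entries carry a descriptive title and source, so bring them into the same form, e.g. `- [Unsafe content loading in Electron JS (shabarkin)](https://shabarkin.medium.com/unsafe-content-loading-electron-js-76296b6ac028)`.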