diff --git a/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md b/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md index 13a9aec21..69c967da5 100644 --- a/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md +++ b/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md @@ -467,14 +467,6 @@ Related reading on postMessage trust issues: ../../../pentesting-web/postmessage-vulnerabilities/README.md {{#endref}} -Hardening guidance -- Default to `contextIsolation: true` and `nodeIntegration: false` in all windows/webviews. -- Expose only minimal, audited APIs via `contextBridge.exposeInMainWorld()` in a preload; never expose raw Node to untrusted content. -- Webview CSP: remove `'unsafe-inline'`; prefer nonces/hashes; restrict `allowScripts`; avoid loading extension-controlled HTML in untrusted frames. -- Message validation: enforce strict origin allowlists and message schema; never toggle script execution from untrusted messages. -- Scheme/resource guards: canonicalize and strictly constrain custom scheme mappings (e.g., `vscode-file://`), enforce allowlists, and prevent traversal/LFI into app resources. -- IPC: audit all endpoints and sanitize renderer-controlled inputs. - ## **Tools** - [**Electronegativity**](https://github.com/doyensec/electronegativity) is a tool to identify misconfigurations and security anti-patterns in Electron-based applications. @@ -623,7 +615,6 @@ Detection and mitigations - [VS Code RCE PoC (CVE-2021-43908) – electrovolt](https://github.com/Sudistark/vscode-rce-electrovolt) - [GitHub Advisory GHSA-2q4g-w47c-4674 (CVE-2020-15174)](https://github.com/advisories/GHSA-2q4g-w47c-4674) - [MSRC: CVE-2021-43908](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43908) - - [Trail of Bits: Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more](https://blog.trailofbits.com/2025/09/03/subverting-code-integrity-checks-to-locally-backdoor-signal-1password-slack-and-more/) - [Electron fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) - [Electron ASAR integrity](https://www.electronjs.org/docs/latest/tutorial/asar-integrity) @@ -633,7 +624,6 @@ Detection and mitigations - [Loki C2](https://github.com/boku7/Loki/) - [Chromium: Disable loading of unsigned code (CIG)](https://chromium.googlesource.com/chromium/src/+/refs/heads/lkgr/docs/design/sandbox.md#disable-loading-of-unsigned-code-cig) - [Chrome security FAQ: physically local attacks out of scope](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/faq.md#why-arent-physically_local-attacks-in-chromes-threat-model) - - [https://shabarkin.medium.com/unsafe-content-loading-electron-js-76296b6ac028](https://shabarkin.medium.com/unsafe-content-loading-electron-js-76296b6ac028) - [https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d](https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d) - [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=8](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=8)