Add content from: Electron Research in Desktop apps [Part 1]

- Remove searchindex.js (auto-generated file)
HackTricks News Bot 2025-09-22 18:34:55 +00:00
parent 0bd7ff12b2
commit 33ac8ac742


@ -136,6 +136,21 @@ If the **nodeIntegration** is set to **on**, a web page's JavaScript can use Nod
<figure><img src="../../../images/image (1110).png" alt=""><figcaption></figcaption></figure>
### Real-world case: Notable (CVE-2020-15174)
- Root cause: Renderer ran with `webPreferences.nodeIntegration = true`, so any renderer XSS had direct access to Node APIs.
- Exploit: From the XSS primitive, spawn an OS process via child_process.
```js
// renderer (XSS) with nodeIntegration: true
require('child_process').exec('calc.exe'); // Windows
require('child_process').exec('/System/Applications/Calculator.app'); // macOS
```
- Observed behavior: The app spawned a shell (e.g., `cmd.exe`) and launched Calculator, confirming renderer-to-OS code execution.
- Mitigations: Set `nodeIntegration: false`, enable `contextIsolation: true`, and expose only audited capabilities via `contextBridge` in a preload.
- References: GHSA-2q4g-w47c-4674 / CVE-2020-15174.
## RCE: preload
The script indicated in this setting is l**oaded before other scripts in the renderer**, so it has **unlimited access to Node APIs**:
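Review bot: the "Observed behavior" bullet presents the spawned `cmd.exe` as if it were a separate finding, but `child_process.exec` always runs its command through a shell, so the sentence should say the shell is expected from `exec` and that the Calculator launch is the actual confirmation of renderer-to-OS execution. The mitigation bullet would also be stronger if it noted that anything exposed through `contextBridge` remains reachable from a renderer XSS, so the preload must validate its arguments instead of forwarding them to Node APIs. Minor, in the unchanged context line: "l**oaded before other scripts in the renderer**" has the bold marker inside the word; worth fixing in a follow-up.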
@ -443,6 +458,38 @@ pentesting-web/content-security-policy-csp-bypass/
{{#endref}}
## RCE: Webview CSP + postMessage trust + local file loading (VS Code 1.63)
This real-world chain affected Visual Studio Code 1.63 (CVE-2021-43908) and demonstrates how a single markdown-driven XSS in a webview can be escalated to full RCE when CSP, postMessage, and scheme handlers are misconfigured. Public PoC: https://github.com/Sudistark/vscode-rce-electrovolt
Attack chain overview
- First XSS via webview CSP: The generated CSP included `style-src 'self' 'unsafe-inline'`, allowing inline/style-based injection in a `vscode-webview://` context. The payload beaconed to `/stealID` to exfiltrate the target webviews extensionId.
- Constructing target webview URL: Using the leaked ID to build `vscode-webview://<extensionId>/.../<publicUrl>`.
- Second XSS via postMessage trust: The outer webview trusted `window.postMessage` without strict origin/type checks and loaded attacker HTML with `allowScripts: true`.
- Local file loading via scheme/path rewriting: The payload rewrote `file:///...` to `vscode-file://vscode-app/...` and swapped `exploit.md` for `RCE.html`, abusing weak path validation to load a privileged local resource.
- RCE in Node-enabled context: The loaded HTML executed with Node APIs available, yielding OS command execution.
Example RCE primitive in the final context
```js
// RCE.html (executed in a Node-enabled webview context)
require('child_process').exec('calc.exe'); // Windows
require('child_process').exec('/System/Applications/Calculator.app'); // macOS
```
Related reading on postMessage trust issues:
{{#ref}}
../../../pentesting-web/postmessage-vulnerabilities/README.md
{{#endref}}
Hardening guidance
- Default to `contextIsolation: true` and `nodeIntegration: false` in all windows/webviews.
- Expose only minimal, audited APIs via `contextBridge.exposeInMainWorld()` in a preload; never expose raw Node to untrusted content.
- Webview CSP: remove `'unsafe-inline'`; prefer nonces/hashes; restrict `allowScripts`; avoid loading extension-controlled HTML in untrusted frames.
- Message validation: enforce strict origin allowlists and message schema; never toggle script execution from untrusted messages.
- Scheme/resource guards: canonicalize and strictly constrain custom scheme mappings (e.g., `vscode-file://`), enforce allowlists, and prevent traversal/LFI into app resources.
- IPC: audit all endpoints and sanitize renderer-controlled inputs.
## **Tools**
- [**Electronegativity**](https://github.com/doyensec/electronegativity) is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
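Review bot: the first bullet under "Attack chain overview" is missing a step: it attributes the initial XSS to `style-src 'self' 'unsafe-inline'`, yet says the payload "beaconed to `/stealID`", which a style-only injection cannot do by itself; state which directive (or which missing `script-src`/`connect-src` restriction) actually allowed the beacon, so that the CSP bullet in "Hardening guidance" maps to a concrete directive to tighten. The `RCE.html` snippet is a verbatim copy of the Notable snippet added earlier in this same commit; a one-line reference to it would avoid the duplication. Typo: "target webviews extensionId" should read "target webview's extensionId".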
@ -587,6 +634,11 @@ Detection and mitigations
## **References**
- [SecureLayer7: Electron Research in Desktop apps (Part 1)](https://blog.securelayer7.net/electron-app-security-risks/)
- [VS Code RCE PoC (CVE-2021-43908) electrovolt](https://github.com/Sudistark/vscode-rce-electrovolt)
- [GitHub Advisory GHSA-2q4g-w47c-4674 (CVE-2020-15174)](https://github.com/advisories/GHSA-2q4g-w47c-4674)
- [MSRC: CVE-2021-43908](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43908)
- [Trail of Bits: Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more](https://blog.trailofbits.com/2025/09/03/subverting-code-integrity-checks-to-locally-backdoor-signal-1password-slack-and-more/)
- [Electron fuses](https://www.electronjs.org/docs/latest/tutorial/fuses)
- [Electron ASAR integrity](https://www.electronjs.org/docs/latest/tutorial/asar-integrity)
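Review bot: the Trail of Bits post and the two Electron docs entries (fuses, ASAR integrity) back the "Detection and mitigations" context, but the hardening bullets added in this commit (`contextIsolation`, `nodeIntegration`, `contextBridge.exposeInMainWorld()`) cite nothing; add the Electron security tutorial (https://www.electronjs.org/docs/latest/tutorial/security) next to them so those recommendations are traceable. The new entries use titled links, which is the style the rest of the list should follow.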
@ -607,5 +659,3 @@ Detection and mitigations
- [https://blog.doyensec.com/2021/02/16/electron-apis-misuse.html](https://blog.doyensec.com/2021/02/16/electron-apis-misuse.html)
{{#include ../../../banners/hacktricks-training.md}}
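Review bot: the header `@ -607,5 +659,3` says two lines were removed at the end of the file, but the rendered view shows only unchanged context, so the removal cannot be checked here; confirm in the raw diff which two lines were dropped and that neither is a reference still cited in the page. The Doyensec entry uses the bare URL as its link text while the references added above use titles; align it with the titled form.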