Update README.md

SirBroccoli 2025-09-29 23:19:13 +02:00 committed by GitHub
parent 33ac8ac742
commit e94fb5c22d

@ -136,21 +136,6 @@ If the **nodeIntegration** is set to **on**, a web page's JavaScript can use Nod
<figure><img src="../../../images/image (1110).png" alt=""><figcaption></figcaption></figure>
### Real-world case: Notable (CVE-2020-15174)
- Root cause: Renderer ran with `webPreferences.nodeIntegration = true`, so any renderer XSS had direct access to Node APIs.
- Exploit: From the XSS primitive, spawn an OS process via child_process.
```js
// renderer (XSS) with nodeIntegration: true
require('child_process').exec('calc.exe'); // Windows
require('child_process').exec('/System/Applications/Calculator.app'); // macOS
```
- Observed behavior: The app spawned a shell (e.g., `cmd.exe`) and launched Calculator, confirming renderer-to-OS code execution.
- Mitigations: Set `nodeIntegration: false`, enable `contextIsolation: true`, and expose only audited capabilities via `contextBridge` in a preload.
- References: GHSA-2q4g-w47c-4674 / CVE-2020-15174.
## RCE: preload
The script indicated in this setting is l**oaded before other scripts in the renderer**, so it has **unlimited access to Node APIs**:
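Review bot: The commit message "Update README.md" gives no reason for a hunk whose header shrinks it from 21 lines to 6, and the lines at stake appear to be the "Real-world case: Notable (CVE-2020-15174)" block. That block carries the only mitigation guidance visible in this region (`nodeIntegration: false`, `contextIsolation: true`, and a `contextBridge` preload) along with the GHSA-2q4g-w47c-4674 reference. If the removal is intended, state the reason in the commit message and keep the mitigation bullet somewhere under the nodeIntegration section so the hardening advice is not lost with the case study. Separately, the context line under "## RCE: preload" has a misplaced bold marker, `l**oaded before other scripts`, which should read `**loaded before other scripts`; it would be worth fixing in the same change.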