{"id":13728836,"url":"https://github.com/doyensec/awesome-electronjs-hacking","last_synced_at":"2025-02-27T07:19:43.512Z","repository":{"id":37376387,"uuid":"268486207","full_name":"doyensec/awesome-electronjs-hacking","owner":"doyensec","description":"A curated list of awesome resources about Electron.js (in)security","archived":false,"fork":false,"pushed_at":"2022-11-09T13:53:27.000Z","size":92,"stargazers_count":543,"open_issues_count":0,"forks_count":61,"subscribers_count":17,"default_branch":"master","last_synced_at":"2024-05-19T19:59:12.284Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/doyensec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-06-01T10:02:15.000Z","updated_at":"2024-05-17T06:33:47.000Z","dependencies_parsed_at":"2023-01-21T05:16:41.885Z","dependency_job_id":null,"html_url":"https://github.com/doyensec/awesome-electronjs-hacking","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/doyensec%2Fawesome-electronjs-hacking","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/doyensec%2Fawesome-electronjs-hacking/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/doyensec%2Fawesome-electronjs-hacking/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/doyensec%2Fawesome-electronjs-hacking/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/doyensec","download_url":"https://codeload.github.com/doyens
ec/awesome-electronjs-hacking/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240993350,"owners_count":19890416,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T02:00:51.123Z","updated_at":"2025-02-27T07:19:43.491Z","avatar_url":"https://github.com/doyensec.png","language":null,"funding_links":[],"categories":["Other Awesome Lists","📖 Related work","Others (1002)","Online Resources","Other Lists","Awesome","Useful Resources","Others","Pentesting","Related"],"sub_categories":["Other Security Awesome Lists","Visual programming","Other Lists Online","TeX Lists","Vite","Security Awesome Lists","Payloads","Using Electron"],"readme":"# Awesome Electron.js hacking \u0026 pentesting resources\n\nThis list aims to cover Electron.js security-related topics.\n\n\u003cp align=\"center\"\u003e\n    \u003cimg src=\"https://github.com/doyensec/electronegativity/raw/master/docs/resources/img/electron-logo.png\"\u003e\n\u003c/p\u003e\n\n**Feel free to contribute** by opening a PR if you think something is missing from this list!\n\n## Presentations\n\n- [\"Electronegativity - A Study of Electron Security\", Luca Carettoni, BlackHat USA 2017](https://www.blackhat.com/docs/us-17/thursday/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf) \u0026 [video](https://www.youtube.com/watch?v=oJWsBHlt0ZM)\n- [\"MarkDoom: How I Hacked Every Major IDE in 2 Weeks\", Matt Austin, APPSEC Cali 2018](https://docs.google.com/presentation/d/1wQM4fhjCJ9r3DQ-c98XJFkrd83odM94FaJPqstTR68c) \u0026 
[video](https://www.youtube.com/watch?v=a-YnG3Mx-Tg)\n- [\"Building a secure web browser in Electron\", Yan @bcrypt, Electron Meetup 2/2018](https://www.youtube.com/watch?v=Qirdy1TP1Rw)\n- [\"Electron: Abusing the lack of context isolation\", Masato Kinugawa, CureCon 2018](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en)\n- [\"Only An Electron Away From Code Execution\", Silvia Väli, Hack.lu 2018](https://www.youtube.com/watch?v=kvi6XX71VXM)\n- [\"Preloading Insecurity In Your Electron\", Luca Carettoni, BlackHat Asia 2019](https://doyensec.com/resources/Asia-19-Carettoni-Preloading-Insecurity-In-Your-Electron.pdf) \u0026 [video](https://www.youtube.com/watch?v=Hw6JShd8Jxw)\n- [\"app setAsDefaultRCE Client: Electron, scheme handlers and stealthy security patches\", Juho Nurminen, ZeroNights 2019](https://2019.zeronights.ru/wp-content/themes/zeronights-2019/public/materials/1_ZN2019_Juho_Nurminen.pdf) and [video](https://www.youtube.com/watch?v=A9qJHqWYl_4)\n- [\"Full Steam Ahead: Remotely Executing Code in Modern Desktop Application Architectures\", Thomas Shadwell, INFILTRATE 2019](https://vimeo.com/335206831)\n- [\"Democratizing Electron.js Security\", Luca Carettoni, Covalence 2020 SF](https://doyensec.com/resources/Covalence-2020-Carettoni-DemocratizingElectronSecurity.pdf) \u0026 [video](https://www.youtube.com/watch?v=N2GGWz-Pkeg)\n- [\"Remote Code Execution on Electron Applications\", PwnFunction](https://www.youtube.com/watch?v=jkJWA_CWrQs)\n- [\"Shifting left for Electron.js security\", Ksenia Peguero, Midwinter Night's Con 2020](https://www.youtube.com/watch?v=Fiqj37HiyAY)\n- [\"How to harden your Electron app\", Mitchell Cohen, NorthSec 2021](https://youtu.be/_P6qI4ahBVk?t=5111)\n- [\"Hacking ELECTRON: JavaScript Desktop Applications w/ 7aSecurity\", John Hammond](https://www.youtube.com/watch?v=P8QvSjL8F9w)\n- [\"ElectroVolt - Pwning Popular Desktop apps while uncovering new attack surface on Electron\", 
Mohan Sri Rama Krishna Max Garrett Aaditya Purani William Bowling, BlackHat USA 2022 and Nullcon Goa 2022](https://i.blackhat.com/USA-22/Thursday/US-22-Purani-ElectroVolt-Pwning-Popular-Desktop-Apps.pdf) \u0026 [video](https://www.youtube.com/watch?v=J0bZGugLoYk)\n\n## Open-Source \u0026 Commercial Tools\n\n- Electronegativity, a static code analysis tool to find vulnerabilities in Electron-based applications [code](https://github.com/doyensec/electronegativity) \u0026 [slides](https://doyensec.com/resources/Electronegativity_ArsenalBHUS2019.pdf)\n- [Devtron](https://www.electronjs.org/blog/electron-1-0#devtron), an Electron DevTools extension\n- [Fiddle](https://github.com/electron/fiddle), to quickly create and play with small Electron experiments across different Electron versions \n- [ElectroNG](https://get-electrong.com/) Premium SAST tool built after Electronegativity to help  automate  security reviews\n\n[![electrong-banner-small](https://user-images.githubusercontent.com/6027823/195326803-56a1181c-2ae4-4ba5-81ea-cd8148c81bea.png)](https://get-electrong.com/)\n\n## Papers\n\n- [\"Electron Security Checklist\", Luca Carettoni, 2017](https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf)\n- [\"Analysis of Electron-based Applications to Identify Xss Flaws Escalating to Code Execution in Open-source Applications\", Silvia Väli, 2017](https://digikogu.taltech.ee/en/Download/01ec8ff7-fff8-4a83-86a4-4048178a3ed5)\n- [\"Pentest-Report Ethereum Mist\", Cure53, 2017](https://cure53.de/pentest-report_mist.pdf)\n- [\"Pentest-Report Frame Electron App\", Cure53, 2018](https://cure53.de/pentest-report_frame.pdf)\n- [\"An Analysis of the State of Electron Security in the Wild\", Benjamin Altpeter, 2020](https://benjamin-altpeter.de/doc/thesis-electron.pdf)\n- [\"Electrolint and Security of Electron Applications\", Ksenia Peguero, 2021](https://www.sciencedirect.com/science/article/pii/S2667295221000040)\n\n## Vulnerabilities 
Write-Ups and Exploits\n\n- [\"Hacking Mattermost #2: Year of Node.js on the Desktop\", Andreas Lindh](http://haxx.ml/post/145508617751/hacking-mattermost-2-year-of-nodejs-on-the?is_related_post=1)\n- [\"Modern Alchemy: Turning XSS into RCE\", Doyensec Blog](https://blog.doyensec.com/2017/08/03/electron-framework-security.html)\n- [\"Subverting Electron Apps via Insecure Preload\", Doyensec Blog](https://blog.doyensec.com/2019/04/03/subverting-electron-apps-via-insecure-preload.html)\n- [\"CVE-2018-15685 - Electron WebPreferences Remote Code Execution Finding\", Matt Austin](https://www.contrastsecurity.com/security-influencers/cve-2018-15685), [PoC](https://github.com/matt-/CVE-2018-15685)\n- [\"Remote Code Execution in Rocket.Chat Desktop\", Matt Austin](https://hackerone.com/reports/276031)\n- [\"Rocket.Chat Cross-Site Scripting leading to Remote Code Execution CVE-2020-15926\", Pawel Wylecial](https://blog.redteam.pl/2020/08/rocket-chat-xss-rce-cve-2020-15926.html)\n- [\"Rocket.Chat Client-side Remote Code Execution\", SSD Advisory](https://ssd-disclosure.com/ssd-advisory-rocket-chat-client-side-remote-code-execution/)\n- [\"Remote Code Execution in Wordpress Desktop\", Matt Austin](https://hackerone.com/reports/301458)\n- [\"URL Spoof / Brave Shield Bypass\", Matt Austin](https://hackerone.com/reports/255991)\n- [\"\\[Simplenote for Windows\\] Client RCE via External JavaScript Inclusion leveraging Electron\", @ysx](https://hackerone.com/reports/291539)\n- [\"XSS in Steam react chat client\", @zemnmez](https://hackerone.com/reports/409850)\n- [\"Security bug in Google Hangouts Chat desktop application – how to make Open Redirect great again\", Michał Bentkowski](https://research.securitum.com/security-bug-in-google-hangouts-chat-desktop-application-how-to-make-open-redirect-great-again/)\n- [\"Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access\", Gal 
Weizman](https://www.perimeterx.com/tech-blog/2020/whatsapp-fs-read-vuln-disclosure/)\n- [\"signal-desktop HTML tag injection\"](https://web.archive.org/web/20200427095259/https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection/) and [\"signal-desktop HTML tag injection variant 2, Ivan A. Barrera Oro\"](https://web.archive.org/web/20190517134857/https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection-variant-2/)\n- [\"Signature Validation Bypass Leading to RCE In Electron-Updater\", Doyensec Blog](https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html)\n- [\"Electron Windows Protocol Handler MITM/RCE (bypass for CVE-2018-1000006 fix)\", Doyensec Blog](https://blog.doyensec.com/2018/05/24/electron-win-protocol-handler-bug-bypass.html)\n- [\"Top 5 Day Two: Electron Boogaloo - A case for technodiversity\",  Vincent Lee](https://www.thezdi.com/blog/2018/12/18/top-5-day-two-electron-boogaloo-a-case-for-technodiversity)\n- [\"Exploiting Electron RCE in Exodus wallet\", Tomas Lažauninkas](https://hackernoon.com/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374)\n- [\"Chaining Three Bugs to Get RCE in Microsoft AttackSurfaceAnalyzer\", Parsia Hakimian](https://parsiya.net/blog/2019-06-18-chaining-three-bugs-to-get-rce-in-microsoft-attacksurfaceanalyzer/)\n- [\"Open Sesame: Escalating Open Redirect to RCE with Electron Code Review\", Eugene Lim](https://spaceraccoon.dev/open-sesame-escalating-open-redirect-to-rce-with-electron-code-review)\n- [\"From Markdown to RCE in Atom\", Lukas Reschke](https://statuscode.ch/2017/11/from-markdown-to-rce-in-atom)\n- [\"Visual Studio Code silently fixed a remote code execution vulnerability\", CodeColorist](https://blog.chichou.me/2018/03/16/visual-studio-code-silently-fixed-a-remote-code-execution-vulnerability/)\n- [\"OVE-20210809-0001 Visual Studio Code .ipynb Jupyter Notebook XSS (Arbitrary File Read)\", Justin 
Steven](https://github.com/justinsteven/advisories/blob/master/2021_vscode_ipynb_xss_arbitrary_file_read.md)\n- [\"Visual Studio Code Jupyter Notebook RCE ( CVE-2021-26437)\", Doyensec Blog](https://blog.doyensec.com/2022/10/27/jupytervscode.html)\n- [\"Visual Studio Code - Remote Code Execution in Restricted Mode (CVE-2021-43908)\", TheGrandPew and s1r1us](https://blog.electrovolt.io/posts/vscode-rce/)\n- [\"Remote Code Execution in Slack desktop apps + bonus\", Oskars Vegeris](https://hackerone.com/reports/783877)\n- [\"Important, Spoofing - zero-click, wormable, cross-platform remote code execution in Microsoft Teams\", Oskars Vegeris](https://github.com/oskarsve/ms-teams-rce)\n- [\"Cross-site scripting (XSS) in Microsoft Teams\", Evan Grant](https://www.tenable.com/security/research/tra-2019-54)\n- [\"Dependency Confusion Vulnerability in Microsoft Teams\", Matt Austin](https://www.contrastsecurity.com/security-influencers/contrast-labs-reveals-dependency-confusion-vulnerability-in-microsoft-teams)\n- [\"RCE in Jitsi Meet Electron prior to 2.3.0 due to insecure use of shell.openExternal() (CVE-2020-25019)\", Benjamin Altpeter](https://benjamin-altpeter.de/jitsi-meet-electron-rce-shell-openexternal/)\n- [\"Insecure use of shell.openExternal() in Wire Desktop\", Benjamin Altpeter](https://github.com/wireapp/wire-desktop/security/advisories/GHSA-5gpx-9976-ggpm)\n- [\"Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162)\", Robert Wessen](https://research.nccgroup.com/2020/10/23/technical-advisory-jitsi-meet-electron-arbitrary-client-remote-code-execution-cve-2020-27162/) and [\"Jitsi Meet Electron – Limited Certificate Validation Bypass (CVE-2020-27161)\", Robert Wessen](https://research.nccgroup.com/2020/10/23/technical-advisory-jitsi-meet-electron-limited-certificate-validation-bypass-cve-2020-27161/)\n- [\"Brave Arbitrary IPC Messages via Prototype Pollution in Function.prototype.call\",  Masato 
Kinugawa](https://hackerone.com/reports/187542), [\"via Prototype Pollution in Function.prototype.apply\",  Masato Kinugawa](https://hackerone.com/reports/188086) and [\"via Prototype Pollution in Array.prototype.push\",  Masato Kinugawa](https://hackerone.com/reports/188561)\n- [\"Prototype Pollution Vulnerabilities in Electron Apps\", @s1r1u5](https://github.com/msrkp/electron-research)\n- [\"Websites Can Run Arbitrary Code on Machines Running the 'PlayStation Now' Application\", Parsia Hakimian](https://hackerone.com/reports/873614)\n- [\"Discord Desktop App RCE\", Masato Kinugawa](https://mksben.l0.cm/2020/10/discord-desktop-rce.html)\n- [\"Discord Desktop - Remote Code Execution\", s1r1us](https://blog.electrovolt.io/posts/discord-rce/)\n- [\"Vulnerability in Electron-based Application: Unintentionally Giving Malicious Code Room to Run\", CertiK](https://certik.io/blog/technology/vulnerability-electron-based-application-malicious-code-execution)\n- [\"Joplin ElectronJS based Client: from XSS to RCE\", Jaroslav Lobacevski](https://blog.devsecurity.eu/en/blog/joplin-electron-rce)\n- [\"Facebook Messenger Desktop App Arbitrary File Read\", Renwa](https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d)\n- [\"RCE in Mattermost Desktop earlier than 4.2.0\", Nathan Lowe](https://dev.to/nlowe/rce-in-mattermost-desktop-earlier-than-420-5aef)\n- [\"GitHub Desktop RCE (OSX)\", André Baptista](https://pwning.re/2018/12/04/github-desktop-rce/)\n- [\"RCE in GitHub Desktop \u003c 2.9.4\", Vladimir Metnew](https://github.com/Metnew/write-ups/tree/main/rce-github-desktop-2.9.3)\n- [\"CVE-2020–16608\", Sourov Ghosh](https://sghosh2402.medium.com/cve-2020-16608-8cdad9f4d9b4)\n- [\"HEY Desktop RCE Chain\", Doyensec Team](https://doyensec.com/resources/Doyensec_Basecamp_HEY_PlatformTesting_Q32020_SAS.pdf)\n- [\"CVE-2018-1000136 - Electron nodeIntegration Bypass\", Brendan 
Scarvell](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2018-1000136-electron-nodeintegration-bypass)\n- [\"Remote Code Execution on Element Desktop Application using Node Integration in Sub Frames Bypass\", s1r1us and TheGrandPew](https://blog.electrovolt.io/posts/element-rce/)\n- [\"CVE-2022-29247 - Disable Electron Context Isolation or enable Node Integration in SubFrames\", s1r1us](https://hackerone.com/reports/1647287)\n- [\"Weaponizing Chrome CVE-2023-2033 for RCE in Electron\", Turb0](https://www.turb0.one/pages/Weaponizing_Chrome_CVE-2023-2033_for_RCE_in_Electron:_Some_Assembly_Required.html)\n- [\"Evernote RCE: From PDF.js font-injection to All-platform Electron exposed ipcRenderer with listened BrokerBridge Remote-Code Execution\", Patrick Peng](https://0reg.dev/blog/evernote-rce)\n\n## Blog Posts and Articles\n\n- [\"Security, Native Capabilities, and Your Responsibility\", Electron's Documentation](https://www.electronjs.org/docs/tutorial/security)\n- [\"Instrumenting Electron Apps for Security Testing\", Doyensec Blog](https://blog.doyensec.com/2018/07/19/instrumenting-electron-app.html)\n- [\"Reasonably Secure Electron\", Joe DeMesy](https://know.bishopfox.com/research/reasonably-secure-electron) \u0026 [code](https://github.com/moloch--/reasonably-secure-electron)\n- [\"As It Stands - Electron Security\"](http://blog.scottlogic.com/2016/03/09/As-It-Stands-Electron-Security.html) and [\"An update on Electron Security\", Dean Kerr](http://blog.scottlogic.com/2016/06/01/An-update-on-Electron-Security.html)\n- [\"Exploiting Electron Applications using Debug Feature\", Esecurity Lab](https://evren.ninja/blog/en/post/exploiting-electron-applications-/)\n- [\"Why Electron apps can’t store your secrets confidentially: \\` — inspect\\`option\", Vladimir Metnew](https://medium.com/@metnew/why-electron-apps-cant-store-your-secrets-confidentially-inspect-option-a49950d6d51f)\n- [\"The App Sandbox\", Charlie 
Hess](https://slack.engineering/the-app-sandbox/)\n- [\"Abusing Electron apps to bypass macOS' security controls\", Wojciech Reguła](https://wojciechregula.blog/post/abusing-electron-apps-to-bypass-macos-security-controls/)\n- [\"The dangers of Electron's shell.openExternal() — many paths to remote code execution\", Benjamin Altpeter](https://benjamin-altpeter.de/shell-openexternal-dangers/)\n- [\"1-click RCE in Electron Applications\", Pavel Shabarkin](https://shabarkin.medium.com/1-click-rce-in-electron-applications-79b52e1fe8b8)\n- [\"How to patch apps with ElectronAsarIntegrity on macOS\", Karol Mazurek](https://karol-mazurek.medium.com/cracking-electron-integrity-0a10e0d5f239) \u0026 [electron_patcher.py](https://github.com/Karmaz95/Snake_Apple/blob/main/App%20Bundle%20Extension/custom/electron_patcher.py)\n- [\"Using Discord Desktop for Backdoor Persistence\", Turb0](https://www.turb0.one/pages/Using_Discord_Desktop_for_Backdoor_Persistence.html)\n  \n## Books\n\n- [\"Cross-Platform Desktop Applications Using Node, Electron, and NW.js\", Paul B. Jensen](https://www.manning.com/books/cross-platform-desktop-applications)\n- [\"Electron in Action\", Steve Kinney](https://www.manning.com/books/electron-in-action)\n\n\n## Related lists\n\n- [Awesome Node.js Security](https://github.com/lirantal/awesome-nodejs-security)\n- [Awesome Electron](https://github.com/sindresorhus/awesome-electron)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdoyensec%2Fawesome-electronjs-hacking","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdoyensec%2Fawesome-electronjs-hacking","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdoyensec%2Fawesome-electronjs-hacking/lists"}