Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/msrkp/electron-research


Last synced: about 1 month ago

# Electron Research

Title: TBA

# Intro
The following research will be published at an upcoming conference.

Toward the end of the prototype pollution research, [BlackFan](https://twitter.com/black2fan) and I came across a Prototype Pollution XSS in a web application that has a desktop application built with Electron. So I tried to escalate it to Remote Code Execution in the desktop app, and eventually I was able to get Remote Code Execution. Eventually, the Prototype Pollution research came to an end and I started working on Electron applications, and I think the research turned out pretty well.

# Stats
The number of Applications Pwned: **18**

The number of times Applications Pwned: **23**

# Applications Pwned

Application | Description | Link to Blog/Advisory | CVE
--- | --- | --- | ---
Discord | - | - | -
VSCode | - | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43908 | CVE-2021-43908
Rocket.chat | - | https://ssd-disclosure.com/ssd-advisory-rocket-chat-client-side-remote-code-execution/ | -
Element | - | https://github.com/vector-im/element-desktop/security/advisories/GHSA-mjrg-9f8r-h3m7 | CVE-2022-23597
Microsoft Teams | File Read | - | -

More apps and descriptions will be added after presenting at a conference.

### Research Publishing Team

Mohan Sri Rama Krishna P [(s1r1us)](https://twitter.com/s1r1u5_)

William Bowling [(vakzz)](https://twitter.com/wcbowling)

Max Garrett [(TheGrandPew)](https://twitter.com/pewgrand)

Aaditya Purani [(knapstack)](https://twitter.com/aaditya_purani)

### Collaborators

Yudaii [(ptr-yudai)](https://twitter.com/ptrYudai)

Sergey Bobrov [(Black2Fan)](https://twitter.com/Black2Fan)

Masato Kinugawa [(kinugawamasato)](https://twitter.com/kinugawamasato)

Harsh Jaiswal [(rootxharsh)](https://twitter.com/rootxharsh)

Terjanq [(terjanq)](https://twitter.com/terjanq)