Awesome Electron.js hacking & pentesting resources / Presentations |
| "Electronegativity - A Study of Electron Security", Luca Carettoni, BlackHat USA 2017 | | | & |
| "MarkDoom: How I Hacked Every Major IDE in 2 Weeks", Matt Austin, APPSEC Cali 2018 | | | & |
| "Building a secure web browser in Electron", Yan @bcrypt, Electron Meetup 2/2018 | | | |
| "Electron: Abusing the lack of context isolation", Masato Kinugawa, CureCon 2018 | | | |
| "Only An Electron Away From Code Execution", Silvia Väli, Hack.lu 2018 | | | |
| "Preloading Insecurity In Your Electron", Luca Carettoni, BlackHat Asia 2019 | | | & |
| "app setAsDefaultRCE Client: Electron, scheme handlers and stealthy security patches", Juho Nurminen, ZeroNights 2019 | | | and |
| "Full Steam Ahead: Remotely Executing Code in Modern Desktop Application Architectures", Thomas Shadwell, INFILTRATE 2019 | | | |
| "Democratizing Electron.js Security", Luca Carettoni, Covalence 2020 SF | | | & |
| "Remote Code Execution on Electron Applications", PwnFunction | | | |
| "Shifting left for Electron.js security", Ksenia Peguero, Midwinter Night's Con 2020 | | | |
| "How to harden your Electron app", Mitchell Cohen, NorthSec 2021 | | | |
| "Hacking ELECTRON: JavaScript Desktop Applications w/ 7aSecurity", John Hammond | | | |
| "ElectroVolt - Pwning Popular Desktop apps while uncovering new attack surface on Electron", Mohan Sri Rama Krishna Max Garrett Aaditya Purani William Bowling, BlackHat USA 2022 and Nullcon Goa 2022 | | | & |
| |
| code | 971 | 2 months ago | Electronegativity, a static code analysis tool to find vulnerabilities in Electron-based applications & |
| Devtron | | | , an Electron DevTools extension |
| Fiddle | 7,445 | 12 days ago | , to quickly create and play with small Electron experiments across different Electron versions |
| ElectroNG | | | Premium SAST tool built after Electronegativity to help automate security reviews |
Awesome Electron.js hacking & pentesting resources / Papers |
| "Electron Security Checklist", Luca Carettoni, 2017 | | | |
| "Analysis of Electron-based Applications to Identify Xss Flaws Escalating to Code Execution in Open-source Applications", Silvia Väli, 2017 | | | |
| "Pentest-Report Ethereum Mist", Cure53, 2017 | | | |
| "Pentest-Report Frame Electron App", Cure53, 2018 | | | |
| "An Analysis of the State of Electron Security in the Wild", Benjamin Altpeter, 2020 | | | |
| "Electrolint and Security of Electron Applications", Ksenia Peguero, 2021 | | | |
Awesome Electron.js hacking & pentesting resources / Vulnerabilities Write-Ups and Exploits |
| "Hacking Mattermost #2: Year of Node.js on the Desktop", Andreas Lindh | | | |
| "Modern Alchemy: Turning XSS into RCE", Doyensec Blog | | | |
| "Subverting Electron Apps via Insecure Preload", Doyensec Blog | | | |
| "CVE-2018-15685 - Electron WebPreferences Remote Code Execution Finding", Matt Austin | | | , |
| "Remote Code Execution in Rocket.Chat Desktop", Matt Austin | | | |
| "Rocket.Chat Cross-Site Scripting leading to Remote Code Execution CVE-2020-15926", Pawel Wylecial | | | |
| "Rocket.Chat Client-side Remote Code Execution", SSD Advisory | | | |
| "Remote Code Execution in Wordpress Desktop", Matt Austin | | | |
| "URL Spoof / Brave Shield Bypass", Matt Austin | | | |
| "[Simplenote for Windows] Client RCE via External JavaScript Inclusion leveraging Electron", @ysx | | | |
| "XSS in Steam react chat client", @zemnmez | | | |
| "Security bug in Google Hangouts Chat desktop application – how to make Open Redirect great again", Michał Bentkowski | | | |
| "Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access", Gal Weizman | | | |
| "signal-desktop HTML tag injection" | | | and |
| "Signature Validation Bypass Leading to RCE In Electron-Updater", Doyensec Blog | | | |
| "Electron Windows Protocol Handler MITM/RCE (bypass for CVE-2018-1000006 fix)", Doyensec Blog | | | |
| "Top 5 Day Two: Electron Boogaloo - A case for technodiversity", Vincent Lee | | | |
| "Exploiting Electron RCE in Exodus wallet", Tomas Lažauninkas | | | |
| "Chaining Three Bugs to Get RCE in Microsoft AttackSurfaceAnalyzer", Parsia Hakimian | | | |
| "Open Sesame: Escalating Open Redirect to RCE with Electron Code Review", Eugene Lim | | | |
| "From Markdown to RCE in Atom", Lukas Reschke | | | |
| "Visual Studio Code silently fixed a remote code execution vulnerability", CodeColorist | | | |
| "OVE-20210809-0001 Visual Studio Code .ipynb Jupyter Notebook XSS (Arbitrary File Read)", Justin Steven | 266 | over 1 year ago | |
| "Visual Studio Code Jupyter Notebook RCE ( CVE-2021-26437)", Doyensec Blog | | | |
| "Visual Studio Code - Remote Code Execution in Restricted Mode (CVE-2021-43908)", TheGrandPew and s1r1us | | | |
| "Remote Code Execution in Slack desktop apps + bonus", Oskars Vegeris | | | |
| "Important, Spoofing - zero-click, wormable, cross-platform remote code execution in Microsoft Teams", Oskars Vegeris | 1,115 | almost 4 years ago | |
| "Cross-site scripting (XSS) in Microsoft Teams", Evan Grant | | | |
| "Dependency Confusion Vulnerability in Microsoft Teams", Matt Austin | | | |
| "RCE in Jitsi Meet Electron prior to 2.3.0 due to insecure use of shell.openExternal() (CVE-2020-25019)", Benjamin Altpeter | | | |
| "Insecure use of shell.openExternal() in Wire Desktop", Benjamin Altpeter | 1,079 | 4 days ago | |
| "Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162)", Robert Wessen | | | and |
| "Brave Arbitrary IPC Messages via Prototype Pollution in Function.prototype.call", Masato Kinugawa | | | , and |
| "Prototype Pollution Vulnerabilities in Electron Apps", @s1r1u5 | 70 | almost 3 years ago | |
| "Websites Can Run Arbitrary Code on Machines Running the 'PlayStation Now' Application", Parsia Hakimian | | | |
| "Discord Desktop App RCE", Masato Kinugawa | | | |
| "Discord Desktop - Remote Code Execution", s1r1us | | | |
| "Vulnerability in Electron-based Application: Unintentionally Giving Malicious Code Room to Run", CertiK | | | |
| "Joplin ElectronJS based Client: from XSS to RCE", Jaroslav Lobacevski | | | |
| "Facebook Messenger Desktop App Arbitrary File Read", Renwa | | | |
| "RCE in Mattermost Desktop earlier than 4.2.0", Nathan Lowe | | | |
| "GitHub Desktop RCE (OSX)", André Baptista | | | |
| "RCE in GitHub Desktop < 2.9.4", Vladimir Metnew | 33 | over 2 years ago | |
| "CVE-2020–16608", Sourov Ghosh | | | |
| "HEY Desktop RCE Chain", Doyensec Team | | | |
| "CVE-2018-1000136 - Electron nodeIntegration Bypass", Brendan Scarvell | | | |
| "Remote Code Execution on Element Desktop Application using Node Integration in Sub Frames Bypass", s1r1us and TheGrandPew | | | |
| "CVE-2022-29247 - Disable Electron Context Isolation or enable Node Integration in SubFrames", s1r1us | | | |
| "Weaponizing Chrome CVE-2023-2033 for RCE in Electron", Turb0 | | | |
| "Evernote RCE: From PDF.js font-injection to All-platform Electron exposed ipcRenderer with listened BrokerBridge Remote-Code Execution", Patrick Peng | | | |
Awesome Electron.js hacking & pentesting resources / Blog Posts and Articles |
| "Security, Native Capabilities, and Your Responsibility", Electron's Documentation | | | |
| "Instrumenting Electron Apps for Security Testing", Doyensec Blog | | | |
| "Reasonably Secure Electron", Joe DeMesy | | | & |
| "As It Stands - Electron Security" | | | and |
| "Exploiting Electron Applications using Debug Feature", Esecurity Lab | | | |
| "Why Electron apps can’t store your secrets confidentially: ` — inspect`option", Vladimir Metnew | | | |
| "The App Sandbox", Charlie Hess | | | |
| "Abusing Electron apps to bypass macOS' security controls", Wojciech Reguła | | | |
| "The dangers of Electron's shell.openExternal() — many paths to remote code execution", Benjamin Altpeter | | | |
| "1-click RCE in Electron Applications", Pavel Shabarkin | | | |
| "How to patch apps with ElectronAsarIntegrity on macOS", Karol Mazurek | | | & |
| "Using Discord Desktop for Backdoor Persistence", Turb0 | | | |
Awesome Electron.js hacking & pentesting resources / Books |
| "Cross-Platform Desktop Applications Using Node, Electron, and NW.js", Paul B. Jensen | | | |
| "Electron in Action", Steve Kinney | | | |
| |
| Awesome Node.js Security | 2,736 | 8 days ago | |
| Awesome Electron | 25,876 | 4 months ago | |
awesome-electronjs-hacking 
sbilly/awesome-security
sudhakar3697/awesome-electron-alternativessindresorhus/electron-timber
electron-userland/electron-builder
electron/packager