Electronegativity: An Open Source Electron Security Auditor

Electron is a fairly recent framework for building desktop applications, and there are not many tools that deal with the security side of it either. There is an Electron.js security checklist, providing guidelines for building secure applications, but there is no tool per se – at least none I know of! Electronegativity changes this. This post describes the open source tool that was disclosed at Black Hat 2017, but only released in January this year.


Electronegativity

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications. This open source tool leverages AST and DOM parsing to look for security-relevant configuration. It supports “atomic” and “global” check types, which work respectively on three types of application resources:

Every check has an importance and an accuracy attribute, which help you gauge how much weight to give each finding. Electronegativity performs checks for the following properties, along with the reason why each one matters:

  1. AFFINITY_GLOBAL_CHECK: Improper use of the affinity property can cause unwanted sharing of webPreferences options between windows.
  2. ALLOWPOPUPS_HTML_CHECK: Disabling popups reduces the risk of UI-redressing attacks and limits the exploitability of window abuses. Additionally, popups are often used for intrusive advertising and persistency in JavaScript-based attacks.
  3. AUXCLICK_JS_CHECK: Navigation to untrusted origins can facilitate attacks. Thus it is recommended to limit the ability of a BrowserWindow and webview guest page to initiate new navigation flows. Middle-click events can be leveraged to subvert the flow of the application.
  4. AUXCLICK_HTML_CHECK: Same as property 3.
  5. AVAILABLE_SECURITY_FIXES_GLOBAL_CHECK: Not using the latest safest version of Electron may expose the application to security risks.
  6. BLINK_FEATURES_JS_CHECK: Experimental features may introduce bugs and increase the application attack surface.
  7. BLINK_FEATURES_HTML_CHECK: Same as property 6.
  8. CERTIFICATE_ERROR_EVENT_JS_CHECK: TLS validation opt-out should not be used, as it makes it possible to sniff and tamper with the user’s traffic. If nodeIntegration is also enabled, an attacker can inject malicious JavaScript and compromise the user’s host.
  9. CERTIFICATE_VERIFY_PROC_JS_CHECK: Same as property 8.
  10. CONTEXT_ISOLATION_JS_CHECK: If contextIsolation is not used, malicious JS code can tamper JavaScript native functions as well as preload script code via prototype pollution.
  11. CUSTOM_ARGUMENTS_JS_CHECK: The use of additional command line arguments can increase the application attack surface, disable security features or influence the overall security posture. For example, if Electron’s debugging is enabled, Electron will listen for V8 debugger protocol messages on the specified port. An attacker could leverage the external debugger to subvert the application at runtime.
  12. CUSTOM_ARGUMENTS_JSON_CHECK: Same as property 11.
  13. CSP_GLOBAL_CHECK: CSP allows the server serving content to restrict and control the resources Electron can load for that given web page. https://example.com should be allowed to load scripts from the origins you defined while scripts from https://evil.attacker.com should not be allowed to run.
  14. DANGEROUS_FUNCTIONS_JS_CHECK: In a vulnerable application, a remote page could leverage functions such as insertCSS, executeJavaScript, eval, Function, setTimeout, setInterval and setImmediate to subvert the flow of the application by injecting malicious CSS or JavaScript.
  15. ELECTRON_VERSION_JSON_CHECK: Older versions of the Electron framework may contain vulnerabilities, including nodeIntegration bypasses.
  16. EXPERIMENTAL_FEATURES_HTML_CHECK: Experimental feature flags such as experimentalFeatures and experimentalCanvasFeatures may introduce bugs and increase the application attack surface.
  17. EXPERIMENTAL_FEATURES_JS_CHECK: Same as property 16.
  18. HTTP_RESOURCES_JS_CHECK: Electronegativity checks if nodeIntegration is enabled. If it is enabled, an attacker can inject malicious JavaScript and compromise the user’s host. This could lead to man-in-the-middle attacks.
  19. HTTP_RESOURCES_HTML_CHECK: Same as property 18.
  20. INSECURE_CONTENT_HTML_CHECK: HTTP, mixed content and TLS validation opt-out should not be used, as they make it possible to sniff and tamper with the user’s traffic. If nodeIntegration is also enabled, an attacker can inject malicious JavaScript and compromise the user’s host.
  21. INSECURE_CONTENT_JS_CHECK: Same as property 20.
  22. LIMIT_NAVIGATION_JS_CHECK: Detects whether on() handlers for the ‘will-navigate’ and ‘new-window’ events are used. These handlers can be used to limit the exploitability of certain issues. Not enforcing navigation limits leaves the Electron application under the full control of remote origins in case of accidental navigation.
  23. LIMIT_NAVIGATION_GLOBAL_CHECK: Missing navigation limits using .on ‘new-window’ and ‘will-navigate’ events.
  24. NODE_INTEGRATION_HTML_CHECK: If enabled, nodeIntegration allows JavaScript to leverage Node.js primitives and modules. This could lead to full remote system compromise if you are rendering untrusted content.
  25. NODE_INTEGRATION_ATTACH_EVENT_JS_CHECK: Disable nodeIntegration for untrusted origins.
  26. NODE_INTEGRATION_JS_CHECK: If enabled, nodeIntegration allows JavaScript to leverage Node.js primitives and modules. This could lead to full remote system compromise if you are rendering untrusted content.
  27. OPEN_EXTERNAL_JS_CHECK: Improper use of openExternal can be leveraged to compromise the user’s host. Electron’s Shell provides powerful primitives that must be used with caution.
  28. PERMISSION_REQUEST_HANDLER_JS_CHECK: The setPermissionRequestHandler setting can be used to limit the exploitability of certain issues. Not enforcing custom checks for permission requests (e.g. media) leaves the Electron application under full control of the remote origin. For instance, a Cross-Site Scripting vulnerability can be used to access the browser media system and silently record audio/video. While browsers have implemented notification to inform the user that a remote site is capturing the webcam stream, Electron does not display any notification.
  29. PERMISSION_REQUEST_HANDLER_GLOBAL_CHECK: Same as property 28.
  30. PRELOAD_JS_CHECK: Improper use of preload scripts can introduce nodeIntegration or sandbox bypasses, in addition to other vulnerabilities. If contextIsolation is not used, there is also the risk that malicious code may be able to tamper sensitive operations with prototype pollution attacks.
  31. PROTOCOL_HANDLER_JS_CHECK: The use of custom protocol handlers opens the application to vulnerabilities triggered by users clicking on custom links or arbitrary origins forcing the navigation to crafted links.
  32. SANDBOX_JS_CHECK: Even with nodeIntegration disabled, the current implementation of Electron does not completely mitigate all risks introduced by loading untrusted resources. As such, it is recommended to enable sandbox.
  33. SECURITY_WARNINGS_DISABLED_JS_CHECK: Detects whether Electron’s security warnings have been disabled by the developers via JavaScript, which may hide the presence of misconfigurations or insecure patterns from the developers.
  34. SECURITY_WARNINGS_DISABLED_JSON_CHECK: Same as property 33.
  35. WEB_SECURITY_HTML_CHECK: When the disablewebsecurity Chromium flag is enabled, SOP is not enforced and mixed content is allowed (e.g. https page using JavaScript, CSS from http origins).
  36. WEB_SECURITY_JS_CHECK: Same as property 35.

Install Electronegativity:

Installing Electronegativity 1.3.0 is very easy! Just run:

$ npm install @doyensec/electronegativity -g

If you are interested in checking out the source code, check out the GitHub repository here.
