Electron is a fairly recent framework for building desktop applications, and there are not many tools that address the security side of it either. There is an Electron.js security checklist providing guidelines for building secure applications, but there is no tool per se, at least none I know of! Electronegativity changes this. This post describes the open source tool that was first presented at Black Hat 2017 but only released in January this year.
Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications. This open source tool leverages AST and DOM parsing to look for security-relevant configuration. Its checks are either “atomic” (run against a single file) or “global” (run across the whole application), and they work on three types of application resources:
- JS (using a combination of Esprima, Babel, TypeScript ESTree)
- HTML (using Cheerio)
- JSON (using the native
Every check carries an importance and an accuracy attribute, which help you prioritize findings. Electronegativity performs the following checks; each entry explains why the property matters:
- AFFINITY_GLOBAL_CHECK: Improper use of the `affinity` property can cause the unwanted share of
- AUXCLICK_JS_CHECK: Navigation to untrusted origins can facilitate attacks. Thus it is recommended to limit the ability of a `webview` guest page to initiate new navigation flows. Middle-click events can be leveraged to subvert the flow of the application.
- AUXCLICK_HTML_CHECK: Same as AUXCLICK_JS_CHECK.
- AVAILABLE_SECURITY_FIXES_GLOBAL_CHECK: Not using the latest safest version of Electron may expose the application to security risks.
- BLINK_FEATURES_JS_CHECK: Experimental features may introduce bugs and increase the application attack surface.
- BLINK_FEATURES_HTML_CHECK: Same as BLINK_FEATURES_JS_CHECK.
- CERTIFICATE_ERROR_EVENT_JS_CHECK: TLS validation opt-out should not be used, as it makes it possible to sniff and tamper with the user’s traffic. If
- CERTIFICATE_VERIFY_PROC_JS_CHECK: Same as CERTIFICATE_ERROR_EVENT_JS_CHECK.
- CONTEXT_ISOLATION_JS_CHECK: If
- CUSTOM_ARGUMENTS_JS_CHECK: The use of additional command line arguments can increase the application attack surface, disable security features or influence the overall security posture. For example, if Electron’s debugging is enabled, Electron will listen for V8 debugger protocol messages on the specified port. An attacker could leverage the external debugger to subvert the application at runtime.
- CUSTOM_ARGUMENTS_JSON_CHECK: Same as CUSTOM_ARGUMENTS_JS_CHECK.
- CSP_GLOBAL_CHECK: CSP allows the server serving content to restrict and control the resources Electron can load for that given web page. `https://example.com` should be allowed to load scripts from the origins you defined, while scripts from `https://evil.attacker.com` should not be allowed to run.
- DANGEROUS_FUNCTIONS_JS_CHECK: In a vulnerable application, a remote page could leverage functions such as
- ELECTRON_VERSION_JSON_CHECK: Older versions of the Electron framework may contain vulnerabilities, including
- EXPERIMENTAL_FEATURES_HTML_CHECK: Experimental feature flags such as `experimentalCanvasFeatures` may introduce bugs and increase the application attack surface.
- EXPERIMENTAL_FEATURES_JS_CHECK: Same as EXPERIMENTAL_FEATURES_HTML_CHECK.
- HTTP_RESOURCES_JS_CHECK: Electronegativity checks if
- HTTP_RESOURCES_HTML_CHECK: Same as HTTP_RESOURCES_JS_CHECK.
- INSECURE_CONTENT_HTML_CHECK: HTTP, mixed content and TLS validation opt-out should not be used, as they make it possible to sniff and tamper with the user’s traffic. If
- INSECURE_CONTENT_JS_CHECK: Same as INSECURE_CONTENT_HTML_CHECK.
- LIMIT_NAVIGATION_JS_CHECK: Detects if `on()` for the ‘will-navigate’ and ‘new-window’ events is used. These handlers can be used to limit the exploitability of certain issues. Not enforcing navigation limits leaves the Electron application under the full control of remote origins in case of accidental navigation.
- LIMIT_NAVIGATION_GLOBAL_CHECK: Missing navigation limits using the `.on` ‘new-window’ and ‘will-navigate’ event handlers.
- NODE_INTEGRATION_HTML_CHECK: If enabled,
- NODE_INTEGRATION_ATTACH_EVENT_JS_CHECK: Disable `nodeIntegration` for untrusted origins.
- NODE_INTEGRATION_JS_CHECK: If enabled,
- OPEN_EXTERNAL_JS_CHECK: Improper use of `openExternal` can be leveraged to compromise the user’s host. Electron’s Shell provides powerful primitives that must be used with caution.
- PERMISSION_REQUEST_HANDLER_JS_CHECK: The `setPermissionRequestHandler` setting can be used to limit the exploitability of certain issues. Not enforcing custom checks for permission requests (e.g. media) leaves the Electron application under the full control of the remote origin. For instance, a Cross-Site Scripting vulnerability can be used to access the browser media system and silently record audio/video. While browsers display a notification to inform the user that a remote site is capturing the webcam stream, Electron does not display any notification.
- PERMISSION_REQUEST_HANDLER_GLOBAL_CHECK: Same as PERMISSION_REQUEST_HANDLER_JS_CHECK.
- PRELOAD_JS_CHECK: Improper use of preload scripts can introduce `nodeIntegration` or sandbox bypasses, in addition to other vulnerabilities. If `contextIsolation` is not used, there is also the risk that malicious code may be able to tamper with sensitive operations through prototype pollution attacks.
- PROTOCOL_HANDLER_JS_CHECK: The use of custom protocol handlers opens the application to vulnerabilities triggered by users clicking on custom links or arbitrary origins forcing the navigation to crafted links.
- SANDBOX_JS_CHECK: Even with `nodeIntegration` disabled, the current implementation of Electron does not completely mitigate all risks introduced by loading untrusted resources. As such, it is recommended to enable
- SECURITY_WARNINGS_DISABLED_JSON_CHECK: Same as the corresponding JS check (whose entry is missing from this list).
- WEB_SECURITY_HTML_CHECK: When the
- WEB_SECURITY_JS_CHECK: Same as WEB_SECURITY_HTML_CHECK.
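Since the list above is in effect a checklist of `BrowserWindow` settings and main-process handlers, here is an added example (my own code, not Electronegativity’s and not part of the Electron project) that models a few of those checks over a `webPreferences` object and wires up the navigation, permission and `openExternal` hardening they call for. Electronegativity itself finds these by parsing the application source into an AST; the audit below inspects an already-constructed options object instead, and `hardenWindow` receives the Electron `webContents` and `shell` objects as parameters, so the file runs under plain Node with no Electron installed. The allowed origins, the permission allow-list and the two sample configurations are constructed for the example, and the audit treats an absent setting as the insecure default (`nodeIntegration` on, `contextIsolation` and `sandbox` off), which is Electron’s behaviour up to version 4 and the conservative assumption for a scanner.

```javascript
// Added example (not Electronegativity's code or the original post's):
// object-level versions of some checks listed above, plus the runtime
// hardening they recommend. Runs under plain Node; no Electron required.

// Conservative assumption for a scanner: an absent setting is treated as the
// insecure default (nodeIntegration on, contextIsolation and sandbox off).
// That matches Electron 4 and earlier; Electron 5+ defaults nodeIntegration
// to false, so adjust for the version you target.
const CHECKS = [
  { id: 'NODE_INTEGRATION_JS_CHECK',
    bad: p => p.nodeIntegration !== false,
    why: 'remote content can reach Node.js primitives' },
  { id: 'CONTEXT_ISOLATION_JS_CHECK',
    bad: p => p.contextIsolation !== true,
    why: 'preload and page share one JS context (prototype pollution)' },
  { id: 'SANDBOX_JS_CHECK',
    bad: p => p.sandbox !== true,
    why: 'renderer process is not sandboxed' },
  { id: 'WEB_SECURITY_JS_CHECK',
    bad: p => p.webSecurity === false,
    why: 'same-origin policy disabled' },
  { id: 'INSECURE_CONTENT_JS_CHECK',
    bad: p => p.allowRunningInsecureContent === true,
    why: 'mixed (HTTP) content allowed on HTTPS pages' },
  { id: 'EXPERIMENTAL_FEATURES_JS_CHECK',
    bad: p => p.experimentalFeatures === true,
    why: 'experimental Chromium features enabled' },
  { id: 'BLINK_FEATURES_JS_CHECK',
    bad: p => typeof p.enableBlinkFeatures === 'string' && p.enableBlinkFeatures !== '',
    why: 'non-default Blink features enabled' },
  // Heuristic: any use of affinity is reported for manual review.
  { id: 'AFFINITY_GLOBAL_CHECK',
    bad: p => p.affinity !== undefined,
    why: 'windows sharing an affinity may share webPreferences' },
];

// Returns the findings for one BrowserWindow's webPreferences object.
function auditWebPreferences(prefs) {
  const p = prefs || {};
  return CHECKS.filter(c => c.bad(p)).map(c => ({ id: c.id, why: c.why }));
}

// --- runtime hardening: LIMIT_NAVIGATION, PERMISSION_REQUEST_HANDLER, OPEN_EXTERNAL ---

// Constructed allow-lists for the example application.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const ALLOWED_PERMISSIONS = new Set(['notifications']);

// Navigation is allowed only to an allow-listed origin; unparsable URLs are denied.
function isAllowedNavigation(url) {
  try { return ALLOWED_ORIGINS.has(new URL(url).origin); } catch (e) { return false; }
}

// Only http(s) links are handed to the OS via shell.openExternal; file:,
// javascript:, smb: and similar schemes can compromise the host.
function isSafeExternalUrl(url) {
  try { return ['http:', 'https:'].includes(new URL(url).protocol); } catch (e) { return false; }
}

// Grant a permission only to a trusted origin and only if the app needs it;
// everything else (media, geolocation, ...) is denied.
function decidePermission(permission, requestingUrl) {
  return isAllowedNavigation(requestingUrl) && ALLOWED_PERMISSIONS.has(permission);
}

// `contents` is a webContents and `shell` is Electron's shell module; both are
// injected so the wiring can be exercised without Electron. Electron 12+
// replaces the 'new-window' event with webContents.setWindowOpenHandler.
function hardenWindow(contents, shell) {
  contents.on('will-navigate', (event, url) => {
    if (!isAllowedNavigation(url)) event.preventDefault();
  });
  contents.on('new-window', (event, url) => {
    event.preventDefault();                    // never let the page spawn windows
    if (isSafeExternalUrl(url)) shell.openExternal(url);
  });
  contents.session.setPermissionRequestHandler((wc, permission, callback) => {
    callback(decidePermission(permission, wc.getURL()));
  });
}

// Constructed samples: a typical insecure configuration and its hardened form.
const WEAK_PREFS = { nodeIntegration: true, webSecurity: false, allowRunningInsecureContent: true };
const HARDENED_PREFS = { nodeIntegration: false, contextIsolation: true, sandbox: true, webSecurity: true };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditWebPreferences(WEAK_PREFS));     // five findings
  console.log(auditWebPreferences(HARDENED_PREFS)); // []
}
```

Two design points are worth keeping in mind when adapting this. The `new-window` handler always calls `preventDefault()` and only then decides whether to hand the link to the OS, so an untrusted page can never open an unconfigured child window that would inherit loose settings. And the permission handler derives the decision from the requesting `webContents`’ current URL, not from the window the app created, because after an accidental navigation that URL is the only thing that tells you who is asking.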
Installing Electronegativity 1.3.0 is very easy! Just run:
$ npm install @doyensec/electronegativity -g
If you are interested in checking out the source code, check out the GitHub repository here.