Hacking JavaScript Desktop Apps with XSS and RCE

Long are the days since web servers were run by perl scripts and desktop apps written in Delphi. What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client. 

JavaScript Desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This workshop will teach you how to review JavaScript desktop apps, showcasing Node.js and Electron but using techniques that will also work against any other desktop app platform. Ideal for Penetration Testers, Desktop app Developers as well as everybody interested in JavaScript/Node.js/Electron app security. 

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace 

In this brief workshop we will give you a few lab samples covering the following topics:

  • Essential techniques to audit Electron applications 

  • What XSS means in a desktop application 

  • How to turn XSS into RCE in JavaScript apps 

  • Attacking preload scripts 

  • RCE via IPC 

Get FREE access to the slides, recording and vulnerable apps to practice with: https://7asecurity.com/free-workshop-desktop-apps 

Attendants will be provided with lifetime access to practice the attack vectors covered. This includes: Lifetime access to a training portal, vulnerable apps to practice, guided exercise PDFs and video recording explaining how to solve the exercises. 

 
 

Abraham Aranguren

After 13 years in itsec and 20 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Co-Author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. Former senior penetration tester / team lead at Cure53 and Version 1. Creator of “Practical Web Defense”, a hands-on eLearnSecurity attack / defense course, OWASP OWTF project leader, an OWASP flagship project (owtf.org), Major degree and Diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp or https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications

Previous
Previous

Practical Mobile App Attacks By Example

Next
Next

Practical CodeQL for Auditors