This list aims to cover Electron.js security related topics.
Feel free to contribute by opening a PR if you think something is missing to this list!
- "Electronegativity - A Study of Electron Security", Luca Carettoni, BlackHat USA 2017 & video
- "MarkDoom: How I Hacked Every Major IDE in 2 Weeks", Matt Austin, APPSEC Cali 2018 & video
- "Building a secure web browser in Electron", Yan @bcrypt, Electron Meetup 2/2018
- "Electron: Abusing the lack of context isolation", Masato Kinugawa, CureCon 2018
- "Only An Electron Away From Code Execution", Silvia Väli, Hack.lu 2018
- "Preloading Insecurity In Your Electron", Luca Carettoni, BlackHat Asia 2019 & video
- "app setAsDefaultRCE Client: Electron, scheme handlers and stealthy security patches", Juho Nurminen, ZeroNights 2019 and video
- "Full Steam Ahead: Remotely Executing Code in Modern Desktop Application Architectures", Thomas Shadwell, INFILTRATE 2019
- "Democratizing Electron.js Security", Luca Carettoni, Covalence 2020 SF & video
- "Remote Code Execution on Electron Applications", PwnFunction
- Electronegativity, a static code analysis tool to find vulnerabilities in Electron-based applications code & slides
- Devtron, an Electron DevTools extension
- Fiddle, to quickly create and play with small Electron experiments across different Electron versions
- "Electron Security Checklist", Luca Carettoni, 2017
- "Analysis of Electron-based Applications to Identify Xss Flaws Escalating to Code Execution in Open-source Applications", Silvia Väli, 2017
- "Hacking Mattermost #2: Year of Node.js on the Desktop", Andreas Lindh
- "Subverting Electron Apps via Insecure Preload", Doyensec Blog
- "CVE-2018-15685 - Electron WebPreferences Remote Code Execution Finding", Matt Austin, PoC
- "Remote Code Execution in Rocket.Chat Desktop", Matt Austin
- "Remote Code Execution in Wordpress Desktop", Matt Austin
- "URL Spoof / Brave Shield Bypass", Matt Austin
- "[Simplenote for Windows] Client RCE via External JavaScript Inclusion leveraging Electron", @ysx
- "XSS in Steam react chat client", @zemnmez
- "Security bug in Google Hangouts Chat desktop application – how to make Open Redirect great again", Michał Bentkowski
- "Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access", Gal Weizman
- "signal-desktop HTML tag injection" and "signal-desktop HTML tag injection variant 2", Ivan A. Barrera Oro
- "Chromium vulnerability affecting Mist Browser Beta", @evertonfraga, Mist Team
- "Exploiting Electron RCE in Exodus wallet", Tomas Lažauninkas
- "Signature Validation Bypass Leading to RCE In Electron-Updater", Doyensec Blog
- "Electron Windows Protocol Handler MITM/RCE (bypass for CVE-2018-1000006 fix)", Doyensec Blog
- "Modern Alchemy: Turning XSS into RCE", Doyensec Blog
- "Security, Native Capabilities, and Your Responsibility", Electron's Documentation
- "Instrumenting Electron Apps for Security Testing", Doyensec Blog
- "Reasonably Secure Electron", Joe DeMesy & code
- "Top 5 Day Two: Electron Boogaloo - A case for technodiversity", Vincent Lee
- "As It Stands - Electron Security" and "An update on Electron Security" by Dean Kerr