Pentesting Electron applications
By Mohammed Oosman - July 21, 2019
History of ELECTRON Applications
What are Electron applications?
Electron is an open source project maintained by GitHub and an active community of contributors.
Why use Electron?
When it comes to desktop application development, we basically use C++, C# and VB on Windows.
On Mac OS, we have the "Cocoa" layer, which includes all the technologies we need to build the application's user interface, and the "Media" layer, which has all the tools and technologies for media operations such as 2D and 3D animation and photo and video editing.
For Linux, we make use of Python along with some libraries for the development.
So Electron helps us overcome these differences by letting the developer build cross-platform applications with ease.
Now to the most important part: how to pen-test Electron applications.
Pentesting ELECTRON Applications
So some time back, I was directed to perform a pentest on a desktop application. "Well, let the game begin" was the phrase running through my mind. I happily set up a proxy in Burp to intercept the requests made by the application, and what happened next was unexpected. Guess what? I was not able to intercept the requests that the application was making to the server.
Yup, that was the exact question going through my mind that day.
I searched for every possible thing on the internet, thinking that I was missing some step to intercept the requests.
Finally, after trying everything possible, I came to know from the development team that the application was developed in the Electron framework. LOL, yeah, I know that was really stupid of me.
An application developed in the Electron framework uses Chromium to communicate with the server. So it is sort of a dedicated browser for that particular application, not like the traditional thick client that we are used to pen-testing.
The methodology used to intercept the requests of Electron-based desktop applications is a bit different, but simple. Let us have a look at how to do it:
Step 1: Identify the important pointers that help us recognise an Electron-based desktop application:
Right-click on the exe you are testing and go to the location where the exe is present:
LICENSE.electron is one of the files that point to the application you are testing being an Electron-based application.
If we traverse to the resources folder, we find the .asar files, which confirm that the application under test uses the Electron framework.
What is .asar file?
An asar archive is a simple tar-like format that concatenates files into a single file. Electron can read arbitrary files from it without unpacking the whole file.
Step 2: Intercepting the request:
The interception part is slightly different: we need to make the application ignore certificate errors and point it at our proxy server, which is Burp in our case.
Open a command prompt in the location where the exe is present and run the following command:
C:\Application location> Application.exe --args --proxy-server=localhost:8081 --ignore-certificate-errors
Note: there should be no instance of the application running. Upon executing the above command, the application opens up, and we have told it that all requests have to go through port 8081 on localhost (Burp, in our case) and to ignore any certificate errors.
Also make sure Burp has a listener set up on 8081 and is listening only on it, to avoid confusion in the incoming traffic.
After executing the command, the desired application opens up under the specified conditions.
Voilà! There you go, finally we are able to intercept the traffic in Burp.
Now we can carry out the general pen-test methodology that we follow for web applications and check for attacks like SQL injection, PE, sensitive information retrieval etc.
Apart from the general penetration testing procedure that we follow, we have an audit tool offered through Node.js known as npm audit, which looks for known vulnerabilities based on the version of the Electron framework used by the application and the packages its code depends on.
One more interesting part of this audit tool is that it has the capability of fixing the issues, which is offered as one of its options (which of course we pen-testers would not want to do).
In order to make use of this tool, we have to make the npm utility available. That can be done by installing Node.js, which can be found here.
After downloading, let's check whether npm is successfully installed by issuing the following command:
So we can see the different commands available for this utility, but the command of most interest to us is audit.
For the npm audit command to run successfully, it requires the package.json file of the Electron application, which can be found packaged in the app.asar file. Therefore, we need to extract it.
Now then, to continue with the audit, we first have to extract the app.asar file present in the resources folder of the application location.
.asar archives are used for packaging applications based on the Electron framework.
.asar archives can be extracted through a utility available for 7z that needs to be installed; follow the steps mentioned in its readme file. The utility can be found here.
Note: some Electron app developers may create encrypted .asar archives. You cannot access the contents of such archives unless you know the specific encryption method.
Let’s extract the app.asar archive:
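The .asar layout described earlier (a header that lets Electron read single files without unpacking) and the step of pulling package.json out of app.asar for npm audit, as an added example that is not from the original post: a small Python reader for the asar header, exercised on a constructed in-memory archive so it needs neither a real application nor the 7z plugin. The byte layout (two length-prefixed "Pickle" records, 4-byte padded JSON header, string offsets) follows the format the asar project documents; the sample files and package contents are made up.

```python
import json
import struct

# Constructed sample (not a real app): files to pack into an in-memory app.asar.
SAMPLE_FILES = {
    "package.json": json.dumps({"name": "sample-app", "version": "1.0.0",
                                "dependencies": {"electron": "2.0.0"}}).encode(),
    "src/main.js": b"require('electron').app.on('ready', () => {});\n",
}

def build_asar(files):
    """Pack {path: bytes} into asar bytes using the layout Electron's asar module writes."""
    header, blobs, offset = {"files": {}}, [], 0
    for path, data in files.items():
        node = header["files"]
        *dirs, name = path.split("/")
        for d in dirs:                                   # nested directory entries
            node = node.setdefault(d, {"files": {}})["files"]
        node[name] = {"size": len(data), "offset": str(offset)}   # offsets are strings
        blobs.append(data)
        offset += len(data)
    hdr = json.dumps(header).encode()
    padded = hdr + b"\0" * (-len(hdr) % 4)               # Pickle pads strings to 4 bytes
    # Pickle 1: [payload size = 4][length of pickle 2]; Pickle 2: [payload size][str len][str]
    header_pickle = struct.pack("<II", 4 + len(padded), len(hdr)) + padded
    return struct.pack("<II", 4, len(header_pickle)) + header_pickle + b"".join(blobs)

def read_asar(data):
    """Return (header dict, offset where file data begins), as Electron's reader does."""
    payload_size, header_size = struct.unpack_from("<II", data, 0)
    if payload_size != 4 or len(data) < 8 + header_size:
        raise ValueError("not an asar archive: bad size pickle")
    _, str_len = struct.unpack_from("<II", data, 8)
    return json.loads(data[16:16 + str_len]), 8 + header_size

def extract_file(data, path):
    """Read one file out of an asar without unpacking the whole archive."""
    header, base = read_asar(data)
    node = header["files"]
    *dirs, name = path.split("/")
    for d in dirs:
        node = node[d]["files"]
    info = node[name]
    if info.get("unpacked"):                             # kept in app.asar.unpacked/ instead
        raise KeyError(f"{path} is not inside the archive")
    start = base + int(info["offset"])
    return data[start:start + info["size"]]

def packed_dependencies(data):
    """The dependency map npm audit checks, read from the packed package.json."""
    return json.loads(extract_file(data, "package.json")).get("dependencies", {})
```

Point `read_asar` at the bytes of a real resources/app.asar to list the header, then save the extracted package.json next to a copy of the archive's files before running npm audit there; an encrypted or customised archive (as the note above warns) fails the size check or yields unparseable JSON instead of a header.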
Once the extraction is done, open a command prompt in the extracted location and run the npm audit command.
There you go; it seems there are code-level issues in the application. One more interesting thing we can find here is that it even tells us the command through which we can resolve the issue.
So that's it for this article. I hope you really enjoyed it and learnt something from it. Kindly share this knowledge, as it would be helpful for someone somewhere. Till then, happy reading!