Pentesting Electron applications

History of ELECTRON Applications

Electron was created by Cheng Zhao during the development of Atom, a cross-platform text editor released in July 2013. It was made open source, developed, and supported by GitHub using C++, JavaScript, Objective-C, and Python. It was intended to make cross-platform development easier for the creation of Atom.

What are Electron applications?

Electron is a framework for creating native applications with web technologies like JavaScript, HTML, and CSS. It takes care of the hard parts so you can focus on the core of your application.

A typical Electron application uses HTML, CSS, JavaScript, and Node.js on top of the Chromium engine for development.

Electron is an open source project maintained by GitHub and an active community of contributors.

Why use Electron?

When it comes to application development for the desktop environment, on Windows we basically use C++, C# and VB.

For Mac OS, we have the "Cocoa" layer, which includes all the technologies we require to create the application user interface. The "Media" layer has all the tools and technologies required for media operations, which include 2D and 3D animation and photo and video editing.

For Linux, we make use of Python along with some of its libraries for development.

So Electron helps us overcome these differences by letting the developer make cross-platform applications with ease.

Now to the most important part: how to pen-test Electron applications.

Pentesting ELECTRON Applications

So some time back, I was directed to perform a pentest on a desktop application. "Well, let the game begin" were the words running through my mind. I happily set up a proxy in Burp, trying to intercept the requests made by the application, and what happened next was something unexpected. Guess what? I was not able to intercept the requests that the application was making to the server.

Yup, that was the exact question going through my mind that day.

I searched for all the possible things on the internet, thinking that I was missing some step to intercept the request.

Finally, after trying everything possible, I came to know from the development team that the application was developed in the Electron framework. LoL, yeah I know that was really stupid of me.

So an application developed in the Electron framework uses Chromium to communicate with the server. It is a sort of dedicated browser for that particular application alone, unlike the traditional thick client that we are used to pen-testing.

The methodology used to intercept the requests of Electron-based desktop applications is a bit different but simple. Let us have a look at how to do it:

Step 1: Identify the important pointers that tell us an application is an Electron-based desktop application:

Right-click on the exe you are testing and go to the location where the exe is present:

LICENSE.electron is one of the files that indicates that the application you are testing is an Electron-based application.

If we traverse to the resources folder we find the .asar files, which completely confirm that the application under test uses the Electron framework.

What is an .asar file?

An asar archive is a simple tar-like format that concatenates files into a single file. Electron can read arbitrary files from it without unpacking the whole file.

Step 2: Intercepting the requests:

The interception part is slightly different: we need to ignore the certificate error and set up the proxy server, which is Burp in our case.

Open a command prompt in the same location where the exe is present and run the following command:

<Application location>Application.exe --args --proxy-server=localhost:8081 --ignore-certificate-errors

Note: There should be no instance of the application running. Upon executing the above command the application opens up, and we are telling it that all requests have to go through port 8081 of localhost, which is Burp in our case, and to ignore certificate errors if any.

Also make sure Burp has a listener set up on 8081 and is listening only on it, to avoid confusion in the incoming traffic.

After executing the command in the command line, the desired application opens up under the specified conditions.

Voila! There you go, finally we are able to intercept the traffic in Burp.

Now we can carry out the general pen-test methodology that we follow to test web applications and check for attacks like SQL injection, PE, sensitive information retrieval, etc.

Apart from the general penetration testing procedure that we follow, we have an audit tool offered through Node.js known as npm audit, which looks up vulnerabilities based on the version of the Electron framework used by the application and the code it depends on.

One more interesting part of this audit tool is that it has the capability of fixing the issues, which is offered as one of its options (which of course we pen-testers would not want to do).

In order to make use of this tool we have to make the npm utility available. That can be done by installing Node.js, which can be found here.

After the download, let's check whether npm is successfully installed by issuing the following command:


So we can see the different commands available for this utility, but the command of most interest to us is audit.

For the npm audit command to run successfully it requires the package.json file of the Electron application, which can be found packaged in the app.asar file. Therefore, we need to extract it.

Now then, to continue with the audit part, first we have to extract the app.asar file present in the resources folder of the application location.

.asar archives are used for packaging applications based on the Electron framework.

An .asar archive can be extracted through a utility available for 7z that needs to be installed; follow the steps mentioned in its readme file. The utility can be found here.

Note: some Electron app developers may create encrypted .asar archives. You cannot access the contents of such archives unless you know the specific encryption method.
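To make the format described above concrete, and to show why package.json can be pulled out of app.asar without unpacking everything, here is a minimal asar reader added as an example; it is not code from the original article, from Electron or from the asar package. The archive it reads is built in memory by its own helper from constructed sample values, it walks nested directories when listing, and it refuses entries flagged `unpacked` (those live beside the archive in app.asar.unpacked, not inside it).

```javascript
// Added example (not code from the asar tool or Electron): minimal reader for the asar
// format. Layout: [u32 LE = 4][u32 LE pickle size][pickle: u32 payload size, u32 JSON
// length, JSON, pad to 4] then file bytes; offsets are decimal strings from the data start.
function parseAsar(buf) {
  const pickleSize = buf.readUInt32LE(4), jsonLen = buf.readUInt32LE(12);
  const header = JSON.parse(buf.toString('utf8', 16, 16 + jsonLen));
  return { header, dataOffset: 8 + pickleSize };
}
// Flatten the nested {files: {...}} tree into "dir/file" paths.
function listFiles(node, prefix = '') {
  return Object.entries(node.files || {}).flatMap(([name, e]) => {
    const p = prefix ? `${prefix}/${name}` : name;
    return e.files ? listFiles(e, p) : [p];
  });
}
// Read one entry by path without unpacking the rest of the archive.
function readEntry(buf, asar, path) {
  const node = path.split('/').reduce((n, k) => n && n.files && n.files[k], asar.header);
  if (!node || node.files) throw new Error(`not a file: ${path}`);
  if (node.unpacked) throw new Error(`${path} is stored in app.asar.unpacked`);
  const start = asar.dataOffset + Number(node.offset);
  return buf.subarray(start, start + node.size);
}
// Constructed fixture: pack a flat set of files into a valid archive in memory.
function buildAsar(files) {
  const tree = { files: {} }, chunks = []; let offset = 0;
  for (const [name, text] of Object.entries(files)) {
    const data = Buffer.from(text);
    tree.files[name] = { size: data.length, offset: String(offset) };
    chunks.push(data); offset += data.length;
  }
  const json = Buffer.from(JSON.stringify(tree));
  const padded = (json.length + 3) & ~3;
  const pickle = Buffer.alloc(8 + padded);
  pickle.writeUInt32LE(4 + padded, 0); pickle.writeUInt32LE(json.length, 4); json.copy(pickle, 8);
  const sizeBuf = Buffer.alloc(8);
  sizeBuf.writeUInt32LE(4, 0); sizeBuf.writeUInt32LE(pickle.length, 4);
  return Buffer.concat([sizeBuf, pickle, ...chunks]);
}
// Sample app.asar holding the package.json that npm audit needs (constructed values).
const SAMPLE = buildAsar({
  'package.json': JSON.stringify({ name: 'demo-app', devDependencies: { electron: '4.0.0' } }),
  'main.js': "require('electron').app.on('ready', () => {});",
});
// Pull package.json straight out of the archive and report the pinned Electron version.
function electronVersion(buf) {
  const asar = parseAsar(buf);
  const pkg = JSON.parse(readEntry(buf, asar, 'package.json').toString('utf8'));
  return (pkg.devDependencies || {}).electron || (pkg.dependencies || {}).electron || null;
}
```

The version string this returns is exactly what npm audit will look up for the electron package, so it is a quick sanity check before running the full audit.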

Let’s extract the app.asar archive:

Once the extraction is done, open a command prompt in the extracted location and run the npm audit command.

There you go: it seems there are code-level issues in the application. One more interesting thing we find here is that it even tells us the command through which we can resolve the issue.

So that's it for this article. Hope you really enjoyed it and learnt something from it. Kindly share this knowledge, as it would be helpful for someone somewhere. Till then, happy reading!
