• Stars
    star
    953
  • Rank 47,957 (Top 1.0 %)
  • Language
    JavaScript
  • License
    Apache License 2.0
  • Created over 7 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron applications.

Electronegativity

What's Electronegativity?

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.

It leverages AST and DOM parsing to look for security-relevant configurations, as described in the "Electron Security Checklist - A Guide for Developers and Auditors" whitepaper.

Software developers and security auditors can use this tool to detect and mitigate potential weaknesses and implementation bugs when developing applications using Electron. A good understanding of Electron (in)security is still required when using Electronegativity, as some of the potential issues detected by the tool require manual investigation.

If you're interested in Electron Security, have a look at our BlackHat 2017 research Electronegativity - A Study of Electron Security and keep an eye on the Doyensec's blog.

Electronegativity Demo

ElectroNG Improved Version

If you need something more powerful or updated, an improved SAST tool based on Electronegativity is available as the result of many years of applied R&D from Doyensec. At the end of 2020, we sat down to create a project roadmap and created a development team to work on what is now ElectroNG. You can read more some of the major improvements over the OSS version in a recent blog post.

Installation

Major releases are pushed to NPM and can be simply installed using:

$ npm install @doyensec/electronegativity -g

Usage

CLI

$ electronegativity -h
Option Description
-V output the version number
-i, --input input (directory, .js, .html, .asar)
-l, --checks only run the specified checks, passed in csv format
-x, --exclude-checks skip the specified checks list, passed in csv format
-s, --severity only return findings with the specified level of severity or above
-c, --confidence only return findings with the specified level of confidence or above
-o, --output <filename[.csv or .sarif]> save the results to a file in csv or sarif format
-r, --relative show relative path for files
-v, --verbose show the description for the findings, defaults to true
-u, --upgrade run Electron upgrade checks, eg -u 7..8 to check upgrade from Electron 7 to 8
-e, --electron-version assume the set Electron version, overriding the detected one, eg -e 7.0.0 to treat as using Electron 7
-p, --parser-plugins specify additional parser plugins to use separated by commas, e.g. -p optionalChaining
-h, --help output usage information

Using electronegativity to look for issues in a directory containing an Electron app:

$ electronegativity -i /path/to/electron/app

Using electronegativity to look for issues in an asar archive and saving the results in a csv file:

$ electronegativity -i /path/to/asar/archive -o result.csv

Using electronegativity when upgrading from one version of Electron to another to find breaking changes:

$ electronegativity -i /path/to/electron/app -v -u 7..8

Note: if you're running into the Fatal Error "JavaScript heap out of memory", you can run node using node --max-old-space-size=4096 electronegativity -i /path/to/asar/archive -o result.csv

Ignoring Lines or Files

Electronegativity lets you disable individual checks using eng-disable comments. For example, if you want a specific check to ignore a line of code, you can disable it as follows:

const res = eval(safeVariable); /* eng-disable DANGEROUS_FUNCTIONS_JS_CHECK */
<webview src="https://doyensec.com/" enableblinkfeatures="DangerousFeature"></webview> <!-- eng-disable BLINK_FEATURES_HTML_CHECK -->

Any eng-disable inline comment (// eng-disable, /* eng-disable */, <!-- eng-disable -->) will disable the specified check for just that line. It is also possible to provide multiple check names using both their snake case IDs (DANGEROUS_FUNCTIONS_JS_CHECK) or their construct names (dangerousFunctionsJSCheck):

shell.openExternal(eval(safeVar)); /* eng-disable OPEN_EXTERNAL_JS_CHECK DANGEROUS_FUNCTIONS_JS_CHECK */

If you put an eng-disable directive before any code at the top of a .js or .html file, that will disable the passed checks for the entire file.

Note on Global Checks and eng-disable annotations

Before v1.9.0 Global Checks couldn't be disabled using code annotations. If you are still using an old version, use -x CLI argument to manually disable a list of checks instead (e.g. -x LimitNavigationJsCheck,PermissionRequestHandlerJsCheck,CSPGlobalCheck). Note that using annotations may not be applicable for some higher-level checks such as CSP_GLOBAL_CHECK or AVAILABLE_SECURITY_FIXES_GLOBAL_CHECK. For those cases, you might want to use the -x flag to exclude specific checks from your scan.

CI/CD

Electronegativity Action may run as part of your GitHub CI/CD pipeline to get "Code scanning alerts":

Code scanning alerts

Programmatically

You can also use electronegativity programmatically, using similar options as for the CLI:

const run = require('@doyensec/electronegativity')
// or: import run from '@doyensec/electronegativity';

run({
  // input (directory, .js, .html, .asar)
  input: '/path/to/electron/app',
  // save the results to a file in csv or sarif format (optional)
  output: '/path/for/output/file',
  // true to save output as sarif, false to save as csv (optional)
  isSarif: false,
  // only run the specified checks (optional)
  customScan: ['dangerousfunctionsjscheck', 'remotemodulejscheck'],
  // only return findings with the specified level of severity or above (optional)
  severitySet: 'high',
  // only return findings with the specified level of confidence or above (optional)
  confidenceSet: 'certain',
  // show relative path for files (optional)
  isRelative: false,
  // run Electron upgrade checks, eg -u 7..8 to check upgrade from Electron 7 to 8 (optional)
  electronUpgrade: '7..8',
  // assume the set Electron version, overriding the detected one
  electronVersion: '5.0.0',
  // use additional parser plugins
  parserPlugins: ['optionalChaining']
})
    .then(result => console.log(result))
    .catch(err => console.error(err));

The result contains the number of global and atomic checks, any errors encountered while parsing and an array of the issues found, like this:

{
  globalChecks: 6,
  atomicChecks: 36,
  errors: [
    {
      file: 'ts/main/main.ts',
      sample: 'shell.openExternal(url);',
      location: { line: 328, column: 4 },
      id: 'OPEN_EXTERNAL_JS_CHECK',
      description: 'Review the use of openExternal',
      properties: undefined,
      severity: { value: 2, name: 'MEDIUM', format: [Function: format] },
      confidence: { value: 0, name: 'TENTATIVE', format: [Function: format] },
      manualReview: true,
      shortenedURL: 'https://git.io/JeuMC'
    },
    {
      file: 'ts/main/main.ts',
      sample: 'const popup = new BrowserWindow(options);',
      location: { line: 340, column: 18 },
      id: 'CONTEXT_ISOLATION_JS_CHECK',
      description: 'Review the use of the contextIsolation option',
      properties: undefined,
      severity: { value: 3, name: 'HIGH', format: [Function: format] },
      confidence: { value: 1, name: 'FIRM', format: [Function: format] },
      manualReview: false,
      shortenedURL: 'https://git.io/Jeu1p'
    }
  ]
}

Contributing

If you're thinking about contributing to this project, please take a look at our CONTRIBUTING.md.

Credits

Electronegativity was made possible thanks to the work of many contributors.

This project has been sponsored by Doyensec LLC.

alt text

Engage us to break your Electron.js application!

More Repositories

1

inql

InQL is a robust, open-source Burp Suite extension for advanced GraphQL testing, offering intuitive vulnerability detection, customizable scans, and seamless Burp integration.
Python
1,510
star
2

regexploit

Find regular expressions which are vulnerable to ReDoS (Regular Expression Denial of Service)
Python
779
star
3

awesome-electronjs-hacking

A curated list of awesome resources about Electron.js (in)security
558
star
4

burpdeveltraining

Material for the training "Developing Burp Suite Extensions – From Manual Testing to Security Automation"
Java
345
star
5

wsrepl

WebSocket REPL for pentesters
Python
194
star
6

Session-Hijacking-Visual-Exploitation

Session Hijacking Visual Exploitation
JavaScript
189
star
7

PESD-Exporter-Extension

PESD (Proxy Enriched Sequence Diagrams) Exporter converts Burp Suite's proxy traffic into interactive diagrams
HTML
94
star
8

ajpfuzzer

A command-line fuzzer for the Apache JServ Protocol (ajp13)
Java
91
star
9

safeurl

A Server Side Request Forgery (SSRF) protection library. Made with πŸ–€ by Doyensec LLC.
Go
89
star
10

CSPTBurpExtension

CSPT is an open-source Burp Suite extension to find and exploit Client-Side Path Traversal.
Java
79
star
11

Prototype-Pollution-Gadgets-Finder

Python
73
star
12

StandardizedImageProcessingTest

A test suite built with Mocha/Chai to test for behavioral differences between image libraries for the web
JavaScript
68
star
13

PoiEx

🌐 Visualize and explore IaC βœ’οΈ Create and share notes in VS Code 🀝 Sync notes and findings in real-time with friends
TypeScript
68
star
14

GQLSpection

GQLSpection - parses GraphQL introspection schema and generates possible queries
Python
64
star
15

HopperTheme

Doyensec theme for the Hopper Disassembler - chill and functional for long RE nights
55
star
16

oidc-ssrf

An Evil OIDC Server
Go
49
star
17

cloudsec-tidbits

Blogpost series showcasing interesting cloud - web app security bugs
HCL
44
star
18

confuser

Dependency Confusion Security Testing Tool
Python
39
star
19

vbox-fuzz

Companion to the "Introduction to VirtualBox security research" Blog Post
C++
29
star
20

CVE-2022-39299_PoC_Generator

A Simple CVE-2022-39299 PoC exploit generator to bypass authentication in SAML SSO Integrations using vulnerable versions of passport-saml
Python
17
star
21

VSCode_PoC_Oct2019

Proof of Concept for a VSCode Python Extension Code Execution Vulnerability
Python
16
star
22

r2pickledec

Pickle decompiler plugin for Radare2
C
14
star
23

imagemagick-security-policy-evaluator

The ImageMagick Security Policy Evaluator allows developers and security experts to check if an XML Security Policy is hardened against a wide set of malicious attacks. It assists with the process of reviewing such policies, which is usually a manual task, and helps identify the best practices for ImageMagick deployments.
JavaScript
14
star
24

webext_boilerplate

Web extension boilerplate files for web application testers.
JavaScript
7
star
25

db-race-conditions-playground

Database Race Condition Playground. Made with 🧑 by Doyensec LLC.
JavaScript
6
star
26

ThereAreBugsEverywhere

Doyensec Wallpapers - ThereAreBugsEverywhere Theme
5
star
27

libajp13

AJPv1.3 Java Library
Java
4
star
28

wallet-info

A web service providing Ethereum Dapp information. Made with πŸ–€ by Doyensec LLC.
Go
4
star
29

SoloKeys-2020Q1-fw-downgrade-PoC

SoloKeys firmware downgrade proof of concept
Python
3
star
30

libressl-portable

C
1
star