# XSS to RCE Electron Desktop Apps Electron is **based on Chromium**, but it is not a browser. Certain principles and security mechanisms implemented by modern browsers are not in place.\ You could see Electron like a local backend+frontend app where **NodeJS** is the **backend** and **chromium** is the **frontend**. In the source code of an Electron app, inside the `packet.json` you can find specified the `main.js` file where security configs ad set. ```json { "name": "standard-notes", "main": "./app/index.js", ``` Electron has 2 process types: * Main Process (has complete access to NodeJS) * Renderer Process (should have NodeJS restricted access for security reasons) ![](<../../../.gitbook/assets/image (307).png>) A **renderer process** will be a browser window loading a file: ```javascript const {BrowserWindow} = require('electron'); let win = new BrowserWindow(); //Open Renderer Process win.loadURL(`file://path/to/index.html`); ``` Settings of the **renderer process** can be **configured** in the **main process** inside the main.js file. Some of the configurations will **prevent the Electron application to get RCE** or other vulnerabilities if the **settings are correctly configured**. The desktop application might have access to the user’s device through Node APIs. The following two configurations are responsible for providing mechanisms to **prevent the application JavaScript from having direct access to the user’s device** and system level commands. * **`nodeIntegration`** - is `off` by default. If on, allows to access node features from the renderer process. * **`contextIsolation`** - is `on` by default. If on, main and renderer processes aren't isolated. * **`preload`** - empty by default. * **``**[**`sandbox`**](https://docs.w3cub.com/electron/api/sandbox-option) - is off by default. It will restrict the actions NodeJS can perform. Example of configuration: ```javascript const mainWindowOptions = { title: 'Discord', backgroundColor: getBackgroundColor(), width: DEFAULT_WIDTH, height: DEFAULT_HEIGHT, minWidth: MIN_WIDTH, minHeight: MIN_HEIGHT, transparent: false, frame: false, resizable: true, show: isVisible, webPreferences: { blinkFeatures: 'EnumerateDevices,AudioOutputDevices', nodeIntegration: false, contextIsolation: false preload: _path2.default.join(__dirname, 'mainScreenPreload.js'), nativeWindowOpen: true, enableRemoteModule: false, spellcheck: true } }; ``` Some **RCE payloads** from [here](https://7as.es/electron/nodeIntegration\_rce.txt): ```html Example Payloads (Windows): Example Payloads (Linux & MacOS): ``` ## RCE: XSS + nodeIntegration If the **nodeIntegration** is set to **on**, a web page's JavaScript can use Node.js features easily just by calling the `require()`. For example, the way to execute the calc application on Windows is: ```html ``` ## RCE: preload The script indicated in this setting is l**oaded before other scripts in the renderer**, so it has **unlimited access to Node APIs**: ```javascript new BrowserWindow{ webPreferences: { nodeIntegration: false, preload: _path2.default.join(__dirname, 'perload.js'), } }); ``` Therefore, the script can export node-features to pages: {% code title="preload.js" %} ```javascript typeof require === 'function'; window.runCalc = function(){ require('child_process').exec('calc') }; ``` {% endcode %} {% code title="index.html" %} ```html
``` {% endcode %} {% hint style="info" %} **If `contextIsolation` is on, this won't work** {% endhint %} ## RCE: XSS + contextIsolation The _**contextIsolation**_ introduces the **separated contexts between the web page scripts and the JavaScript Electron's internal code** so that the JavaScript execution of each code does not affect each. This is a necessary feature to eliminate the possibility of RCE. If the contexts aren't isolated an attacker can: 1. Execute **arbitrary JavaScript in renderer** (XSS or navigation to external sites) 2. **Overwrite the built-in method** which is used in preload or Electron internal code to own function 3. **Trigger** the use of **overwritten function** 4. RCE? There are 2 places where built-int methods can be overwritten: In preload code or in Electron internal code: {% content-ref url="electron-contextisolation-rce-via-preload-code.md" %} [electron-contextisolation-rce-via-preload-code.md](electron-contextisolation-rce-via-preload-code.md) {% endcontent-ref %} {% content-ref url="electron-contextisolation-rce-via-electron-internal-code.md" %} [electron-contextisolation-rce-via-electron-internal-code.md](electron-contextisolation-rce-via-electron-internal-code.md) {% endcontent-ref %} {% content-ref url="electron-contextisolation-rce-via-ipc.md" %} [electron-contextisolation-rce-via-ipc.md](electron-contextisolation-rce-via-ipc.md) {% endcontent-ref %} ### Bypass click event If there are restrictions applied when you click a link you might be able to bypass them **doing a middle click** instead of a regular left click ```javascript window.addEventListener('click', (e) => { ``` ## Read Internal Files: XSS + contextIsolation If `contextIsolation` set to false you can try to use \