GitHub - danMateer/electron-pentest: A penetration test methodology to be used in conjunction with relevant [OWASP WSTG - v4.2](https://owasp.org/www-project-web-security-testing-guide/v42/) on Electron desktop application assessments
Electron Desktop Application Penetration Test

Summary

A penetration test methodology to be used in conjunction with relevant OWASP WSTG - v4.2 on Electron desktop application assessments.

Based largely on Luca Carettoni's Electron Security Checklist: A guide for developers and auditors.

Prerequisites

A majority of these checks require decompiling the Electron application (see: Decompiling and repacking Electron Apps). Note that the extracted code may also need to be deobfuscated and unminified before review.

Tooling

A majority of these checks can be conducted using Electronegativity.

Checks

  1. Sensitive Information Extraction
  2. Code Execution from Untrusted Content
  3. Unsandboxed Process Execution
  4. Unsafe Command Line Arguments
  5. Improper Use of Preload Scripts
  6. Chromium Web Security Override
  7. Insecure Communication
  8. Chromium Experimental Features
  9. Allowed Navigation to Untrusted Origins
  10. Unhandled Session Permission Requests from Remote Content
  11. JavaScript, CSS Injection
  12. Clickjacking via Popups
  13. Unsafe Custom Protocol Handlers
  14. User Host Compromise
