Presented at
CarolinaCon Online 2 (2022) Virtual,
April 29, 2022, 9 a.m.
(120 minutes).
Long are the days since web servers were run by perl scripts and desktop apps written in Delphi. What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client.
This workshop covers the following topics:
* Essential techniques to audit Electron applications
* What XSS means in a desktop application
* How to turn XSS into RCE in JavaScript apps
* Attacking preload scripts
* RCE via IPC
All action, no fluff JavaScript Desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This workshop will teach you how to review JavaScript desktop apps, showcasing Node.js and Electron but using techniques that will also work against any other desktop app platform. Ideal for Penetration Testers, Desktop app Developers as well as everybody interested in JavaScript/Node.js/Electron app security. Attendants will be provided with lifetime access to practice.
Presenters:
Similar Presentations: