Zero-day .NET and Nvidia GFE Vulnerabilities Explained

Presented at CarolinaCon Online 2 (2022) Virtual, April 29, 2022, 9 a.m. (120 minutes)

Long gone are the days when web servers were run by Perl scripts and desktop apps were written in Delphi. What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client.

This workshop covers the following topics:

* Essential techniques to audit Electron applications
* What XSS means in a desktop application
* How to turn XSS into RCE in JavaScript apps
* Attacking preload scripts
* RCE via IPC

All action, no fluff.

JavaScript desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This workshop will teach you how to review JavaScript desktop apps, showcasing Node.js and Electron but using techniques that will also work against any other desktop app platform.

Ideal for penetration testers, desktop app developers, as well as everybody interested in JavaScript/Node.js/Electron app security. Attendees will be provided with lifetime access to practice.

Presenters:
