Hacking Modern Desktop apps with XSS and RCE

Abstract

Long are the days since web servers were run by perl scripts and desktop apps written in Delphi. What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client.

Modern Desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This workshop will teach you how to review modern desktop apps, showcasing Node.js and Electron but using techniques that will also work against any other desktop app platform. Ideal for Penetration Testers, Desktop app Developers as well as everybody interested in JavaScript/Node.js/Electron app security.

All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace

In this brief workshop we will give you a few lab samples covering the following topics:

  • Essential techniques to audit Electron applications
  • What XSS means in a desktop application
  • How to turn XSS into RCE in Modern apps
  • Attacking preload scripts
  • RCE via IPC

Get FREE access to the slides, recording and vulnerable apps to practice with: https://7asecurity.com/free-workshop-desktop-apps

Attendants will be provided with training portal access to practice the attack vectors covered. This includes: Lifetime access to a training portal, vulnerable apps to practice, guided exercise PDFs and video recording explaining how to solve the exercises.


Speakers Information


Abraham Aranguren

After 13 years in itsec and 20 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. Former senior penetration tester / team lead at Cure53 (cure53.de) and Version 1 (www.version1.com). Creator of “Practical Web Defense” - a hands-on eLearnSecurity attack / defense course (www.elearnsecurity.com/PWD), OWASP OWTF project leader, an OWASP flagship project (owtf.org), Major degree and Diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp or https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications





View Full Schedule

Subscribe to Our Mailing List

Join our community mailing list for updated on conference annoucements, important dates and discussions.