Electronegativity – Tool To Identify Misconfigurations And Security Anti-Patterns In Electron Applications

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications. It leverages AST and DOM parsing to look for security-relevant configurations, as described in the "Electron Security Checklist – A Guide for Developers and Auditors" whitepaper. Software developers and security auditors can use this tool to detect and mitigate potential weaknesses and implementation bugs when developing applications using Electron. A good understanding of Electron (in)security is still required when using Electronegativity, as some of the potential issues detected by the tool require manual investigation.

If you're interested in Electron Security, have a look at our BlackHat 2017 research "Electronegativity – A Study of Electron Security" and keep an eye on Doyensec's blog.

Installation

Major releases are pushed to NPM and can be simply installed using:

$ npm install @doyensec/electronegativity -g

Usage

$ electronegativity -h

Option          Description
-V              output the version number
-i, --input     input (directory, .js, .htm, .asar)
-o, --output    save the results to a file in csv or sarif format
-h, --help      output usage information

Using electronegativity to look for issues in a directory containing an Electron app:

$ electronegativity -i /path/to/electron/app

Using electronegativity to look for issues in an asar archive and saving the results in a csv file:

$ electronegativity -i /path/to/asar/archive -o result.csv

Note: if you're running into the Fatal Error "JavaScript heap out of memory", you can run node with a larger heap:

$ node --max-old-space-size=4096 electronegativity -i /path/to/asar/archive -o result.csv

Credits

Electronegativity was made possible thanks to the work of Claudio Merloni, Ibram Marzouk, Jaroslav Lobačevski and many other contributors. This work has been sponsored by Doyensec LLC.

Download Electronegativity
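To make the kind of "security-relevant configuration" the tool hunts for concrete, here is an added example (not Electronegativity's own code) that audits a BrowserWindow webPreferences object against a few well-known Electron anti-patterns; the rule set and the per-version defaults are assumptions drawn from the public Electron security recommendations, not the tool's actual checks.

```javascript
// Rules: the option, the value considered unsafe, and a short rationale.
// Assumed from Electron's published security recommendations.
const RULES = [
  { key: 'nodeIntegration', unsafe: true,
    msg: 'Node.js APIs reachable from renderer content; an XSS becomes RCE' },
  { key: 'contextIsolation', unsafe: false,
    msg: 'preload script and page share one JS context' },
  { key: 'webSecurity', unsafe: false,
    msg: 'same-origin policy disabled in the renderer' },
  { key: 'allowRunningInsecureContent', unsafe: true,
    msg: 'plain-HTTP content allowed inside HTTPS pages' },
  { key: 'experimentalFeatures', unsafe: true,
    msg: 'experimental Chromium features enabled' },
];

// Defaults that apply when an option is omitted (assumed per Electron era):
// modern releases default to the safe values, old ones did not.
const MODERN_DEFAULTS = { nodeIntegration: false, contextIsolation: true,
  webSecurity: true, allowRunningInsecureContent: false, experimentalFeatures: false };
const LEGACY_DEFAULTS = { ...MODERN_DEFAULTS, nodeIntegration: true, contextIsolation: false };

// Return one finding per violated rule. An option that is not set is
// evaluated against the supplied defaults, so a config that silently relies
// on an insecure default is reported too (explicit: false).
function auditWebPreferences(webPreferences = {}, defaults = MODERN_DEFAULTS) {
  const findings = [];
  for (const rule of RULES) {
    const explicit = Object.prototype.hasOwnProperty.call(webPreferences, rule.key);
    const value = explicit ? webPreferences[rule.key] : defaults[rule.key];
    if (value === rule.unsafe) {
      findings.push({ option: rule.key, value, explicit, msg: rule.msg });
    }
  }
  return findings;
}

// Constructed samples: a weak configuration beside its hardened form.
const weakConfig = { nodeIntegration: true, contextIsolation: false, webSecurity: false };
const hardenedConfig = { nodeIntegration: false, contextIsolation: true, sandbox: true };

console.log(auditWebPreferences(weakConfig));                 // 3 explicit findings
console.log(auditWebPreferences(hardenedConfig));             // []
console.log(auditWebPreferences({}, LEGACY_DEFAULTS));        // 2 implicit findings
```

The third call shows why an auditor still needs to know the target's Electron version: an empty webPreferences is clean on a modern release but was insecure by default on old ones.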

Link: http://feedproxy.google.com/~r/PentestTools/~3/zp7KJ0Mg0-A/electronegativity-tool-to-identify.html