[B! Electron] ionisã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

ionis id:ionis

Electronã«é–¢ã™ã‚‹ionisã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (9)

${{author_name}}$

{{author_name}} {{created}}

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

{{#following_bookmarks}}

${{author_name}}$

{{author_name}} {{created}}

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

{{/following_bookmarks}}

{{/is_wiped}}

Electron: Context Isolationã®æ¬ å¦‚ã‚’åˆ©ç”¨ã—ãŸä»»æ„ã‚³ãƒ¼ãƒ‰å®Ÿè¡Œ / Electron: Abusing the lack of context isolation - CureCon(ja)
ãƒ™ãƒ«ãƒªãƒ³ã§é–‹å‚¬ã•ã‚ŒãŸCure53ã®ã‚¤ãƒ™ãƒ³ãƒˆã€CureConã®è³‡æ–™ã§ã™ã€‚
ionis 2018/08/20
ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

Electron
ãƒªãƒ³ã‚¯
Sheepl : Automating People for Red and Blue Tradecraft
LevelBlue Completes Acquisition of Trustwave to Form the World's Largest Pure-Play MSSP.Â Learn More
ionis 2018/05/16
Electron

è„†å¼±æ€§
ãƒªãƒ³ã‚¯
Exploiting Electron RCE in Exodus wallet | HackerNoon
While browsing Twitter Iâ€™ve noticed ElectronJS remote code execution vulnerability in protocol handler. That sounds severe. As stated in official description, for application to be vulnerable is enough to register itself as default handler for some protocol. I had one application based on Electron installed on my laptop that I was looking into some time agoâ€Šâ€”â€ŠExodus cryptocurrencies wallet. I knew
ionis 2018/01/30
CVE-2018-1000006

exploit

Electron

è„†å¼±æ€§

Windows
ãƒªãƒ³ã‚¯
Protocol Handler Vulnerability Fix | Electron
A remote code execution vulnerability has been discovered affecting Electron apps that use custom protocol handlers. This vulnerability has been assigned the CVE identifier CVE-2018-1000006. Affected Platformsâ€‹ Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable. Such apps can be affected regardless of how the proto
ionis 2018/01/30
CVE-2018-1000006

Electron

è„†å¼±æ€§

Windows
ãƒªãƒ³ã‚¯
DeNA Engineering - DeNAã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã®ãƒãƒ¼ã‚¿ãƒ«ã‚µã‚¤ãƒˆ
æŠ€è¡“ã‚’æ´»ã‹ã—ã€æ–°ã—ã„ä¾¡å€¤ã‚’å‰µé€ ã™ã‚‹ DeNAã®ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã¯ã€æƒ³åƒã‚’è¶…ãˆã‚‹Delightã‚’å±Šã‘ã‚‹ãŸã‚ã«ä½•ãŒã§ãã‚‹ã‹ã‚’è€ƒãˆã€æŠ€è¡“åŠ›ã¨ç™ºæƒ³åŠ›ã§æ–°ã—ã„ä¾¡å€¤ã‚’ç”Ÿã¿å‡ºã—ã¦ã„ã¾ã™ã€‚ å¤šæ§˜ãªå°‚é–€æ€§ã‚’æŒã£ãŸã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ãŒåˆ‡ç£‹ç¢ç£¨ã—ã€äº’ã„ã«åˆºæ¿€ã—åˆãˆã‚‹ç’°å¢ƒã‚„åˆ¶åº¦ãŒã•ã‚‰ãªã‚‹æˆé•·ã¸ã¨ã¤ãªã’ã¾ã™ã€‚
ionis 2016/04/28
ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

Electron

*ã‚ã¨ã§èªã‚€
ãƒªãƒ³ã‚¯
https://utf-8.jp/public/2016/0328/shibuyaxss.pdf
ionis 2016/03/29
XSS

Electron

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

*ã‚ã¨ã§èªã‚€
ãƒªãƒ³ã‚¯
ãƒžãƒ«ãƒãƒ—ãƒ©ãƒƒãƒˆãƒ•ã‚©ãƒ¼ãƒ ã§å‹•ãã€ŒElectronã€ã¯æœ¬å½“ã«ä½¿ãˆã‚‹æŠ€è¡“ãªã®ã‹ï¼Ÿï½œCodeIQ MAGAZINE
2018å¹´4æœˆ25æ—¥ã‚’ã‚‚ã¡ã¾ã—ã¦ã€ ã€ŽCodeIQã€ã®ãƒ—ãƒã‚°ãƒ©ãƒŸãƒ³ã‚°è…•è©¦ã—ã‚µãƒ¼ãƒ“ã‚¹ã€å¹´åŽç¢ºç´„ã‚¹ã‚«ã‚¦ãƒˆã‚µãƒ¼ãƒ“ã‚¹ã¯ã€ IT ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã®ãŸã‚ã®å¹´åŽç¢ºç´„ã‚¹ã‚«ã‚¦ãƒˆã‚µãƒ¼ãƒ“ã‚¹ã€Žmoffers by CodeIQã€https://moffers.jp/ ã¸ä¸€æœ¬åŒ–ã„ãŸã—ã¾ã—ãŸã€‚ ã“ã‚Œã¾ã§å¤šãã®IT ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã®æ–¹ã«ã€ŽCodeIQã€ã‚’ã”åˆ©ç”¨ã„ãŸã ãã¾ã—ã¦ã€ æ”¹ã‚ã¦å¿ƒã‚ˆã‚Šæ·±ãå¾¡ç¤¼ç”³ã—ä¸Šã’ã¾ã™ã€‚ ã¾ãŸã€ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã®ãŸã‚ã®Webãƒžã‚¬ã‚¸ãƒ³ã€ŒCodeIQ MAGAZINEã€ã¯ã€ ãƒªã‚¯ãƒŠãƒ“NEXTã‚¸ãƒ£ãƒ¼ãƒŠãƒ«( https://next.rikunabi.com/journal/ )ã«ä¸€éƒ¨ã®è¨˜äº‹ã®ç§»è¡Œã‚’äºˆå®šã—ã¦ãŠã‚Šã¾ã™ã€‚ ä»Šå¾Œã¯ã€Žmoffers by CodeIQã€ã«ã¦ã€ IT ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã®çš†æ§˜ã®ã‚ˆã‚Šè‰¯ã„è»¢è·ã‚’ã‚µãƒãƒ¼ãƒˆã™ã‚‹ãŸã‚ã«ã€ã‚ˆã‚Šä¸€å±¤åŠªã‚ã¦ã¾ã„ã‚Šã¾ã™ã®ã§ã€ å¼•ãç¶šãã”æ„›é¡§ã®ã»ã©ä½•å’ã‚ˆã‚ã—ããŠé¡˜ã„ç”³ã—ä¸Šã’ã¾ã™ã€‚ ã¾ãŸã€Cod
ionis 2016/03/25
Electron

node.js
ãƒªãƒ³ã‚¯
Electronã§ã‚¢ãƒ—ãƒªã‚’æ›¸ãå ´åˆã¯ã€æ°—åˆã„ã¨æ ¹æ€§ã§XSSã‚’ç™ºç”Ÿã•ã›ãªã„ã‚ˆã†ã«ã—ãªã‘ã‚Œã°ãªã‚‰ãªã„ã€‚ - è‘‰ã£ã±æ—¥è¨˜
ãã®ã†ã¡ã‚‚ã†å°‘ã—ãã¡ã‚“ã¨æ›¸ãã¾ã™ãŒã€ã¨ã‚Šã‚ãˆãšæ™‚é–“ãŒãªã„ã®ã§çµè«–ã ã‘æ›¸ãã¨ã€ã‚¿ã‚¤ãƒˆãƒ«ãŒå…¨ã¦ã§Electronã§ã‚¢ãƒ—ãƒªã‚’æ›¸ãå ´åˆã¯æ°—åˆã„ã¨æ ¹æ€§ã§XSSã‚’ç™ºç”Ÿã•ã›ãªã„ã‚ˆã†ã«ã—ãªã‘ã‚Œã°ãªã‚‰ãªã„ã€‚ ã“ã‚Œã¾ã§Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ä¸Šã§XSSãŒå˜åœ¨ã—ãŸã¨ã—ã¦ã‚‚ã€å½±éŸ¿ç¯„å›²ã¯ãã®Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã®ä¸ã«ç•™ã¾ã‚‹ã®ã§ã€Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã®æä¾›å´ãŒãã‚Œã‚’è¨±å®¹ã™ã‚‹ã®ã§ã‚ã‚Œã°XSSã®å˜åœ¨ã«ç›®ã‚’ã¤ã‚€ã‚‹ã“ã¨ã‚‚ã§ããŸã€‚ã—ã‹ã—ã€Electronã‚¢ãƒ—ãƒªã§DOM-based XSSãŒä¸€ã‹æ‰€ã§ã‚‚ç™ºç”Ÿã™ã‚‹ã¨ã€(ãŠãã‚‰ã)ç¢ºå®Ÿã«ä»»æ„ã‚³ãƒ¼ãƒ‰å®Ÿè¡Œã¸ã¨ã¤ãªãŒã‚Šã€åˆ©ç”¨è€…ã®PCã®(ãã®ãƒ¦ãƒ¼ã‚¶ãƒ¼æ¨©é™ã§ã®)å…¨æ©Ÿèƒ½ãŒæ”»æ’ƒè€…ã«ã‚ˆã£ã¦åˆ©ç”¨ã§ãã‚‹ã€‚ ãã®ãŸã‚ã€Electronã§ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã‚’ä½œæˆã™ã‚‹é–‹ç™ºè€…ã¯æ°—åˆã„ã¨æ ¹æ€§ã§XSSã‚’å®Œå…¨ã«ã¤ã¶ã•ãªã‘ã‚Œã°ãªã‚‰ãªã„ã€‚ nodeIntegration:falseã‚„Content-Security-Pol
ionis 2016/01/25
Electron

XSS

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£
ãƒªãƒ³ã‚¯
Electronã®webviewè¦ç´ ã§ã¯allowpopupså±žæ€§ã‚’ã¤ã‘ã¦ã¯ã„ã‘ãªã„ - è‘‰ã£ã±æ—¥è¨˜
Electronã‚’ä½¿ã£ã¦ãƒ–ãƒ©ã‚¦ã‚¶ã®ã‚ˆã†ãªã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã‚’ä½œã‚‹å ´åˆã«ã¯ webviewã‚¿ã‚°ãŒä½¿ç”¨ã•ã‚Œã‚‹ã€‚ä¾‹ãˆã°ã€ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³å†…ã«example.jpã®ã‚µã‚¤ãƒˆã‚’è¡¨ç¤ºã™ã‚‹ã«ã¯ä»¥ä¸‹ã®ã‚ˆã†ã«HTMLã«è¨˜è¿°ã™ã‚‹ã€‚ <webview src="http://example.jp/"></webview> ã“ã“ã§ã€webviewã‚¿ã‚°ã«allowpopupså±žæ€§ã‚’ä»˜ä¸Žã™ã‚‹ã¨ã€example.jpã‚µã‚¤ãƒˆå†…ã®ã‚³ãƒ¼ãƒ‰ã‹ã‚‰window.openç‰ã‚’ä½¿ã£ã¦æ–°ãŸã«ã‚¦ã‚£ãƒ³ãƒ‰ã‚¦ã‚’é–‹ãã“ã¨ãŒã§ãã‚‹ã‚ˆã†ã«ãªã‚‹ã€‚ã“ã®ã¨ãã€example.jpã«æ‚ªæ„ãŒã‚ã‚Šä»¥ä¸‹ã®ã‚ˆã†ãªã‚³ãƒ¼ãƒ‰ãŒå«ã¾ã‚Œã¦ã„ã‚‹ã¨ã™ã‚‹ã€‚ if( typeof require === "undefined" ) window.open( 'http://example.jp/', '', 'nodeIntegration=1'); else require( "chi
ionis 2016/01/25
Electron

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

webView
ãƒªãƒ³ã‚¯
1

ãŠçŸ¥ã‚‰ã›

ã‚‚ã£ã¨èªã‚€

å…¬å¼Twitter

@HatenaBookmark
ãƒªãƒªãƒ¼ã‚¹ã€éšœå®³æƒ…å ±ãªã©ã®ã‚µãƒ¼ãƒ“ã‚¹ã®ãŠçŸ¥ã‚‰ã›
@hatebu
æœ€æ–°ã®äººæ°—ã‚¨ãƒ³ãƒˆãƒªãƒ¼ã®é…ä¿¡

ã‚ãƒ¼ãƒœãƒ¼ãƒ‰ã‚·ãƒ§ãƒ¼ãƒˆã‚«ãƒƒãƒˆä¸€è¦§

jæ¬¡ã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

kå‰ã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

lã‚ã¨ã§èªã‚€

eã‚³ãƒ¡ãƒ³ãƒˆä¸€è¦§ã‚’é–‹ã

oãƒšãƒ¼ã‚¸ã‚’é–‹ã

è¨å®šã‚’å¤‰æ›´ã—ã¾ã—ãŸx