
Practical Modern Desktop App Attacks By Example

What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js: JavaScript on the server.

What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client.

This talk is a comprehensive review of interesting security flaws discovered over the years in many Electron apps: A practical walkthrough that covers anonymized juicy findings from reports that could not be public, interesting vulnerabilities in open source apps with strong security requirements, and more.


Knowledge of any of the following is not required but will be an advantage: Web security, Desktop app security, JavaScript security, Electron Security, Node.js Security, Static analysis, Dynamic analysis, File storage, Crypto, XSS, SSRF, SQLi, RCE, Data exfiltration


This talk aims to increase awareness about modern web and desktop app attack vectors and how security auditors and developers can use these to make the world a safer place.




Abraham Aranguren
Abraham Aranguren has worked in the IT industry for 20 years (13 years in itsec) and is now the CEO of 7ASecurity, a company specializing in penetration testing of web and mobile apps, infrastructure, code reviews and training. He writes on Twitter as @7asecurity, @7a_ and @owtfp, and on the blog at https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications



