Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
It leverages AST and DOM parsing to look for security-relevant configurations, as described in the "Electron Security Checklist - A Guide for Developers and Auditors" whitepaper.
Software developers and security auditors can use this tool to detect and mitigate potential weaknesses and implementation bugs when developing applications using Electron. A good understanding of Electron (in)security is still required when using Electronegativity, as some of the potential issues detected by the tool require manual investigation.
If you're interested in Electron Security, have a look at our BlackHat 2017 research Electronegativity - A Study of Electron Security and keep an eye on the Doyensec's blog.
Major releases are pushed to NPM and can be simply installed using:
$ npm install @doyensec/electronegativity -g
$ electronegativity -h
|-V||output the version number|
|-i, --input||input (directory, .js, .htm, .asar)|
|-o, --output||save the results to a file in csv or sarif format|
|-h, --help||output usage information|
$ electronegativity -i /path/to/electron/appUsing electronegativity to look for issues in an
asararchive and saving the results in a csv file:
node --max-old-space-size=4096 electronegativity -i /path/to/asar/archive -o result.csv
Electronegativity was made possible thanks to the work of Claudio Merloni, Ibram Marzouk, Jaroslav LobaÄevski and many other contributors.
This work has been sponsored by Doyensec LLC.