This marks the third part of a series of articles exploring the fundamentals of security testing for Electron-based applications.
In this part we look at why extracting and analyzing .asar files matters and how to do it. Note that we have split this part into two articles so that each can focus on its own material; the second article will cover an unusual case study we encountered.
If you are joining the series here: the previous part explained how to install Electron-based applications and how to detect their presence on various operating systems, both manually and automatically.
With installation and identification covered, this part walks through the common steps for extracting an Electron application's bundled resources and mining them for information that is useful in testing.
4.1. .asar File Extraction Tools
In the previous chapter we mentioned that the .asar file is an archive holding all of the JavaScript, HTML, CSS and other resources used by an Electron-based application. The natural question is whether such a file can be extracted, and the answer is yes.
How? There are several ways, but the usual one is the asar command-line tool itself (named after the file extension and published on npm as @electron/asar), which can either be installed with npm or run on demand through NPX. We personally prefer NPX.
4.1.1. Why NPX?
Essentially, NPX (short for Node Package eXecute) is an NPM package runner that allows us to execute commands from an NPM package without having to install it globally or locally.
NPX is popular for practical reasons: a package that is only needed occasionally does not have to be installed on the system at all, which keeps the machine clean and avoids the "package pollution" that comes with unused packages taking up space or conflicting with other packages.
So for an asar command we only run now and then, NPX is the better fit: the package is downloaded, executed and discarded, without an explicit install. Two caveats are worth keeping in mind. First, NPX fetches and runs code straight from the npm registry, so name the package you actually mean; the unscoped asar package has been deprecated in favour of @electron/asar, which is the one the Electron project maintains. Second, NPX caches what it downloads, so a repeat run is fast, but the first run on an isolated test machine needs network access.
4.2. The Extraction
Let's say we have identified an Electron-based application on our OS (we'll use the application we built in Chapter 2) and located its .asar file, named app.asar.
The next step is to run the tool through NPX:
npx asar extract app.asar app-extract
As a simple note:
- app-extract is the directory into which the contents of app.asar are written.
- The same command works with the maintained package name, npx @electron/asar extract app.asar app-extract, and npx asar list app.asar prints the file list without extracting anything.
- The NPX command requires Node.js, which we installed in Chapter 2.
- If the application ships an app.asar.unpacked directory next to the archive, the files in it (typically native modules) were deliberately left outside the archive and should be reviewed alongside the extracted output.
Once extraction succeeds, we can read every resource that was bundled at build time. Note that asar applies no compression, encryption or obfuscation: the archive is a JSON index followed by the raw file bytes, so whatever went in at build time comes out verbatim.
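To show what the asar tool is actually doing, here is a small Python reader for the format, added as an example for this article (it is not the article's code and not the asar project's own code). It follows the layout documented in the electron/asar README: a Pickle-encoded header size, a Pickle-encoded JSON index, then the file bytes. The sample archive it reads is constructed inside the script by a tiny pack helper, so nothing here is taken from a real application. Since the header of an archive you did not build is untrusted input, the extractor also refuses entries whose path would escape the output directory.

```python
"""Minimal reader for Electron's .asar format (added example, not the
article's or the asar project's code; it reimplements what `asar extract`
does so the layout can be studied offline).

On disk, from the electron/asar README plus the Pickle encoding it uses:
  bytes 0-3   uint32 LE = 4            (payload length of the first pickle)
  bytes 4-7   uint32 LE header_size    (length of the second pickle)
  bytes 8-11  uint32 LE header_size-4  (payload length of the second pickle)
  bytes 12-15 uint32 LE len(header_json)
  bytes 16-.. header_json, zero padded to a 4-byte boundary
File bytes start at 8 + header_size; each "offset" in the JSON is a base-10
string relative to that point and each "size" is in bytes.
"""
from __future__ import annotations

import json
import os
import struct
import tempfile


def pack_asar(files: dict) -> bytes:
    """Build an archive from {path: bytes}; used only to construct the sample."""
    tree: dict = {"files": {}}
    blobs, offset = [], 0
    for path, data in files.items():
        node = tree
        *dirs, name = path.split("/")
        for d in dirs:
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][name] = {"size": len(data), "offset": str(offset)}
        blobs.append(data)
        offset += len(data)
    header_json = json.dumps(tree).encode()
    padded = header_json + b"\0" * (-len(header_json) % 4)
    header_pickle = struct.pack("<II", 4 + len(padded), len(header_json)) + padded
    return struct.pack("<II", 4, len(header_pickle)) + header_pickle + b"".join(blobs)


def read_header(blob: bytes) -> tuple:
    """Return (header_dict, offset_of_first_file_byte); reject inconsistent sizes."""
    if len(blob) < 16:
        raise ValueError("too short to be an asar archive")
    first_len, header_size = struct.unpack_from("<II", blob, 0)
    payload_len, json_len = struct.unpack_from("<II", blob, 8)
    if first_len != 4 or payload_len != header_size - 4 or json_len > payload_len - 4:
        raise ValueError("pickle lengths are inconsistent")
    if 8 + header_size > len(blob):
        raise ValueError("header runs past end of file")
    return json.loads(blob[16:16 + json_len]), 8 + header_size


def walk(node: dict, prefix: str = ""):
    """Yield (relative_path, entry) for every file entry, depth first."""
    for name, entry in node.get("files", {}).items():
        if "files" in entry:          # directories carry a nested "files" map
            yield from walk(entry, f"{prefix}{name}/")
        else:
            yield f"{prefix}{name}", entry


def escapes(root: str, rel: str) -> bool:
    """True if rel (taken from the untrusted header) would land outside root."""
    root = os.path.realpath(root)
    dest = os.path.realpath(os.path.join(root, rel))
    return os.path.commonpath([root, dest]) != root


def list_asar(blob: bytes) -> dict:
    """Map of relative path -> size, like `asar list` with sizes."""
    return {path: entry["size"] for path, entry in walk(read_header(blob)[0])}


def extract_asar(blob: bytes, out_dir: str) -> list:
    """Write every packed file under out_dir and return the paths written."""
    header, base = read_header(blob)
    written = []
    for path, entry in walk(header):
        if escapes(out_dir, path):
            raise ValueError(f"refusing path traversal: {path}")
        # "unpacked" entries live beside the archive in app.asar.unpacked/ and
        # "link" entries are symlinks; neither has bytes inside the blob.
        if entry.get("unpacked") or "link" in entry:
            continue
        start = base + int(entry["offset"])
        data = blob[start:start + entry["size"]]
        if len(data) != entry["size"]:
            raise ValueError(f"truncated entry: {path}")
        dest = os.path.join(out_dir, path)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(data)
        written.append(path)
    return written


SAMPLE_FILES = {  # constructed sample, not taken from any real application
    "package.json": b'{"name": "demo", "main": "main.js"}',
    "main.js": b"const { app } = require('electron');\napp.whenReady();\n",
    "src/config.js": b"module.exports = { apiBase: 'https://staging.example.test/api' };\n",
}
SAMPLE_ASAR = pack_asar(SAMPLE_FILES)


def extract_to_tempdir(blob: bytes) -> dict:
    """Extract into a fresh temp directory and read the files back."""
    out = tempfile.mkdtemp(prefix="asar-")
    result = {}
    for path in extract_asar(blob, out):
        with open(os.path.join(out, path), "rb") as fh:
            result[path] = fh.read()
    return result
```

Pointing extract_asar at the bytes of a real app.asar works the same way; the index may also carry fields this reader ignores (for example per-file integrity hashes in newer Electron releases), and any file marked unpacked must be picked up from the app.asar.unpacked directory next to the archive.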
4.3. The Importance of .asar Extraction
As is well known, one common problem in software development is sensitive information, credentials in particular, ending up hardcoded in the source, whether deliberately or by accident (CWE-798, Use of Hard-coded Credentials). According to GitGuardian's State of Secrets Sprawl 2024, more than 1 in 10 code authors exposed a secret, and 7 out of every 1,000 commits revealed at least one.
Is there anything specific to Electron-based applications here? Yes. In 2021 a researcher, augustozanellato, found, inside an application's .asar file, a GitHub Personal Access Token belonging to one of Shopify's employees. After analysis, Shopify concluded that the token had almost full access to sensitive data and could have been used to modify it or even cause significant downtime.
Given this, extracting the .asar file and analysing its contents is clearly a worthwhile step: we cannot know in advance what has been embedded, or how it could be abused.
4.3.1. The Keywords
Readers may wonder what exactly to look for and which keywords to use.
In general, the targets are the same as in any source-code review for sensitive information: credentials, tokens, keys, URLs and paths (including API endpoints), IP addresses and the like.
For keywords, one of the most comprehensive lists is the one compiled by EdOverflow (linked in the references). It is a few years old, but the keywords in it are still valid today.
But wait: did we not say URLs? Can those not be found with subdomain enumeration tools? They can, but the bundle may contain things that enumeration will not surface, such as:
- Authentication flows reached through specific URLs, which generally cannot be discovered without the right access.
- Staging URLs that may sit on a different domain from the main one. Note that a vulnerability in a staging environment that leads to production data is a very real possibility. (We will discuss this on a separate occasion, InshaAllah.)
4.3.2. Performing Keyword Search
There are many ways to search source code for sensitive information. To keep it simple, we focus on two commonly used approaches: a command-line tool (grep) and a GUI tool (Visual Studio Code).
4.3.2.1. Keyword Search with Command Line Tools — “grep”
Grep is a fundamental command on Linux and Unix systems. It searches the given files for lines matching a string or regular expression and prints them, which makes it a handy tool for testers looking for sensitive information in extracted files.
To search with grep, point it at the directory holding the extracted archive:
grep -r keyword /path/to/extracted/asar
This searches recursively and prints every matching line with its file name, so areas of concern stand out quickly. In practice a few flags earn their keep: -i ignores case (TOKEN and token both match), -n adds line numbers, -E enables extended regular expressions for value patterns such as ghp_[A-Za-z0-9]{36}, and -I skips binary files such as images and native modules. Minified bundles keep a whole program on a single line, so a hit there prints that entire line; -o prints only the matching part instead.
4.3.2.2. Keyword Search with GUI Tools — “Visual Studio Code”
For those who prefer a more visual approach, GUI tools such as Visual Studio Code (VS Code) also offer powerful search. Open the extraction directory in VS Code and use the built-in search panel to sweep the whole tree; it supports case sensitivity, regular expressions and include/exclude globs, so the same keywords and value patterns used with grep carry over directly.
Note: whichever tool we use, every hit for every keyword needs to be reviewed by hand. A match on "token" is just as likely to be a variable that reads its value from the environment at runtime as a hardcoded secret, and only reading the surrounding code tells the two apart.
Well, here we are at the final part of the topic. In the next section, we will explore a unique case study we have encountered.
- Electron, “@electron/asar — Electron Archive,” 1 April 2024. [Online]. Available: https://github.com/electron/asar. [Accessed April 2024].
- npmjs, “npx,” 16 October 2020. [Online]. Available: https://docs.npmjs.com/cli/v7/commands/npx. [Accessed April 2024].
- G. Singh, “Difference between NPM and NPX,” 27 March 2024. [Online]. Available: https://www.naukri.com/code360/library/difference-between-npm-and-npx. [Accessed April 2024].
- YesWeHack, “Pentesting Electron Applications,” 28 July 2021. [Online]. Available: https://www.yeswehack.com/learn-bug-bounty/pentesting-electron-applications. [Accessed April 2024].
- The MITRE Corporation, “CWE-798: Use of Hard-coded Credentials,” 29 February 2024. [Online]. Available: https://cwe.mitre.org/data/definitions/798.html. [Accessed April 2024].
- P. Wagenseil, “More hardcoded credentials than ever, and sloppy coding is to blame,” 14 August 2023. [Online]. Available: https://www.scmagazine.com/news/more-hardcoded-credentials-than-ever-and-sloppy-coding-is-to-blame. [Accessed April 2024].
- M. Xiao, “Secrets surge 67% to 10 million on GitHub as human error drives exposure,” 10 March 2024. [Online]. Available: https://www.scmagazine.com/news/secrets-surge-10-million-github-human-error-drives-exposure. [Accessed April 2024].
- GitGuardian, “THE STATE OF SECRETS SPRAWL 2024,” March 2024. [Online]. Available: https://www.gitguardian.com/state-of-secrets-sprawl-report-2024. [Accessed April 2024].
- Z. Augusto, “Github access token exposure,” January 2021. [Online]. Available: https://hackerone.com/reports/1087489. [Accessed April 2024].
- EdOverflow, “gistfile1.txt,” 25 April 2019. [Online]. Available: https://gist.github.com/EdOverflow/8bd2faad513626c413b8fc6e9d955669. [Accessed April 2024].
- V. Gite, “How to use grep command In Linux / UNIX with examples,” 17 April 2024. [Online]. Available: https://www.cyberciti.biz/faq/howto-use-grep-command-in-linux-unix/. [Accessed April 2024].