{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,4]],"date-time":"2026-04-04T16:39:47Z","timestamp":1775320787238,"version":"3.50.1"},"reference-count":39,"publisher":"MDPI AG","issue":"4","license":[{"start":{"date-parts":[[2018,12,17]],"date-time":"2018-12-17T00:00:00Z","timestamp":1545004800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Informatics"],"abstract":"<jats:p>Writing desktop applications in JavaScript offers developers the opportunity to create cross-platform applications with cutting-edge capabilities. However, in doing so, they are potentially submitting their code to a number of unsanctioned modifications from malicious actors. Electron is one such JavaScript application framework which facilitates this multi-platform out-the-box paradigm and is based upon the Node.js JavaScript runtime\u2014an increasingly popular server-side technology. By bringing this technology to the client-side environment, previously unrealized risks are exposed to users due to the powerful system programming interface that Node.js exposes. In a concerted effort to highlight previously unexposed risks in these rapidly expanding frameworks, this paper presents the Mayall Framework, an extensible toolkit aimed at JavaScript security auditing and post-exploitation analysis. This paper also exposes fifteen highly popular Electron applications and demonstrates that two-thirds of applications were found to be using known vulnerable elements with high CVSS (Common Vulnerability Scoring System) scores. Moreover, this paper discloses a wide-reaching and overlooked vulnerability within the Electron Framework which is a direct byproduct of shipping the runtime unaltered with each application, allowing malicious actors to modify source code and inject covert malware inside verified and signed applications without restriction. Finally, a number of injection vectors are explored and appropriate remediations are proposed.<\/jats:p>","DOI":"10.3390\/informatics5040046","type":"journal-article","created":{"date-parts":[[2018,12,18]],"date-time":"2018-12-18T02:15:59Z","timestamp":1545099359000},"page":"46","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Mayall: A Framework for Desktop JavaScript Auditing and Post-Exploitation Analysis"],"prefix":"10.3390","volume":"5","author":[{"given":"Adam","family":"Rapley","sequence":"first","affiliation":[{"name":"School of Design and Informatics, Abertay University, Dundee DD1 1HG, UK"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1849-5788","authenticated-orcid":false,"given":"Xavier","family":"Bellekens","sequence":"additional","affiliation":[{"name":"School of Design and Informatics, Abertay University, Dundee DD1 1HG, UK"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1082-1174","authenticated-orcid":false,"given":"Lynsay A.","family":"Shepherd","sequence":"additional","affiliation":[{"name":"School of Design and Informatics, Abertay University, Dundee DD1 1HG, UK"}]},{"given":"Colin","family":"McLean","sequence":"additional","affiliation":[{"name":"School of Design and Informatics, Abertay University, Dundee DD1 1HG, UK"}]}],"member":"1968","published-online":{"date-parts":[[2018,12,17]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"80","DOI":"10.1109\/MIC.2010.145","article-title":"Node.js: Using JavaScript to Build High-Performance Network Programs","volume":"14","author":"Tilkov","year":"2010","journal-title":"IEEE Internet Comput."},{"key":"ref_2","unstructured":"Meyerovich, L.A., Zhu, D., and Livshits, B. (2010, January 20). Secure cooperative sharing of JavaScript, browser, and physical resources. Proceedings of the Workshop on Web 2.0 Security and Privacy, Oakland, CA, USA."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Carter, B. (2014, January 3\u20135). HTML Educational Node. js System (HENS): An Applied System for Web Development. Proceedings of the 2014 Annual Global Online Conference on Information and Computer Technology (GOCICT), Louisville, KY, USA.","DOI":"10.1109\/GOCICT.2014.25"},{"key":"ref_4","unstructured":"Freingruber, R. (2017, April 23). Abusing NVIDIA\u2019s node.js to Bypass Application Whitelisting. Available online: http:\/\/blog.sec-consult.com\/2017\/04\/application-whitelisting-application.html."},{"key":"ref_5","unstructured":"GitHub (2017, April 06). Apps Built on Electron. Available online: https:\/\/electron.atom.io\/apps\/."},{"key":"ref_6","unstructured":"Schlueter, I.Z. (2017, February 15). kik, left-pad, and npm. Available online: http:\/\/blog.npmjs.org\/post\/141577284765\/kik-left-pad-and-npm."},{"key":"ref_7","unstructured":"Stack Overflow (2017, April 09). Developer Survey Results. Available online: http:\/\/stackoverflow.com\/insights\/survey\/2016."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Richards, G., Hammer, C., Burg, B., and Vitek, J. (2011). The Eval That Men Do, Springer.","DOI":"10.1007\/978-3-642-22655-7_4"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Jensen, S.H., Jonsson, P.A., and M\u00f8ller, A. (2012, January 15\u201320). Remedying the eval that men do. Proceedings of the 2012 International Symposium on Software Testing and Analysis, Minneapolis, MN, USA.","DOI":"10.1145\/2338965.2336758"},{"key":"ref_10","unstructured":"The OWASP Foundation (2017, April 07). OWASP Top 10\u20142013. Available online: https:\/\/www.owasp.org\/images\/f\/f8\/OWASP_Top_10_-_2013.pdf."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Binnie, R., McLean, C., Seeam, A., and Bellekens, X. (2016, January 3\u20136). X-Secure: Protecting users from big bad wolves. Proceedings of the 2016 IEEE International Conference on Emerging Technologies and Innovative Business Practices for the Transformation of Societies (EmergiTech), Balaclava, Mauritius.","DOI":"10.1109\/EmergiTech.2016.7737330"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"760","DOI":"10.3390\/fi6040760","article-title":"Reducing Risky Security Behaviours: Utilising Affective Feedback to Educate Users","volume":"6","author":"Shepherd","year":"2014","journal-title":"Future Internet"},{"key":"ref_13","unstructured":"Joyent (2017, March 06). About Node.js. Available online: https:\/\/nodejs.org\/en\/about\/."},{"key":"ref_14","unstructured":"Eloff, E., and Torstensson, D. (2012). An Investigation into the Applicability of Node.js as a Platform for Web Services. [Ph.D. Thesis, Department of Computer and Information Science, Link\u00f6pings Universitet]."},{"key":"ref_15","unstructured":"Node.js (2017, April 10). How Uber Uses Node.js to Scale Their Business, No Date. Available online: https:\/\/nodejs.org\/static\/documents\/casestudies\/Nodejs-at-Uber.pdf."},{"key":"ref_16","unstructured":"Trott, K. (2017, April 10). Node.js Interactive Conference\u2014Node.js at Netflix. Available online: https:\/\/www.youtube.com\/watch?v=p74282nDMX8&feature=youtu.be&t=12m11s."},{"key":"ref_17","unstructured":"Ojamaa, A., and D\u00fc\u00fcna, K. (2012, January 10\u201312). Security assessment of Node. js platform. Proceedings of the 2012 International Conference for Internet Technology and Secured Transactions, London, UK."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Staicu, C.A., Pradel, M., and Livshits, B. (2018, January 18\u201321). Understanding and Automatically Preventing Injection Attacks on NODE. JS. Proceedings of the Network and Distributed Systems Security (NDSS) Symposium 2018, San Diego, CA, USA.","DOI":"10.14722\/ndss.2018.23071"},{"key":"ref_19","unstructured":"GitHub (2017, April 09). Electron Documentation\u2014About Electron. Available online: https:\/\/electron.atom.io\/docs\/tutorial\/about\/."},{"key":"ref_20","unstructured":"Andrew Goode (2018, November 17). Dealing with Problematic Dependencies in a Restricted Network Environment. Available online: https:\/\/blog.npmjs.org\/post\/145724408060\/dealing-with-problematic-dependencies-in-a."},{"key":"ref_21","unstructured":"Kerr, D. (2017, March 10). As It Stands\u2014Electron Security. Available online: http:\/\/blog.scottlogic.com\/2016\/03\/09\/As-It-Stands-Electron-Security.html."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Nikiforakis, N., Invernizzi, L., Kapravelos, A., Van Acker, S., Joosen, W., Kruegel, C., Piessens, F., and Vigna, G. (2012, January 16\u201318). You Are What You Include: Large-scale Evaluation of Remote Javascript Inclusions. Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS \u201912, Raleigh, NC, USA.","DOI":"10.1145\/2382196.2382274"},{"key":"ref_23","unstructured":"npm (2017, April 10). npm-scripts\u2014How npm Handles the \u201cScripts\u201d Field. Available online: https:\/\/docs.npmjs.com\/misc\/scripts."},{"key":"ref_24","unstructured":"Tschacher, N.P. (2016). Typosquatting in Programming Language Package Managers. [Bachelor Thesis, Department of Informatics, University of Hamburg]. Available online: http:\/\/incolumitas.com\/data\/thesis.pdf."},{"key":"ref_25","unstructured":"Baldwin, A. (2017, April 10). A Malicious Module on npm. Available online: https:\/\/blog.liftsecurity.io\/2015\/01\/27\/a-malicious-module-on-npm\/."},{"key":"ref_26","unstructured":"Jeronimo, J. (2017, April 10). rimrafall\u2014npm Install Could Be Dangerous. Available online: https:\/\/github.com\/joaojeronimo\/rimrafall."},{"key":"ref_27","unstructured":"Pfretzschner, B., and ben Othmane, L. (September, January 29). Identification of Dependency-based Attacks on Node. js. Proceedings of the 12th International Conference on Availability, Reliability and Security, Reggio Calabria, Italy."},{"key":"ref_28","unstructured":"Nigro, D.L. (2017, April 10). Pulling Apart a WordPress Hack, Unobfuscating Its Code. Available online: https:\/\/dan.cx\/2011\/11\/pulling-apart-wordpress-hack."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Williams, C. (2017, April 12). How One Developer Just Broke Node, Babel and Thousands of Projects in 11 Lines of JavaScript. Available online: https:\/\/www.theregister.co.uk\/2016\/03\/23\/npm_left_pad_chaos\/.","DOI":"10.1049\/et.2017.0156"},{"key":"ref_30","unstructured":"GitHub (2017, April 12). Electron Documentation\u2014Electron Versioning. Available online: https:\/\/electron.atom.io\/docs\/tutorial\/electron-versioning\/."},{"key":"ref_31","unstructured":"Node Security (2017, April 24). Advisories. Available online: https:\/\/nodesecurity.io\/advisories."},{"key":"ref_32","unstructured":"Schechter, E. (2017, April 26). Moving Towards a More Secure Web. Available online: https:\/\/security.googleblog.com\/2016\/09\/moving-towards-more-secure-web.html."},{"key":"ref_33","unstructured":"Electronic Frontier Foundation (2017, April 26). Certbot. Available online: https:\/\/certbot.eff.org\/."},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Kirda, E., Kruegel, C., Vigna, G., and Jovanovic, N. (2006, January 23\u201327). Noxes: A client-side solution for mitigating cross-site scripting attacks. Proceedings of the 2006 ACM Symposium on Applied Computing, Dijon, France.","DOI":"10.1145\/1141277.1141357"},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"59","DOI":"10.1016\/j.amc.2016.03.026","article-title":"Context-oriented web application protection model","volume":"285","author":"Prokhorenko","year":"2016","journal-title":"Appl. Math. Comput."},{"key":"ref_36","unstructured":"lostfictions (2017, April 12). [Security] Investigate Switching to Brave\u2019s Fork of Electron-Prebuilt?. Available online: https:\/\/github.com\/jiahaog\/nativefier\/issues\/288."},{"key":"ref_37","unstructured":"de Arruda, T. (2017, April 06). Allow Electron Renderers to Be Run Inside Chromium Sandbox. Available online: https:\/\/github.com\/electron\/electron\/issues\/6712."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Catuogno, L., and Galdi, C. (2015, January 8\u201310). Ensuring Application Integrity: A Survey on Techniques and Tools. Proceedings of the 2015 9th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, Santa Catarina, Brazil.","DOI":"10.1109\/IMIS.2015.31"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"De Groef, W., Massacci, F., and Piessens, F. (2014, January 8\u201312). NodeSentry: Least-privilege Library Integration for Server-side JavaScript. Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC \u201914, New Orleans, LA, USA.","DOI":"10.1145\/2664243.2664276"}],"container-title":["Informatics"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2227-9709\/5\/4\/46\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,4]],"date-time":"2026-04-04T15:35:58Z","timestamp":1775316958000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2227-9709\/5\/4\/46"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,12,17]]},"references-count":39,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2018,12]]}},"alternative-id":["informatics5040046"],"URL":"https:\/\/doi.org\/10.3390\/informatics5040046","relation":{},"ISSN":["2227-9709"],"issn-type":[{"value":"2227-9709","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,12,17]]}}}