Free Workshop: XSS and RCE in Desktop apps

How dangerous is XSS and RCE in Desktop apps? What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client. Do you know Modern Desktop apps share traditional attack vectors and also introduce new opportunities to threat actors?

So, are you the kind of person who enjoys workshops with practical information that you can immediately apply when you go back to work? In short do you want to take your desktop app security auditing kung-fu to the next level? Join us for this 60-minute hacking session on March 11 @ 18:00 – 19:00 CET. We’re sure you’ll leave with a thirst for more!

This workshop is a prelude to the main course “Hacking Modern Desktop Apps: Master the Future of Attack Vectors“. A course ideal for Penetration Testers, Desktop app Developers and everybody interested in JavaScript/Node.js/Electron app security.

In this brief workshop we will explain what the course covers and give you a few lab samples covering the following topics:

  • Essential techniques to audit Electron applications
  • What XSS means in a desktop application
  • How to turn XSS into RCE in Modern apps
  • Attacking preload scripts
  • RCE via IPC

Moreover, attendees are provided with:

  • Lifetime access to a training portal
  • Vulnerable apps to practice
  • Guided exercise PDFs
  • Video recording explaining how to solve the exercises
  • Access to all future updates for Free

Finally, the free workshop will be followed by 2 x 4h live training sessions on March 16-17 @ 17:00 – 21:00 CET

Live Training: Hacking Modern Desktop Apps: Master the Future of Attack Vectors

Come and have fun with us! 🙂

XSS and RCE in Desktop apps

Audience level

By and large, from new to advanced, content should keep all skill levels happy

Presented by:

Abraham Aranguren: After 13 years in itsec and 20 in IT Abraham is now the CEO of A company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Moreover, a security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. Previously senior penetration tester / team lead at Cure53 ( and Version 1 ( Creator of “Practical Web Defense” – a hands-on eLearnSecurity attack / defense course ( Additionally, OWASP OWTF project leader, an OWASP flagship project (

Finally, as a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. Also, he writes on Twitter as @7asecurity @7a_ @owtfp or Multiple presentations, pentest reports and recordings can be found at

For the most up-to-date information about upcoming training events, including free workshops, check this.