Damn Vulnerable Electron App (DVEA) is a deliberately vulnerable ElectronJS application for learning and testing Electron-specific security issues. It is designed for developers, security engineers, and trainers.
DVEA includes realistic, intentionally insecure implementations of common Electron vulnerabilities:
- Open Redirect (deep link abuse)
- Renderer XSS
- XSS: No Privileged APIs Exposed
- XSS: Overprivileged ContextBridge
- XSS to RCE (Direct, main window)
- Insecure File Write (IPC Abuse)
- openExternal Abuse (Protocol Handling)
All vulnerabilities are accessible from the main menu. Each has a dedicated page with a guide, security checklist, and example payloads.
Pre-built binaries for Linux (Debian) are available from the GitHub releases page.
For macOS and Windows, please build the application from source (see below).
```sh
git clone https://github.com/njmulsqb/DVEA
cd DVEA
npm install
npm run start
```
All documentation and walkthroughs are now provided inline within the app UI for each vulnerability demo.
Please see CONTRIBUTING.md for guidelines on how to contribute to DVEA.