29. Feb 2024

Electron Proxy Injection

When analyzing Electron apps, an HTTP proxy can be very helpful. Most apps, however, do not offer nice GUI options or CLI arguments to specify a proxy. In this case, you need to force the proxy into the application. This page is mainly a dump of stuff I came across and not super curated. I don’t know in all cases which one worked and which didn’t. I’ve you have more detailed feedback or knowledge on those methods, feel free to contact me and I’ll update this list.

Without Modifications #

Using the environment variables http_proxy and http_proxy:

export http_proxy=""
export https_proxy=""

Using proxychains↗:

# install proxychains
# configure your http proxy in /etc/proxychains4.conf
proxychains -q /path/to/app

There is a Windows version of proxychains called proxychains-windows↗. This app only supports SOCKS5 proxies as a target. Using projectdiscovery/proxify↗ we can tunnel this into Burp. Install the certificate generated by Burp and proxify into the TrustStore before proceeding.

# launch proxify with a upstream http proxy
proxify -http-proxy

# adjust the proxychains config in %USERPROFILE%\.proxychains\proxychains.conf
# launch the app with proxychains
proxychains -q .\path\to\app

Unpack and Repack Asar #

You’ll need to unpack and repack the asar file found in your Electron directory. Here is a simple Dockerfile:

FROM node:21-alpine

RUN npm install --engine-strict -g asar

USER node

CMD ["-h"]
# build
docker build -t asar .

# bash function as a wrapper for the container
asar() {
    if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
        echo "Usage: \n  asar extract app.asar outdir\n  asar pack indir app.asar"

    if [ "$1" = "extract" ]; then
        docker run --rm -v $(pwd):/src asar extract "/src/$2" "/src/$3"

    if [ "$1" = "pack" ]; then
        docker run --rm -v $(pwd):/src asar pack "/src/$2" "/src/$3"

Environment Variables #

Set those somewhere in your JavaScript that gets launched via Electron:

process.env.HTTP_PROXY = 'http://yourproxy:port';
process.env.HTTPS_PROXY = 'http://yourproxy:port';

webPreferences() #

Inside BrowserWindow() there are webPreferences. They are documented here↗.

webPreferences: {
    devTools: true,
    nodeIntegration: true,
    sandbox: false,
    webSecurity: false,
    allowRunningInsecureContent: true,

webContents.session.setProxy() #

Using BrowserWindow() it’s also possible to set a proxy before the main loadURL() is called:


const proxyRule = "http=;https=";
BrowserWindow().webContents.session.setProxy({ proxyRules: proxyRule }, function () {

session.defaultSession.setProxy() #

Also, just after imports you can specify a proxy for the session and hook on app.on() to disable certificate checks:

const proxyRule = "http=;https=";
session.defaultSession.setProxy({ proxyRules: proxyRule });

// Ignore SSL certificate errors
app.on('certificate-error', (event, webContents, url, error, certificate, callback) => {

DevTools #

Some programs show you a menu bar when pressing ALT. From there, Chrome DevTools can be enabled. Otherwise, add this to the source code:

// Open Devtools. Requires devTools: true in webPreferences
BrowserWindow().webContents.openDevTools({ mode: 'bottom' });
// Enable the menu bar which can toggle the dev tools

Inspect/Debug Mode #

Electron apps can be debugged using Google Chrome. For this, the app needs to be launched with --inspect or --inspect-brk. In earlier versions, those flags were called --debug and --debug-brk. Once launched, open a Google Chrome browser and visit chrome://inspect/#devices. There you should be able to connect to the debug instance over a websocket.

Table of Contents