Skip to content

Commit

Permalink
GITBOOK-4441: No subject
Browse files Browse the repository at this point in the history
  • Loading branch information
@carlospolop @gitbook-bot
carlospolop authored and gitbook-bot committed Dec 8, 2024
1 parent db44d24 commit ff16354
Showing 1 changed file with 13 additions and 9 deletions.
22 changes: 13 additions & 9 deletions pentesting-web/browser-extension-pentesting-methodology/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,15 +9,15 @@ Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" d
<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Basic Information

Browser extensions are written in JavaScript and loaded by the browser in the background. It has its [DOM](https://www.w3schools.com/js/js\_htmldom.asp) but can interact with other sites' DOMs. This means that it may compromise other sites' confidentiality, integrity, and availability (CIA).
Browser extensions are written in JavaScript and loaded by the browser in the background. It has its [DOM](https://www.w3schools.com/js/js_htmldom.asp) but can interact with other sites' DOMs. This means that it may compromise other sites' confidentiality, integrity, and availability (CIA).

## Main Components

Expand Down Expand Up @@ -86,7 +86,7 @@ Example:

### `content_scripts`

Content scripts are **loaded** whenever the user **navigates to a matching page**, in our case any page matching the **`https://example.com/*`** expression and not matching the **`*://*/*/business*`** regex. They execute **like the page’s own scripts** and have arbitrary access to the page’s [Document Object Model (DOM)](https://developer.mozilla.org/en-US/docs/Web/API/Document\_Object\_Model).
Content scripts are **loaded** whenever the user **navigates to a matching page**, in our case any page matching the **`https://example.com/*`** expression and not matching the **`*://*/*/business*`** regex. They execute **like the page’s own scripts** and have arbitrary access to the page’s [Document Object Model (DOM)](https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model).

```json
"content_scripts": [
Expand Down Expand Up @@ -125,7 +125,7 @@ chrome.storage.local.get("message", result =>
A message is sent to the extension pages by the content script when this button is clicked, through the utilization of the [**runtime.sendMessage() API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/runtime/sendMessage). This is due to the content script's limitation in direct access to APIs, with `storage` being among the few exceptions. For functionalities beyond these exceptions, messages are sent to extension pages which content scripts can communicate with.

{% hint style="warning" %}
Depending on the browser, the capabilities of the content script may vary slightly. For Chromium-based browsers, the capabilities list is available in the [Chrome Developers documentation](https://developer.chrome.com/docs/extensions/mv3/content\_scripts/#capabilities), and for Firefox, the [MDN](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content\_scripts#webextension\_apis) serves as the primary source.\
Depending on the browser, the capabilities of the content script may vary slightly. For Chromium-based browsers, the capabilities list is available in the [Chrome Developers documentation](https://developer.chrome.com/docs/extensions/mv3/content_scripts/#capabilities), and for Firefox, the [MDN](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts#webextension_apis) serves as the primary source.\
It is also noteworthy that content scripts have the ability to communicate with background scripts, enabling them to perform actions and relay responses back.
{% endhint %}

Expand Down Expand Up @@ -305,7 +305,7 @@ As browser extensions can be so **privileged**, a malicious one or one being com
Check how these settings work and how they could get abused in:

{% content-ref url="browext-permissions-and-host_permissions.md" %}
[browext-permissions-and-host\_permissions.md](browext-permissions-and-host\_permissions.md)
[browext-permissions-and-host\_permissions.md](browext-permissions-and-host_permissions.md)
{% endcontent-ref %}

### `content_security_policy`
Expand Down Expand Up @@ -729,14 +729,18 @@ Even though Browser Extensions have a **limited attack surface**, some of them m
* [ ] **Sensitive information shouldn't be stored** inside the Browser Extension **memory**
* [ ] **Sensitive information shouldn't be stored** inside the **file system unprotected**

## Browser Extension Risks

* The app [https://crxaminer.tech/](https://crxaminer.tech/) analyzes some data like the permissions browser extension requests to give a risk level of using the browser extension.

## Tools

### [**Tarnish**](https://thehackerblog.com/tarnish/)

* Pulls any Chrome extension from a provided Chrome webstore link.
* [**manifest.json**](https://developer.chrome.com/extensions/manifest) **viewer**: simply displays a JSON-prettified version of the extension’s manifest.
* **Fingerprint Analysis**: Detection of [web\_accessible\_resources](https://developer.chrome.com/extensions/manifest/web\_accessible\_resources) and automatic generation of Chrome extension fingerprinting JavaScript.
* **Potential Clickjacking Analysis**: Detection of extension HTML pages with the [web\_accessible\_resources](https://developer.chrome.com/extensions/manifest/web\_accessible\_resources) directive set. These are potentially vulnerable to clickjacking depending on the purpose of the pages.
* **Fingerprint Analysis**: Detection of [web\_accessible\_resources](https://developer.chrome.com/extensions/manifest/web_accessible_resources) and automatic generation of Chrome extension fingerprinting JavaScript.
* **Potential Clickjacking Analysis**: Detection of extension HTML pages with the [web\_accessible\_resources](https://developer.chrome.com/extensions/manifest/web_accessible_resources) directive set. These are potentially vulnerable to clickjacking depending on the purpose of the pages.
* **Permission Warning(s) viewer**: which shows a list of all the Chrome permission prompt warnings which will be displayed upon a user attempting to install the extension.
* **Dangerous Function(s)**: shows the location of dangerous functions which could potentially be exploited by an attacker (e.g. functions such as innerHTML, chrome.tabs.executeScript).
* **Entry Point(s)**: shows where the extension takes in user/external input. This is useful for understanding an extension’s surface area and looking for potential points to send maliciously-crafted data to the extension.
Expand All @@ -747,7 +751,7 @@ Even though Browser Extensions have a **limited attack surface**, some of them m
* The path of the alerted file.
* The full Chrome extension URI of the alerted file.
* The type of file it is, such as a Background Page script, Content Script, Browser Action, etc.
* If the vulnerable line is in a JavaScript file, the paths of all of the pages where it is included as well as these page’s type, and [web\_accessible\_resource](https://developer.chrome.com/extensions/manifest/web\_accessible\_resources) status.
* If the vulnerable line is in a JavaScript file, the paths of all of the pages where it is included as well as these page’s type, and [web\_accessible\_resource](https://developer.chrome.com/extensions/manifest/web_accessible_resources) status.
* **Content Security Policy (CSP) analyzer and bypass checker**: This will point out weaknesses in your extension’s CSP and will also illuminate any potential ways to bypass your CSP due to whitelisted CDNs, etc.
* **Known Vulnerable Libraries**: This uses [Retire.js](https://retirejs.github.io/retire.js/) to check for any usage of known-vulnerable JavaScript libraries.
* Download extension and formatted versions.
Expand Down Expand Up @@ -782,7 +786,7 @@ Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" d
<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Expand Down

0 comments on commit ff16354

Please sign in to comment.