#@ck3r
  • Welcome
  • Administrator
    • ActiveDirectory
      • Methodology
    • LDAP
    • Kerberos
  • HTB_CTF
    • It's Oops PM
  • 🕸️ Pentesting Web
    • Web Vulnerabilities Methodology
      • Reflecting Techniques - PoCs and Polygloths CheatSheet
        • Web Vulns List
    • 2FA/MFA/OTP Bypass
    • Account Takeover
    • Browser Extension Pentesting Methodology
      • BrowExt - ClickJacking
      • BrowExt - permissions & host_permissions
      • BrowExt - XSS Example
    • Bypass Payment Process
    • Captcha Bypass
    • Cache Poisoning and Cache Deception
      • Cache Poisoning via URL discrepancies
      • Cache Poisoning to DoS
    • Clickjacking
    • Client Side Template Injection (CSTI)
    • Client Side Path Traversal
    • Command Injection
    • Content Security Policy (CSP) Bypass
    • Cookies Hacking
      • Cookie Tossing
    • CORS - Misconfigurations & Bypass
    • CRLF (%0D%0A) Injection
    • CSRF (Cross Site Request Forgery)
  • Dangling Markup - HTML scriptless injection
  • Dependency Confusion
  • Deserialization
    • NodeJS - __proto__ & prototype Pollution
      • Client Side Prototype Pollution
      • Express Prototype Pollution Gadgets
      • Prototype Pollution to RCE
    • CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
    • Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
    • Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
    • Exploiting __VIEWSTATE without knowing the secrets
    • Python Yaml Deserialization
    • JNDI - Java Naming and Directory Interface & Log4Shell
    • Ruby Class Pollution
  • Page 1
Powered by GitBook
On this page
  • Basic Information
  • Abusing permissions and host_permissions
  • Prevention
  • References
  1. 🕸️ Pentesting Web
  2. Browser Extension Pentesting Methodology

BrowExt - permissions & host_permissions

PreviousBrowExt - ClickJackingNextBrowExt - XSS Example

Last updated 3 months ago

Permissions are defined in the extension's manifest.json file using the permissions property and allow access to almost anything a browser can access (Cookies or Physical Storage):

The previous manifest declares that the extension requires the storage permission. This means that it can use to store its data persistently. Unlike cookies or localStorage APIs which give users some level of control, extension storage can normally only be cleared by uninstalling the extension.

An extension will request the permissions indicated in its manifest.json file and After installing the extension, you can always check its permissions in your browser, as shown in this image:

The following host_permissions basically allow every web:

json

"host_permissions": [
  "*://*/*"
]

// Or:
"host_permissions": [
  "http://*/*",
  "https://*/*"
]

// Or:
"host_permissions": [
  "<all_urls>"
]

These are the hosts that the browser extension can access freely. This is because when a browser extension calls fetch("https://gmail.com/") it's not restricted by CORS.

Both APIs allow executing not merely files contained in the extensions as content scripts but also arbitrary code. The former allows passing in JavaScript code as a string while the latter expects a JavaScript function which is less prone to injection vulnerabilities. Still, both APIs will wreak havoc if misused.

In addition to the capabilities above, content scripts could for example intercept credentials as these are entered into web pages. Another classic way to abuse them is injecting advertising on each an every website. Adding scam messages to abuse credibility of news websites is also possible. Finally, they could manipulate banking websites to reroute money transfers.

An extension can create any number of tabs whenever it wants.

You probably know that websites can request special permissions, e.g. in order to access your webcam (video conferencing tools) or geographical location (maps). It’s features with considerable potential for abuse, so users each time have to confirm that they still want this.

Typically, an extension will do so immediately after being installed. Once this prompt is accepted, webcam access is possible at any time, even if the user isn’t interacting with the extension at this point. Yes, a user will only accept this prompt if the extension really needs webcam access. But after that they have to trust the extension not to record anything secretly.

However, advertising companies could also abuse this storage.

The policy of Google's developer explicitly forbids extensions from requesting more privileges than necessary for their functionality, effectively mitigating excessive permission requests. An instance where a browser extension overstepped this boundary involved its distribution with the browser itself rather than through an add-on store.

You can find the and a .

The optional but powerful setting host_permissions indicates with which hosts the extension is going to be able to interact via apis such as , , and .

Moreover, host_permissions also unlock “advanced” functionality. They allow the extension to call and not only get a list of user’s browser tabs back but also learn which web page (meaning address and title) is loaded.

Not only that, listeners like become way more useful as well. These will be notified whenever a new page loads into a tab.

Content scripts aren’t necessarily written statically into the extension manifest. Given sufficient host_permissions, extensions can also load them dynamically by calling or .

Some extension privileges don’t have to be explicitly declared. One example is the : its basic functionality is accessible without any privileges whatsoever. Any extension can be notified when you open and close tabs, it merely won’t know which website these tabs correspond with.

Sounds too harmless? The is somewhat less so. It can be used to create a new tab, essentially the same as which can be called by any website. Yet while window.open() is subject to the pop-up blocker, tabs.create() isn’t.

If you look through possible tabs.create() parameters, you’ll also notice that its capabilities go way beyond what window.open() is allowed to control. And while Firefox doesn’t allow data: URIs to be used with this API, Chrome has no such protection. Use of such URIs on the top level has been .

is very similar to tabs.create() but will modify an existing tab. So a malicious extension can for example arbitrarily load an advertising page into one of your tabs, and it can activate the corresponding tab as well.

Not so with browser extensions. If a browser extension , it only needs to ask for permission once

With access to or , granting permission explicitly is unnecessary altogether. An extension simply adds geolocation or clipboard to the of its manifest. These access privileges are then granted implicitly when the extension is installed. So a malicious or compromised extension with these privileges can create your movement profile or monitor your clipboard for copied passwords without you noticing anything.

Adding the history keyword to the of the extension manifest grants access to the . It allows retrieving the user’s entire browsing history all at once, without waiting for the user to visit these websites again.

The bookmarks permission has similar abuse potential, this one allows reading out all bookmarks via the .

The extension storage is merely a key-value collection, very similar to that any website could use. So no sensitive information should be stored here.

You can find the and a .

Browsers could further curb the misuse of extension privileges. For instance, Chrome's and APIs, used for screen recording, are designed to minimize abuse. The tabCapture API can only be activated through direct user interaction, such as clicking on the extension icon, while desktopCapture requires user confirmation for the window to be recorded, preventing clandestine recording activities.

However, tightening security measures often results in decreased flexibility and user-friendliness of extensions. The illustrates this trade-off. It was introduced to eliminate the need for extensions to request host privileges across the entire internet, allowing extensions to access only the current tab upon explicit activation by the user. This model is effective for extensions requiring user-initiated actions but falls short for those requiring automatic or pre-emptive actions, thereby compromising convenience and immediate responsiveness.

complete list of permissions a Chromium Browser Extension can request here
complete list for Firefox extensions here
host_permissions
cookies
webRequest
tabs
Abusing permissions and host_permissions
Tabs
tabs API
tabs.query()
tabs.onUpdated
Running content scripts
tabs.executeScript()
scripting.executeScript()
Implicit privileges
tabs API
tabs.create() API
window.open()
banned due to being abused for phishing
tabs.update()
Webcam, geolocation and friends
wants access to your webcam or microphone
your exact geographical location
contents of your clipboard
permissions entry
permissions entry
history API
bookmarks API
Storage permission
localStorage
More permissions
complete list of permissions a Chromium Browser Extension can request here
complete list for Firefox extensions here
Prevention
tabCapture
desktopCapture
activeTab permission
References
https://palant.info/2022/08/17/impact-of-extension-privileges/
https://www.cobalt.io/blog/introduction-to-chrome-browser-extension-security-testing
Basic Information
permissions
the storage API