// Listen for messages from the web page window.addEventListener( “message”, (event) => { // Only accept messages from the same window if (event.source !== window) { return }

// Check if the message type is “FROM_PAGE” if (event.data.type && event.data.type === “FROM_PAGE”) { console.log(“Content script received: “ + event.data.text) // Forward the message to the background script port.postMessage({ type: “FROM_PAGE”, text: event.data.text }) } }, false )

// Listen for messages from the background script port.onMessage.addListener(function (msg) { console.log(“Content script received message from background script:”, msg) // Handle the response message from the background script })

</details>

Pia inawezekana kutuma ujumbe kutoka background script kwenda content script iliyoko kwenye kichupo fulani kwa kutumia **`chrome.tabs.sendMessage`**, ambapo utahitaji kuonyesha **ID ya kichupo** utakayotumia kutuma ujumbe.

### Kutoka kwa `externally_connectable` zilizoruhusiwa kwenda kwenye extension

**Web apps na extension za browser za nje zilizoruhusiwa** katika usanidi wa `externally_connectable` zinaweza kutuma maombi kwa kutumia :
```javascript
chrome.runtime.sendMessage(extensionId, ...

Wakati inahitajika kutaja extension ID.

Native Messaging

Inawezekana kwa background scripts kuwasiliana na binaries ndani ya mfumo, ambazo zinaweza kuwa nyeti kwa udhaifu hatari kama RCEs ikiwa mawasiliano haya hayatahakikiwa ipasavyo. More on this later.

chrome.runtime.sendNativeMessage(
"com.my_company.my_application",
{ text: "Hello" },
function (response) {
console.log("Received " + response)
}
)

Web ↔︎ Content Script Communication

Mazingira ambayo content scripts hufanya kazi na yale ambapo kurasa za mwenyeji zinapatikana yamegawanywa kati yao, kuhakikisha isolation. Licha ya isolation hii, pande zote mbili zina uwezo wa kuingiliana na ukurasa wa Document Object Model (DOM), rasilimali inayoshirikiwa. Ili ukurasa wa mwenyeji uweze kuwasiliana na content script, au kwa njia isiyo ya moja kwa moja na extension kupitia content script, inahitajika kutumia DOM inayopatikana kwa pande zote kama njia ya mawasiliano.

Post Messages

// This is like "chrome.runtime.sendMessage" but to maintain the connection
var port = chrome.runtime.connect()

window.addEventListener(
"message",
(event) => {
// We only accept messages from ourselves
if (event.source !== window) {
return
}

if (event.data.type && event.data.type === "FROM_PAGE") {
console.log("Content script received: " + event.data.text)
// Forward the message to the background script
port.postMessage(event.data.text)
}
},
false
)

document.getElementById("theButton").addEventListener(
"click",
() => {
window.postMessage(
{ type: "FROM_PAGE", text: "Hello from the webpage!" },
"*"
)
},
false
)

Mawasiliano salama ya Post Message yanapaswa kuthibitisha uhalali wa ujumbe uliopokelewa; hili linaweza kufanywa kwa kukagua:

• event.isTrusted: Hii ni True tu ikiwa event ilisababishwa na kitendo cha mtumiaji
• The content script inaweza kutarajia ujumbe tu ikiwa mtumiaji atafanya kitendo fulani
• origin domain: inaweza kutarajia ujumbe tu kutoka kwenye orodha ya allowlist ya domains.
• Ikiwa regex inatumiwa, kuwa mwangalifu sana
• Source: received_message.source !== window inaweza kutumika kuthibitisha kama ujumbe ulikuwa kutoka kwenye dirisha hiyo hiyo ambapo Content Script inasikiliza.

Ukaguzi uliotajwa hapo juu, hata ukifanywa, unaweza kuwa dhaifu; angalia ukurasa ufuatao kuhusu potential Post Message bypasses:

PostMessage Vulnerabilities

Iframe

Njia nyingine inayowezekana ya mawasiliano inaweza kuwa kupitia Iframe URLs, unaweza kupata mfano katika:

BrowExt - XSS Example

DOM

Hii si “kabla si” njia ya mawasiliano kabisa, lakini web na the content script wata kuwa na ufikiaji kwa web DOM. Kwa hivyo, ikiwa content script inasoma baadhi ya taarifa kutoka kwake, ikimwamini web DOM, web inaweza modify this data (kwa sababu web haipaswi kuaminiwa, au kwa sababu web ina udhaifu wa XSS) na kuathiri Content Script.

Unaweza pia kupata mfano wa DOM based XSS to compromise a browser extension katika:

BrowExt - XSS Example

Content Script ↔︎ Background Script Communication

Content Script inaweza kutumia functions runtime.sendMessage() or tabs.sendMessage() kutuma one-time JSON-serializable message.

Kushughulikia response, tumia Promise iliyorejeshwa. Hata hivyo, kwa ajili ya backward compatibility, bado unaweza kuingiza callback kama argument ya mwisho.

Kutuma ombi kutoka kwa content script inaonekana kama ifuatavyo:

;(async () => {
const response = await chrome.runtime.sendMessage({ greeting: "hello" })
// do something with response here, not outside the function
console.log(response)
})()

Kutuma ombi kutoka kwa extension (kwa kawaida background script). Mfano wa jinsi ya kutuma ujumbe kwa content script kwenye tab iliyochaguliwa:

// From https://stackoverflow.com/questions/36153999/how-to-send-a-message-between-chrome-extension-popup-and-content-script
;(async () => {
const [tab] = await chrome.tabs.query({
active: true,
lastFocusedWindow: true,
})
const response = await chrome.tabs.sendMessage(tab.id, { greeting: "hello" })
// do something with response here, not outside the function
console.log(response)
})()

Kwenye upande wa kupokea, unahitaji kuanzisha runtime.onMessage event listener ili kushughulikia ujumbe. Hii inaonekana sawa kutoka kwa content script au extension page.

// From https://stackoverflow.com/questions/70406787/javascript-send-message-from-content-js-to-background-js
chrome.runtime.onMessage.addListener(function (request, sender, sendResponse) {
console.log(
sender.tab
? "from a content script:" + sender.tab.url
: "from the extension"
)
if (request.greeting === "hello") sendResponse({ farewell: "goodbye" })
})

Katika mfano uliotajwa, sendResponse() ilitekelezwa kwa njia ya synchronous. Ili kubadilisha event handler ya onMessage kwa ajili ya utekelezaji asynchronous wa sendResponse(), ni muhimu kujumuisha return true;.

Jambo muhimu la kuzingatia ni kwamba katika matukio ambapo kurasa nyingi zimewekwa kupokea matukio ya onMessage, ukurasa wa kwanza kutekeleza sendResponse() kwa tukio maalum ndio pekee utaweza kutoa jibu kwa ufanisi. Majibu yoyote yanayofuata kwa tukio hilo hayatapewa kipaumbele.

Unapotengeneza extensions mpya, inapendekezwa kutumia promises badala ya callbacks. Kuhusu matumizi ya callbacks, function ya sendResponse() inachukuliwa kuwa halali tu ikiwa inatekelezwa moja kwa moja ndani ya muktadha synchronous, au ikiwa event handler inaonyesha operesheni asynchronous kwa kurudisha true. Iwapo hakuna handler atakayerejesha true au ikiwa sendResponse() itaondolewa kwenye kumbukumbu (garbage-collected), callback inayohusishwa na function ya sendMessage() itaitwa kwa chaguo-msingi.

Native Messaging

Browser extensions pia zinaruhusu kuwasiliana na binaries in the system via stdin. Programu lazima isakinishe json inayosema hivyo, kwa json kama:

{
"name": "com.my_company.my_application",
"description": "My Application",
"path": "C:\\Program Files\\My Application\\chrome_native_messaging_host.exe",
"type": "stdio",
"allowed_origins": ["chrome-extension://knldjmfmopnpolahpmmgbagdohdnhkik/"]
}

Ambapo name ni string inayopitishwa kwa runtime.connectNative() au runtime.sendNativeMessage() ili kuwasiliana na application kutoka kwa background scripts za browser extension. path ni path ya binary, kuna type moja tu halali ambayo ni stdio (tumia stdin na stdout) na allowed_origins inaonyesha extensions zinazoweza kuifikia (na haiwezi kuwa na wildcard).

Chrome/Chromium itatafuta json hii katika windows registry na kwenye baadhi ya paths za macOS na Linux (maelezo zaidi katika docs).

Tip

Browser extension pia inahitaji ruhusa ya nativeMessaing iliyotangazwa ili iweze kutumia mawasiliano haya.

Hivi ndivyo inavyoonekana code ya background script ikituma messages kwa native application:

chrome.runtime.sendNativeMessage(
"com.my_company.my_application",
{ text: "Hello" },
function (response) {
console.log("Received " + response)
}
)

In this blog post, muundo hatari unaotumia native messages umependekezwa:

1. Extension ya Kivinjari ina wildcard pattern kwa content script.
2. Content script inapitisha ujumbe za postMessage kwa background script kwa kutumia sendMessage.
3. Background script inapitisha ujumbe kwa native application kwa kutumia sendNativeMessage.
4. Native application inashughulikia ujumbe kwa njia hatari, na kusababisha code execution.

Ndani yake kuna mfano unaoelezea jinsi ya kwenda kutoka ukurasa wowote hadi RCE kwa kutumia extension ya kivinjari.

Sensitive Information in Memory/Code/Clipboard

Ikiwa Extension ya Kivinjari inahifadhi taarifa nyeti ndani it’s memory, inaweza kunyanyuzwa (dumped) (hasa kwenye mashine za Windows) na kutafutwa kwa taarifa hizi.

Kwa hivyo, memory ya Extension ya Kivinjari haipaswi kuchukuliwa kuwa salama na taarifa nyeti kama credentials au misemo ya mnemonic haipaswi kuhifadhiwa.

Bila shaka, usiweke taarifa nyeti katika code, kwani zitakuwa public.

Ili dump memory kutoka browser unaweza dump the process memory au kwenda kwenye settings ya extension ya kivinjari bonyeza Inspect pop-up -> Katika sehemu ya Memory -> Take a snaphost na CTRL+F kutafuta ndani ya snapshot kwa taarifa nyeti.

Zaidi ya hayo, taarifa zilizokuwa hatari sana kama mnemonic keys au passwords hazipaswi kuruhusiwa kukopiwa kwenye clipboard (au angalau zifutwe kutoka clipboard ndani ya sekunde chache) kwa sababu kisha michakato inayofuatilia clipboard itaweza kuzipata.

Loading an Extension in the Browser

1. Pakua Extension ya Kivinjari na ui-fungue (unzip)
2. Nenda kwenye chrome://extensions/ na wezesha the Developer Mode
3. Bonyeza kitufe cha Load unpacked

Kwenye Firefox nenda kwenye about:debugging#/runtime/this-firefox na bonyeza kitufe cha Load Temporary Add-on.

Getting the source code from the store

Msimbo wa chanzo wa extension ya Chrome unaweza kupatikana kwa njia mbalimbali. Hapa chini kuna maelezo ya kina na maagizo kwa kila chaguo.

Download Extension as ZIP via Command Line

Msimbo wa chanzo wa extension ya Chrome unaweza kupakuliwa kama faili la ZIP kwa kutumia command line. Hii inajumuisha kutumia curl kudownload faili la ZIP kutoka kwenye URL maalum kisha kutoa yaliyomo ya ZIP kwenye saraka. Hapa kuna hatua:

1. Badilisha "extension_id" na ID halisi ya extension.
2. Tekeleza amri zifuatazo:

extension_id=your_extension_id   # Replace with the actual extension ID
curl -L -o "$extension_id.zip" "https://clients2.google.com/service/update2/crx?response=redirect&os=mac&arch=x86-64&nacl_arch=x86-64&prod=chromecrx&prodchannel=stable&prodversion=44.0.2403.130&x=id%3D$extension_id%26uc"
unzip -d "$extension_id-source" "$extension_id.zip"

Tumia tovuti ya CRX Viewer

https://robwu.nl/crxviewer/

Tumia extension ya CRX Viewer

Njia nyingine rahisi ni kutumia Chrome Extension Source Viewer, ambayo ni mradi wa open-source. Inaweza kusakinishwa kutoka kwa Chrome Web Store. Msimbo wa chanzo wa viewer upo katika GitHub repository.

Tazama msimbo wa extension iliyosakinishwa kwa eneo la ndani

Chrome extensions zilizowekwa mahali pa kompyuta pia zinaweza kuchunguzwa. Hivi ndivyo:

1. Fikia saraka ya profile ya Chrome kwa kutembelea chrome://version/ na kubaini shamba la “Profile Path”.
2. Nenda kwenye saraka ndogo ya Extensions/ ndani ya saraka ya profile.
3. Folda hii ina extensions zote zilizosakinishwa, kwa kawaida zikiwa na msimbo wao wa chanzo katika muundo unaosomeka.

Ili kutambua extensions, unaweza kupangia IDs zao kwa majina:

• Washa Developer Mode kwenye ukurasa wa about:extensions ili kuona IDs za kila extension.
• Ndani ya kila folda ya extension, faili ya manifest.json ina shamba la name linaloweza kusomwa, likikusaidia kutambua extension.

Tumia File Archiver au Unpacker

Nenda kwenye Chrome Web Store na pakua extension. Faili itakuwa na nyongeza .crx. Badilisha nyongeza ya faili kutoka .crx kuwa .zip. Tumia programu yoyote ya archive (kama WinRAR, 7-Zip, n.k.) kutoa yaliyomo ya faili la ZIP.

Tumia Developer Mode katika Chrome

Fungua Chrome na nenda chrome://extensions/. Washa “Developer mode” juu kulia. Bonyeza “Load unpacked extension…”. Elekeza kwenye saraka ya extension yako. Hii haitapakua msimbo wa chanzo, lakini ni muhimu kwa kuangalia na kuhariri msimbo wa extension ambayo tayari imepakuliwa au imeandaliwa.

Chrome extension manifest dataset

Ili kujaribu kubaini browser extensions zilizo hatarini unaweza kutumia thehttps://github.com/palant/chrome-extension-manifests-dataset na kukagua faili zao za manifest kwa dalili zinazoweza kuonyesha udhaifu. Kwa mfano ili kuangalia extensions zenye zaidi ya watumiaji 25000, content_scripts na ruhusa nativeMessaing:

# Query example from https://spaceraccoon.dev/universal-code-execution-browser-extensions/
node query.js -f "metadata.user_count > 250000" "manifest.content_scripts?.length > 0 && manifest.permissions?.includes('nativeMessaging')"

Post-exploitation: Forced extension load & persistence (Windows)

Mbinu ya kujificha ya ku-backdoor Chromium kwa kuhariri moja kwa moja per-user Preferences na kutunga HMACs halali, ambayo husababisha browser kukubali na kuanzisha arbitrary unpacked extension bila prompts au flags.

Forced Extension Load Preferences Mac Forgery Windows

Detecting Malicious Extension Updates (Static Version Diffing)

Udukuzi wa supply-chain mara nyingi huja kama malicious updates kwa extensions ambazo awali zilikuwa benign. Njia ya vitendo yenye kelele ndogo ni kulinganisha kifurushi kipya cha extension dhidi ya toleo la mwisho linalojulikana kuwa sahihi kwa kutumia static analysis (kwa mfano, Assemblyline). Lengo ni kutoa tahadhari juu ya high-signal deltas badala ya kila mabadiliko.

Workflow

• Submit both versions (old + new) to the same static-analysis profile.
• Flag new or updated background/service worker scripts (persistence + privileged logic).
• Flag new or updated content scripts (DOM access and data collection).
• Flag new permissions/host_permissions added in manifest.json.
• Flag new domains extracted from code (potential C2/exfil endpoints).
• Flag new static-analysis detections (e.g., base64 decode, cookie harvesting, network-request builders, obfuscation patterns).
• Flag statistical anomalies such as sharp entropy jumps or outlier z-scores in changed scripts.

Detecting script changes accurately

• New script added → detect via manifest.json diff.
• Existing script modified (manifest unchanged) → compare per-file hashes from the extracted file tree (e.g., Assemblyline Extract output). This catches stealthy updates to existing workers or content scripts.

Pre-disclosure detections

To avoid “easy mode” detections based on already-known IOCs, disable threat-intel-fed services and rely on intrinsic signals (domains, heuristic signatures, script deltas, entropy anomalies). This increases chances of catching malicious updates before public reporting.

Example high-confidence alert logic

• Low-noise combo: new domains + new static-analysis detections + updated background/service worker + updated or added content scripts.
• Broader catch: new domain + new or updated background/service worker (higher recall, higher noise).

Key Assemblyline services for this workflow:

• Extract: unpacks the extension and yields per-file hashes.
• Characterize: computes file characteristics (e.g., entropy).
• JsJAWS / FrankenStrings / URLCreator: surface JS heuristics, strings, and domains to diff between versions.

Security Audit Checklist

Ingawa Browser Extensions zina limited attack surface, baadhi yao yanaweza kuwa na vulnerabilities au maboresho ya hardening. Zifuatazo ndizo za kawaida:

• Punguza kadri inavyowezekana ombi la permissions
• Punguza kadri inavyowezekana host_permissions
• Tumia strong content_security_policy
• Punguza kadri inavyowezekana externally_connectable; kama hakuna hitaji, usiweke by default — taja {}
• Ikiwa URL vulnerable to XSS or to takeover imetajwa hapa, mshambuliaji ataweza send messages to the background scripts directly. Bypass yenye nguvu sana.
• Punguza kadri inavyowezekana web_accessible_resources, hata empty kama inawezekana.
• Ikiwa web_accessible_resources si none, angalia kwa ajili ya ClickJacking
• Ikiwa mawasiliano yoyote yanafanyika kutoka kwa extension hadi kwa web page, check for XSS vulnerabilities zinazoweza kusababishwa katika mawasiliano hayo.
• Ikiwa Post Messages zinatumika, angalia kwa ajili ya Post Message vulnerabilities.
• Ikiwa Content Script access DOM details, hakikisha hazileti XSS watakapohaririwa na tovuti
• Toa umuhimu maalum kama mawasiliano haya pia yanahusisha Content Script -> Background script communication
• Ikiwa background script inawasiliana kupitia native messaging hakikisha mawasiliano ni salama na imefanywa sanitize
• Sensitive information shouldn’t be stored ndani ya code ya Browser Extension
• Sensitive information shouldn’t be stored ndani ya memory ya Browser Extension
• Sensitive information shouldn’t be stored ndani ya file system bila ulinzi

Browser Extension Risks

• The app https://crxaminer.tech/ analyzes some data like the permissions browser extension requests to give a risk level of using the browser extension.

Tools

Tarnish

• Pulls any Chrome extension from a provided Chrome webstore link.
• manifest.json viewer: simply displays a JSON-prettified version of the extension’s manifest.
• Fingerprint Analysis: Detection of web_accessible_resources and automatic generation of Chrome extension fingerprinting JavaScript.
• Potential Clickjacking Analysis: Detection of extension HTML pages with the web_accessible_resources directive set. These are potentially vulnerable to clickjacking depending on the purpose of the pages.
• Permission Warning(s) viewer: which shows a list of all the Chrome permission prompt warnings which will be displayed upon a user attempting to install the extension.
• Dangerous Function(s): shows the location of dangerous functions which could potentially be exploited by an attacker (e.g. functions such as innerHTML, chrome.tabs.executeScript).
• Entry Point(s): shows where the extension takes in user/external input. This is useful for understanding an extension’s surface area and looking for potential points to send maliciously-crafted data to the extension.
• Both the Dangerous Function(s) and Entry Point(s) scanners have the following for their generated alerts:
• Relevant code snippet and line that caused the alert.
• Description of the issue.
• A “View File” button to view the full source file containing the code.
• The path of the alerted file.
• The full Chrome extension URI of the alerted file.
• The type of file it is, such as a Background Page script, Content Script, Browser Action, etc.
• If the vulnerable line is in a JavaScript file, the paths of all of the pages where it is included as well as these page’s type, and web_accessible_resource status.
• Content Security Policy (CSP) analyzer and bypass checker: This will point out weaknesses in your extension’s CSP and will also illuminate any potential ways to bypass your CSP due to whitelisted CDNs, etc.
• Known Vulnerable Libraries: This uses Retire.js to check for any usage of known-vulnerable JavaScript libraries.
• Download extension and formatted versions.
• Download the original extension.
• Download a beautified version of the extension (auto prettified HTML and JavaScript).
• Automatic caching of scan results, running an extension scan will take a good amount of time the first time you run it. However the second time, assuming the extension hasn’t been updated, will be almost instant due to the results being cached.
• Linkable Report URLs, easily link someone else to an extension report generated by tarnish.

Neto

Project Neto ni Python 3 package iliyoundwa kuchambua na kufichua vipengele vilivyofichwa vya browser plugins na extensions kwa browsers maarufu kama Firefox na Chrome. Inabadilisha mchakato wa ku-unzip packaged files ili kutoa vipengele hivi kutoka kwa resources muhimu ndani ya extension kama manifest.json, localization folders au JavaScript na HTML source files.

References

• Thanks to @naivenom for the help with this methodology
• https://www.cobalt.io/blog/introduction-to-chrome-browser-extension-security-testing
• https://palant.info/2022/08/10/anatomy-of-a-basic-extension/
• https://palant.info/2022/08/24/attack-surface-of-extension-pages/
• https://palant.info/2022/08/31/when-extension-pages-are-web-accessible/
• https://help.passbolt.com/assets/files/PBL-02-report.pdf
• https://developer.chrome.com/docs/extensions/develop/concepts/content-scripts
• https://developer.chrome.com/docs/extensions/mv2/background-pages
• https://thehackerblog.com/kicking-the-rims-a-guide-for-securely-writing-and-auditing-chrome-extensions/
• https://gist.github.com/LongJohnCoder/9ddf5735df3a4f2e9559665fb864eac0
• https://redcanary.com/blog/threat-detection/assemblyline-browser-extensions/

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.