Browser Extension Security
Extension Architecture
Browser Extension Components:
├── manifest.json (configuration)
├── Background scripts (persistent/service worker)
├── Content scripts (injected into web pages)
├── Popup (UI)
├── Options page (settings)
├── Web accessible resources
└── Native messaging (communication with native apps)
Reconnaissance
Finding Extensions to Test
# Chrome Web Store
https://chrome.google.com/webstore/category/extensions
# Firefox Add-ons
https://addons.mozilla.org/en-US/firefox/extensions/
# Enterprise extension policies
# Windows registry
reg query "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
reg query "HKLM\SOFTWARE\Policies\Mozilla\Firefox\Extensions"
# macOS managed preferences
defaults read com.google.Chrome ExtensionInstallForcelist
Extracting Extensions
Static Analysis
Manifest.json Review
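As an added example (not code from the original page), the script below performs a first-pass manifest review: it reads an extension's manifest.json, locates each of the components listed under Extension Architecture (background script or service worker, content scripts, popup, options page, web accessible resources, native messaging) in both the Manifest V2 and V3 key layouts, and flags the settings a reviewer would look at first: broad host permissions, content scripts injected into every site, web accessible resources exposed to every origin, and the nativeMessaging permission. The embedded manifest is a constructed sample; point the function at a real extracted manifest.json to use it.

```python
"""Inventory browser-extension components from manifest.json (added example)."""
import json

# Constructed MV3 sample manifest for demonstration only.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Demo Extension",
    "version": "1.0",
    "permissions": ["storage", "nativeMessaging"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_start"}
    ],
    "action": {"default_popup": "popup.html"},
    "options_page": "options.html",
    "web_accessible_resources": [
        {"resources": ["inject.js"], "matches": ["<all_urls>"]}
    ],
})

# Match patterns that mean "every site".
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def inventory(manifest_text):
    """Return the extension's components and review findings as a dict."""
    m = json.loads(manifest_text)
    inv = {"manifest_version": m.get("manifest_version", 2), "components": {}, "findings": []}
    comps = inv["components"]

    # Background: MV2 uses background.scripts or background.page, MV3 a service worker.
    bg = m.get("background", {})
    comps["background"] = bg.get("service_worker") or bg.get("scripts") or bg.get("page")

    # Content scripts: which pages they run on and which files are injected.
    comps["content_scripts"] = [
        {"matches": cs.get("matches", []), "js": cs.get("js", [])}
        for cs in m.get("content_scripts", [])
    ]

    # Popup: MV2 browser_action / page_action, MV3 action.
    ui = m.get("action") or m.get("browser_action") or m.get("page_action") or {}
    comps["popup"] = ui.get("default_popup")

    # Options page: either options_page or options_ui.page.
    comps["options"] = m.get("options_page") or m.get("options_ui", {}).get("page")

    # Web accessible resources: MV2 is a list of paths reachable from any site,
    # MV3 is a list of objects that restrict the resources to given matches.
    exposed = []
    for entry in m.get("web_accessible_resources", []):
        if isinstance(entry, str):
            exposed.append({"resources": [entry], "matches": ["<all_urls>"]})
        else:
            exposed.append({"resources": entry.get("resources", []),
                            "matches": entry.get("matches", [])})
    comps["web_accessible_resources"] = exposed

    # Native messaging is gated by the nativeMessaging permission.
    perms = set(m.get("permissions", []))
    comps["native_messaging"] = "nativeMessaging" in perms

    # Host permissions: MV2 mixes them into permissions, MV3 lists them separately.
    hosts = set(m.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    comps["host_permissions"] = sorted(hosts)

    # Review findings: the settings that widen the extension's exposure the most.
    if hosts & BROAD_PATTERNS:
        inv["findings"].append("broad host permissions")
    if any(set(cs["matches"]) & BROAD_PATTERNS for cs in comps["content_scripts"]):
        inv["findings"].append("content script injected into all sites")
    if any(set(e["matches"]) & BROAD_PATTERNS for e in exposed):
        inv["findings"].append("web accessible resources exposed to all sites")
    if comps["native_messaging"]:
        inv["findings"].append("native messaging enabled")
    return inv


if __name__ == "__main__":
    print(json.dumps(inventory(SAMPLE_MANIFEST), indent=2))
```

Run it against the manifest.json from an extracted extension (replace SAMPLE_MANIFEST with the file's contents); the findings list is a starting point for the Code Analysis step, not a verdict, since a broad match pattern is only a problem in combination with what the listed scripts actually do.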
Code Analysis
Common Vulnerabilities
Cross-Site Scripting (XSS)
Insecure External Communication
Message Passing Vulnerabilities
Privilege Escalation via Web Accessible Resources
CORS/CSP Bypass
Storage Vulnerabilities
Dynamic Testing
Extension Debugging
Intercepting Extension Traffic
Testing Message Passing
Content Script Testing
Exploitation Techniques
Clickjacking Extension UI
Native Messaging Exploitation
Extension ID Enumeration
Tools
Checklist
Reporting Vulnerabilities
Related Topics