This is the source code for my talk on Browse Extension Security which I gave at nullcon 2014.
- Paper: https://arxiv.org/abs/1403.3235
- Presentation: https://speakerdeck.com/captn3m0/a-security-analysis-of-browser-extensions
- Blog Post: https://captnemo.in/blog/2014/03/13/nullcon-experience/
- Source Code: https://github.com/captn3m0/nullcon2014 . What you're looking for is mostly in the webstore directory. An offshoot of the research was silent-extension-installations-in-browsers. Code for that is in the
silent/directory. - Dataset: https://github.com/captn3m0/nullcon2014/releases/tag/1.0 (The SQL file should be importable in MySQL, it contains the "extension-permission" mapping, while the ZIP file contains a dump of all extension manifests.
Note that this is decade old research, and the state of art in both directions has advanced considerably. Browsers are much more resilient against silent installations, by limiting them to enterprise profiles, and permission abuse is now part of the threat model used by extension stores.
Released under the MIT Licence.
- silent/chrome (Source code for silent extension install in Chrome)
- silent/firefox (Source code for silent extension install in Firefox)
- webstore/chrome/ (Code to download extensions from the chrome webstore, and to run a static analysis over them. Results are fed to a mysql database)
- webstore/analysis (code that powers nullcon.captnemo.in)
This code was written a while back, and does not work with the latest versions of either Browser (FF/Chrome), but I belive can be modified and made to work again.
Since a lot of data is missing from the repo (I didn't feel like committing huge files), it is availble under the releases section of this repo. Just click on releases on the top, and you can download manifest files of over 7k extensions, and a dump of the mysql database generated by the last run of the tool.
These release files are also licenced under MIT.
The paper behind the talk can be accessed here, and the presentations are available at speakerdeck. I wrote a blog post about it here.