diff --git a/src/pentesting-web/browser-extension-pentesting-methodology/README.md b/src/pentesting-web/browser-extension-pentesting-methodology/README.md index 0705db8b5bc..b27c8d8aa32 100644 --- a/src/pentesting-web/browser-extension-pentesting-methodology/README.md +++ b/src/pentesting-web/browser-extension-pentesting-methodology/README.md 
@@ -700,6 +700,40 @@ Stealthy technique to backdoor Chromium by directly editing per-user Preferences forced-extension-load-preferences-mac-forgery-windows.md {{#endref}} +## Detecting Malicious Extension Updates (Static Version Diffing) + +Supply-chain compromises often arrive as **malicious updates** to previously benign extensions. A practical, low-noise approach is to **compare a new extension package against the last known-good version** using static analysis (for example, [Assemblyline](https://github.com/CybercentreCanada/assemblyline)). The goal is to alert on **high-signal deltas** rather than on any change. + +### Workflow + +- **Submit both versions** (old + new) to the same static-analysis profile. +- **Flag new or updated background/service worker scripts** (persistence + privileged logic). +- **Flag new or updated content scripts** (DOM access and data collection). +- **Flag new permissions/host_permissions** added in `manifest.json`. +- **Flag new domains** extracted from code (potential C2/exfil endpoints). +- **Flag new static-analysis detections** (e.g., base64 decode, cookie harvesting, network-request builders, obfuscation patterns). +- **Flag statistical anomalies** such as sharp entropy jumps or outlier z-scores in changed scripts. + +### Detecting script changes accurately + +- **New script added** → detect via `manifest.json` diff. +- **Existing script modified** (manifest unchanged) → compare **per-file hashes** from the extracted file tree (e.g., Assemblyline `Extract` output). This catches stealthy updates to existing workers or content scripts. + +### Pre-disclosure detections + +To avoid “easy mode” detections based on already-known IOCs, **disable threat-intel-fed services** and rely on intrinsic signals (domains, heuristic signatures, script deltas, entropy anomalies). This increases chances of catching malicious updates **before public reporting**. 
+ +### Example high-confidence alert logic + +- **Low-noise combo:** new domains + new static-analysis detections + updated background/service worker + updated or added content scripts. +- **Broader catch:** new domain + new or updated background/service worker (higher recall, higher noise). + +Key Assemblyline services for this workflow: + +- **Extract**: unpacks the extension and yields per-file hashes. +- **Characterize**: computes file characteristics (e.g., entropy). +- **JsJAWS / FrankenStrings / URLCreator**: surface JS heuristics, strings, and domains to diff between versions. + ## Security Audit Checklist Even though Browser Extensions have a **limited attack surface**, some of them might contain **vulnerabilities** or **potential hardening improvements**. The following ones are the most common ones: @@ -767,5 +801,6 @@ Project Neto is a Python 3 package conceived to analyse and unravel hidden featu - [https://developer.chrome.com/docs/extensions/mv2/background-pages](https://developer.chrome.com/docs/extensions/mv2/background-pages) - [https://thehackerblog.com/kicking-the-rims-a-guide-for-securely-writing-and-auditing-chrome-extensions/](https://thehackerblog.com/kicking-the-rims-a-guide-for-securely-writing-and-auditing-chrome-extensions/) - [https://gist.github.com/LongJohnCoder/9ddf5735df3a4f2e9559665fb864eac0](https://gist.github.com/LongJohnCoder/9ddf5735df3a4f2e9559665fb864eac0) +- [https://redcanary.com/blog/threat-detection/assemblyline-browser-extensions/](https://redcanary.com/blog/threat-detection/assemblyline-browser-extensions/) {{#include ../../banners/hacktricks-training.md}}
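Review bot: in the first hunk, the "Detecting script changes accurately" list treats the per-file hash comparison as a fallback for the "existing script modified" case only, but it should be the baseline for every file in the extracted package: a `manifest.json` diff only sees scripts that are declared there, and a change to a file pulled in indirectly (an `importScripts()` target in the service worker, a page listed under `web_accessible_resources`, or a script registered at runtime through `chrome.scripting.registerContentScripts()`) leaves the manifest untouched. Suggest rewording the two bullets along the lines of "Compare per-file hashes of the whole extracted tree first; then use the `manifest.json` diff to classify each changed file as background/service worker, content script, or other." Two smaller points: the permissions bullet should also cover `optional_permissions`, `content_security_policy` and `externally_connectable`, since a loosened CSP or a newly connectable origin is as high-signal as a new host permission; and "disable threat-intel-fed services" under "Pre-disclosure detections" reads as a global setting, whereas the intent is a separate analysis profile that runs without those services, so known-IOC coverage is not lost for the normal pipeline.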
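Review bot: in the second hunk, the added redcanary.com link is the only source for the new "Detecting Malicious Extension Updates" section but is cited nowhere in that section; since this page already links related material with `{{#ref}}` / `{{#endref}}` blocks (see the context line above the first hunk), consider adding an inline reference at the end of the section's intro paragraph so a reader can trace the Assemblyline workflow and the "low-noise combo" alert logic to their origin without scanning the trailing References list.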