HackTricks-wiki · carlospolop · Mar 12, 2026
diff --git a/src/pentesting-web/browser-extension-pentesting-methodology/README.md b/src/pentesting-web/browser-extension-pentesting-methodology/README.md
@@ -700,6 +700,40 @@ Stealthy technique to backdoor Chromium by directly editing per-user Preferences
 forced-extension-load-preferences-mac-forgery-windows.md
 {{#endref}}
 
+## Detecting Malicious Extension Updates (Static Version Diffing)
+
+Supply-chain compromises often arrive as **malicious updates** to previously benign extensions. A practical, low-noise approach is to **compare a new extension package against the last known-good version** using static analysis (for example, [Assemblyline](https://github.com/CybercentreCanada/assemblyline)). The goal is to alert on **high-signal deltas** rather than on any change.
+
+### Workflow
+
+- **Submit both versions** (old + new) to the same static-analysis profile.
+- **Flag new or updated background/service worker scripts** (persistence + privileged logic).
+- **Flag new or updated content scripts** (DOM access and data collection).
+- **Flag new permissions/host_permissions** added in `manifest.json`.
+- **Flag new domains** extracted from code (potential C2/exfil endpoints).
+- **Flag new static-analysis detections** (e.g., base64 decode, cookie harvesting, network-request builders, obfuscation patterns).
+- **Flag statistical anomalies** such as sharp entropy jumps or outlier z-scores in changed scripts.
+
+### Detecting script changes accurately
+
+- **New script added** → detect via `manifest.json` diff.
+- **Existing script modified** (manifest unchanged) → compare **per-file hashes** from the extracted file tree (e.g., Assemblyline `Extract` output). This catches stealthy updates to existing workers or content scripts.
+
+### Pre-disclosure detections
+
+To avoid “easy mode” detections based on already-known IOCs, **disable threat-intel-fed services** and rely on intrinsic signals (domains, heuristic signatures, script deltas, entropy anomalies). This increases chances of catching malicious updates **before public reporting**.
+
+### Example high-confidence alert logic
+
+- **Low-noise combo:** new domains + new static-analysis detections + updated background/service worker + updated or added content scripts.
+- **Broader catch:** new domain + new or updated background/service worker (higher recall, higher noise).
+
+Key Assemblyline services for this workflow:
+
+- **Extract**: unpacks the extension and yields per-file hashes.
+- **Characterize**: computes file characteristics (e.g., entropy).
+- **JsJAWS / FrankenStrings / URLCreator**: surface JS heuristics, strings, and domains to diff between versions.
+
 ## Security Audit Checklist
 
 Even though Browser Extensions have a **limited attack surface**, some of them might contain **vulnerabilities** or **potential hardening improvements**. The following ones are the most common ones:
@@ -767,5 +801,6 @@ Project Neto is a Python 3 package conceived to analyse and unravel hidden featu
 - [https://developer.chrome.com/docs/extensions/mv2/background-pages](https://developer.chrome.com/docs/extensions/mv2/background-pages)
 - [https://thehackerblog.com/kicking-the-rims-a-guide-for-securely-writing-and-auditing-chrome-extensions/](https://thehackerblog.com/kicking-the-rims-a-guide-for-securely-writing-and-auditing-chrome-extensions/)
 - [https://gist.github.com/LongJohnCoder/9ddf5735df3a4f2e9559665fb864eac0](https://gist.github.com/LongJohnCoder/9ddf5735df3a4f2e9559665fb864eac0)
+- [https://redcanary.com/blog/threat-detection/assemblyline-browser-extensions/](https://redcanary.com/blog/threat-detection/assemblyline-browser-extensions/)
 
 {{#include ../../banners/hacktricks-training.md}}