BrowExt - permissions & host_permissions
permissions
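Permissions are defined in the extension's manifest.json file using the permissions property and allow access to almost anything a browser can access (cookies or physical storage):
The previous manifest declares that the extension requires the storage permission. This means that it can use the storage API to store its data persistently. Unlike cookies or localStorage APIs, which give users some level of control, extension storage can normally only be cleared by uninstalling the extension.
An extension requests the permissions indicated in its manifest.json file and, after the extension is installed, you can always check its permissions in your browser, as shown in the image below:
You can find the complete list of permissions a Chromium browser extension can request here, and a complete list for Firefox extensions here.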
host_permissions
The optional but powerful setting host_permissions indicates which hosts the extension can interact with via APIs such as cookies, webRequest, and tabs.
The following host_permissions basically allow the entire web:
These are the hosts that the browser extension can access freely. This is because when a browser extension calls fetch("https://gmail.com/") it's not restricted by CORS.
permissions and host_permissions
Moreover, host_permissions also unlock “advanced” tabs API functionality. They allow the extension to call tabs.query() and not only get a list of the user’s browser tabs back but also learn which web page (meaning address and title) is loaded.
Not only that, listeners like tabs.onUpdated become way more useful as well. These will be notified whenever a new page loads into a tab.
Content scripts aren’t necessarily written statically into the extension manifest. Given sufficient host_permissions, extensions can also load them dynamically by calling tabs.executeScript() or scripting.executeScript().
Both APIs allow executing not merely files contained in the extension as content scripts but also arbitrary code. The former allows passing in JavaScript code as a string while the latter expects a JavaScript function, which is less prone to injection vulnerabilities. Still, both APIs will wreak havoc if misused.
In addition to the capabilities above, content scripts could for example intercept credentials as these are entered into web pages. Another classic way to abuse them is injecting advertising on each and every website. Adding scam messages to abuse the credibility of news websites is also possible. Finally, they could manipulate banking websites to reroute money transfers.
Some extension privileges don’t have to be explicitly declared. One example is the tabs API: its basic functionality is accessible without any privileges whatsoever. Any extension can be notified when you open and close tabs, it merely won’t know which website these tabs correspond with.
Sounds too harmless? The tabs.create() API is somewhat less so. It can be used to create a new tab, essentially the same as window.open() which can be called by any website. Yet while window.open() is subject to the pop-up blocker, tabs.create() isn’t.
An extension can create any number of tabs whenever it wants.
If you look through possible tabs.create() parameters, you’ll also notice that its capabilities go way beyond what window.open() is allowed to control. And while Firefox doesn’t allow data: URIs to be used with this API, Chrome has no such protection. Use of such URIs on the top level has been banned due to being abused for phishing.
tabs.update() is very similar to tabs.create() but will modify an existing tab. So a malicious extension can for example arbitrarily load an advertising page into one of your tabs, and it can activate the corresponding tab as well.
You probably know that websites can request special permissions, e.g. in order to access your webcam (video conferencing tools) or geographical location (maps). These are features with considerable potential for abuse, so users have to confirm each time that they still want this.
Not so with browser extensions. If a browser extension wants access to your webcam or microphone, it only needs to ask for permission once. Typically, an extension will do so immediately after being installed. Once this prompt is accepted, webcam access is possible at any time, even if the user isn’t interacting with the extension at this point. Yes, a user will only accept this prompt if the extension really needs webcam access. But after that they have to trust the extension not to record anything secretly.
With access to your exact geographical location or contents of your clipboard, granting permission explicitly is unnecessary altogether. An extension simply adds geolocation or clipboard to the permissions entry of its manifest. These access privileges are then granted implicitly when the extension is installed. So a malicious or compromised extension with these privileges can create your movement profile or monitor your clipboard for copied passwords without you noticing anything.
Adding the history keyword to the permissions entry of the extension manifest grants access to the history API. It allows retrieving the user’s entire browsing history all at once, without waiting for the user to visit these websites again.
The bookmarks permission has similar abuse potential: it allows reading out all bookmarks via the bookmarks API.
The extension storage is merely a key-value collection, very similar to localStorage that any website could use. So no sensitive information should be stored here.
However, advertising companies could also abuse this storage.
You can find the complete list of permissions a Chromium Browser Extension can request here and a complete list for Firefox extensions here.
Google's developer policy explicitly forbids extensions from requesting more privileges than necessary for their functionality, effectively mitigating excessive permission requests. One case where a browser extension overstepped this boundary involved an extension distributed with the browser itself rather than through an add-on store.
Browsers could further curb the misuse of extension privileges. For instance, Chrome's tabCapture and desktopCapture APIs, used for screen recording, are designed to minimize abuse. The tabCapture API can only be activated through direct user interaction, such as clicking on the extension icon, while desktopCapture requires user confirmation for the window to be recorded, preventing clandestine recording activities.
However, tightening security measures often results in decreased flexibility and user-friendliness of extensions. The activeTab permission illustrates this trade-off. It was introduced to eliminate the need for extensions to request host privileges across the entire internet, allowing extensions to access only the current tab upon explicit activation by the user. This model is effective for extensions requiring user-initiated actions but falls short for those requiring automatic or pre-emptive actions, thereby compromising convenience and immediate responsiveness.
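A manifest review for the permissions and host patterns covered on this page, as an added example (not HackTricks code). The function names, the reason strings and SAMPLE_MANIFEST are constructed for illustration; beyond the page's text, it also counts Manifest V2 host patterns listed under permissions and content_scripts matches as host access.

```javascript
// Added example: review a manifest.json for the privileges this page discusses.
// Permission names are the ones the page uses; reasons summarise its text.
const RISKY_PERMISSIONS = new Map([
  ["tabs", "with host access, reveals address and title of open tabs"],
  ["cookies", "cookies API for every host the extension may access"],
  ["webRequest", "webRequest API for every host the extension may access"],
  ["scripting", "can load content scripts dynamically"],
  ["history", "reads the entire browsing history at once"],
  ["bookmarks", "reads out all bookmarks"],
  ["geolocation", "granted implicitly when the extension is installed"],
  ["clipboard", "granted implicitly when the extension is installed"],
]);

// True for match patterns whose host part is a bare wildcard (the whole web).
function isBroadHostPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)(\/.*)$/.exec(pattern);
  return m !== null && m[2] === "*";
}

// Returns a list of findings: risky API permissions and web-wide host access.
function auditManifest(manifest) {
  const declared = manifest.permissions || [];
  // Manifest V2 puts host match patterns in "permissions" as well.
  const looksLikeHost = (p) => p === "<all_urls>" || p.includes("://");
  const hosts = new Set([
    ...(manifest.host_permissions || []),
    ...declared.filter(looksLikeHost),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ]);
  const findings = [];
  for (const p of declared) {
    if (!looksLikeHost(p) && RISKY_PERMISSIONS.has(p))
      findings.push({ kind: "permission", value: p, why: RISKY_PERMISSIONS.get(p) });
  }
  for (const h of hosts) {
    if (isBroadHostPattern(h))
      findings.push({ kind: "host", value: h, why: "matches every website" });
  }
  return findings;
}

// Constructed sample manifest, not taken from a real extension.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Sample extension (constructed)",
  permissions: ["storage", "tabs", "history", "activeTab"],
  host_permissions: ["https://*.example.com/*", "*://*/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
console.log(auditManifest(SAMPLE_MANIFEST));
```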