Chrome Extension for Web Hackers


Two useful links for those who are learning/auditing Chrome Extensions by Mark Wubben.


Several of the points presented in these links are interesting from my point of view.

Content Scripts
    One of the things a Chrome Extension can do is run scripts on the (permitted) pages you visit. The “chrome” domain is a privileged domain. You can specify multiple content scripts per extension.


        A content script needs to match a page. This is done through match patterns. Keep in mind that the user is warned about the sites you might match. The more restrictive your match pattern, the better. At the recent Black Hat conference, researchers showed the possible attack vectors that arise from over-privileged apps.



    Chrome has learned from the security problems that existed with Greasemonkey, and even with Firefox add-ons as a whole. Each extension lives in a so-called “isolated world”, meaning it’s isolated from other extensions save for a few tightly controlled communication bridges.

Content scripts run in separate contexts.
        For example, the JavaScript inside your content scripts is evaluated in a separate context from the page JavaScript. This means your code won’t affect the page code, and vice versa. You can’t directly call page code, and it can’t directly call your code.

Shared DOM
        Luckily the page document is shared between the various content scripts that might be running on it. That way, you can change it!
        Communicating with page JavaScript
            But with these isolated worlds, how can your content scripts talk to the page JavaScript? Well, you’ve got access to the DOM, so you can insert your own JavaScript into the page! And, you can use DOM events so the inserted JavaScript can talk back to you.
                // Content script side: listen for the custom DOM event the page will dispatch.
                document.documentElement.addEventListener("SWDCNotify", function(){ alert("Notified!"); }, false);
                // Inject a <script> element so that notifyContentScript() is defined in the page's own context.
                var s = document.createElement("script");
                s.textContent = 'function notifyContentScript(){\
                                    var evt = document.createEvent("Event");\
                                    evt.initEvent("SWDCNotify", false, false);\
                                    document.documentElement.dispatchEvent(evt);\
                                }';
                document.documentElement.appendChild(s);

        This sets up a content script that inserts the `notifyContentScript` method into the page. When this method is called, a custom DOM event is dispatched on the document element, which is used to notify the content script. While you can’t send data along with the event, you can store it in the DOM. The content script can then look it up.
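        As an added example (not code from this post or from Mark Wubben's articles), here is the pattern above carried one step further: the injected page script stores its data in a hidden DOM node before dispatching the event, and the content script reads that node and validates what it finds, since anything in the shared DOM is page-controlled. The node id, event name and message fields are assumptions made for this example.

```javascript
// Content-script side of the page bridge. The page's JavaScript cannot call the
// content script directly, so the page writes its data into a DOM node and fires
// a DOM event; the content script reads the node. Everything read from the shared
// DOM is page-controlled, so it is validated before use. The node id, event name
// and message fields ("type", "selector") are assumptions made for this example.
const BRIDGE_ID = "swdc-bridge";  // id of the hidden node used as a mailbox
const EVENT_NAME = "SWDCNotify";  // DOM event the page fires after writing

// Parse and validate the raw string the page left in the DOM. Returns an object
// holding only the whitelisted fields, or null if the payload is malformed.
function parsePageMessage(raw) {
  if (typeof raw !== "string" || raw.length > 1024) return null;
  let msg;
  try { msg = JSON.parse(raw); } catch (e) { return null; }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return null;
  if (msg.type !== "highlight" && msg.type !== "count") return null;
  if (typeof msg.selector !== "string" || msg.selector.length > 200) return null;
  return { type: msg.type, selector: msg.selector };  // unknown fields dropped
}

// Script text injected into the page: defines notifyContentScript(data), which
// stores a JSON string in the mailbox node and then dispatches the notify event.
const PAGE_SCRIPT = `
  function notifyContentScript(data) {
    var box = document.getElementById(${JSON.stringify(BRIDGE_ID)});
    if (!box) {
      box = document.createElement("div"); box.id = ${JSON.stringify(BRIDGE_ID)};
      box.style.display = "none";
      document.documentElement.appendChild(box);
    }
    box.setAttribute("data-msg", JSON.stringify(data));
    var evt = document.createEvent("Event");
    evt.initEvent(${JSON.stringify(EVENT_NAME)}, false, false);
    document.documentElement.dispatchEvent(evt);
  }`;

// Browser-only glue: register the listener first, then inject the page script.
function installBridge(doc, onMessage) {
  doc.documentElement.addEventListener(EVENT_NAME, function () {
    const box = doc.getElementById(BRIDGE_ID);
    const msg = parsePageMessage(box ? box.getAttribute("data-msg") : null);
    if (msg) onMessage(msg);  // malformed or oversized payloads are ignored
  }, false);
  const s = doc.createElement("script");
  s.textContent = PAGE_SCRIPT;
  doc.documentElement.appendChild(s);
}

if (typeof document !== "undefined") installBridge(document, (m) => console.log("page said", m));
```

        In the browser, page code calls `notifyContentScript({type: "highlight", selector: "a.ext"})` and the content script receives only the validated copy.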

Content scripts are limited.
        Content scripts are fairly limited though. They exist only as long as the page they run on exists. They don’t have access to any permanent storage, so you can’t configure them. Nor can they talk to other websites, so you can’t look up anything through an API. Chrome forces the extension developer to request permission for almost anything. When the user installs your extension they are made aware of what your extension will have permission to do, making it harder for nefarious extension developers to sneak bad stuff into their extensions without the user knowing about it.
