Learn effective techniques for conducting Chrome extension code reviews in this 18-minute conference talk. Explore the security implications of Chrome extensions' broad access to user data, including cookies, tokens, and browsing history. Discover tools and methods for identifying potential vulnerabilities, starting with the manifest.json file and its permissions. Examine three common insecure coding practices in extensions and their associated security risks. Gain insights into Chrome API scopes, particularly chrome.webRequest and chrome.cookies, and understand their significance for bug bounty hunters. Presented by Breanne Boland, an application security engineer at Salesforce, this talk provides valuable knowledge for both security professionals and developers working with Chrome extensions.
Overview
Syllabus
Intro
Chrome extension reviews and my job/context
Why code review? Because market share.
Why code review? Because devs.
Why code review? Because... code.
How to do extension code review: the tl;dr version
Where's the risk?
What the bug hunter should know about this
Chrome.webRequest
Chrome.cookies
Javascript, large and small
Taught by
Bugcrowd
