Explore offensive browser extension development techniques in this 51-minute conference talk from Derbycon 2018. Delve into the WebExtension API, understanding its significance and potential for abuse. Learn about malicious extensions in the wild, basic extension structure, and permissions. Discover methods for hiding malicious behavior, including code obfuscation techniques. Examine extension command and control, cloning extensions, and the process of submitting to web stores. Analyze Google Web Store and Mozilla Add-ons Store submission processes. Investigate Chrome inline installations, social engineering tactics, and installation pretexts. Gain insights into Chrome external installs, secure preferences, and post-exploitation Chrome apps. Explore native messaging capabilities and access a comprehensive code dump for practical implementation.
Overview
Syllabus
Intro
The WebExtension API
Why does this matter?
Malicious extensions in the wild
More room for abuse
Basic Extension Structure
Permissions
Abuse Hanlon's razor
Hiding malicious behavior
Example pretext
Hiding evall
Example code is your friend
Extension Command & Control
Cloning Extensions
Submitting to a Web Store
Google Web Store Submissions
Google Web Store Analysis
Mozilla Add-ons Store
Mozilla Add-ons Analysis
Chrome Inline Installations
Social engineering
Installation pretext 1
Chrome External Installs
Chrome SecurePreferences
Post Exploitation Chrome Apps
Native Messaging
Code Dump
