In browser extensions, the impact of a vulnerability highly depend on the context and the requested permissions. Static tools (JSHint, AMO validator) to check code exist, but none of them are 100% reliable, especially for obfuscated code.
So, I'm not going to show a magic regular expression which tells you whether some code is vulnerable or not, but give a brief overview on how extensions work, and a small list of potential extension-specific issues.
Existing tools
Mozilla's static code analysis tool, used on addons.mozilla.org is publicly available as AMO Validator. This tool works for all Jetpack-based add-ons. First, it identifies (by hash) and excludes all whitelisted JS libraries. Then, it runs these test cases on the remaining content of the XPI archive.
None of the other vendors have published such a tool. Fortunately, extensions (not plug-ins) for Chrome / Safari / Opera cannot get as much privileges as Firefox add-ons.
Extracting
Firefox (xpi) and Opera (oex) add-ons are zip files with a different extension.
Chrome (crx) extensions are zip files with a preceding CRX header.
Safari (safariextz) extensions are signed xar archives.
7-zip is capable of extracting all of these archives.
Permissions
Chrome, Safari and Opera require the extension developer to declare permissions to access certain origins or features. These declarations can be found at:
Origin access cannot be configured in Firefox add-ons.
Content scripts / Injected scripts
All extension environments support execution of code on pages which match a pre-defined URL pattern. These are called Content scripts in Chrome / Firefox, and Injected scripts in Opera / Safari. These scripts have direct access to the page's DOM, but no direct access to the page's JavaScript variables, because the execution contexts differ.
Background pages
These pages are the most privileged part of an extension.
Vulnerabilities
I'm not going to mention obvious mistakes such as using setTimeout
with strings (these are already mentioned in bobince's answer), or far-fetched methods which are unlikely to be accidental, such as an extension which grabs credentials from a page and sends it to a rogue web service.
Using .innerHTML
or jQuery to parse external HTML (see this question on Stack Overflow):
// Example 1:
var heading = $(xhr.responseText).find('h1').text();
// Example 2:
document.body.innerHTML += '';
// For: <img src="bogus" onerror="do_something_evil_with_privileges()">
Use of the window.onmessage
event without validating the data or checking event.origin
. In the following example, any third-party can use window.open
and postMessage
to send a message to Gmail, and abuse the unintentionally leaked features:
// Content script running on https://mail.google.com/mail/
addEventListener('message', function(event) {
if (event.data.type === 'send-mail') doSomething();
// or:
notifyBackgroundPage(event.data);
});
Loading external (JS) code (worse: loading external code over http). If the external source is compromised, all users will be susceptible to abuse.
Use of cross-browser extension frameworks such as Crossrider and Kango. These are convenient to developers, but the generated extensions request an unnecessary number of permissions.
Not sufficiently restricting the influence of an extension API. An extreme example: Removing the httpOnly
cookie flag for all sites, instead of just the relevant site. This also includes running content scripts on too many pages.
Privacy issues:
- Use of services like Google Analytics (search for
_gaq.push
)
- Loading external assets, such as social media buttons.
Most of the regular vectors are also relevant for extensions. Use the cheatsheets on https://www.owasp.org/ or take a look at http://html5sec.org/.