From ff1635420bec77c78ac610f73ab5f3aa183e7b07 Mon Sep 17 00:00:00 2001 From: CPol Date: Sun, 8 Dec 2024 22:49:34 +0000 Subject: [PATCH] GITBOOK-4441: No subject --- .../README.md | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/pentesting-web/browser-extension-pentesting-methodology/README.md b/pentesting-web/browser-extension-pentesting-methodology/README.md index a28229a1532..6c5824d0743 100644 --- a/pentesting-web/browser-extension-pentesting-methodology/README.md +++ b/pentesting-web/browser-extension-pentesting-methodology/README.md @@ -9,7 +9,7 @@ Learn & practice GCP Hacking: Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -17,7 +17,7 @@ Learn & practice GCP Hacking: A message is sent to the extension pages by the content script when this button is clicked, through the utilization of the [**runtime.sendMessage() API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/runtime/sendMessage). This is due to the content script's limitation in direct access to APIs, with `storage` being among the few exceptions. For functionalities beyond these exceptions, messages are sent to extension pages which content scripts can communicate with. {% hint style="warning" %} -Depending on the browser, the capabilities of the content script may vary slightly. For Chromium-based browsers, the capabilities list is available in the [Chrome Developers documentation](https://developer.chrome.com/docs/extensions/mv3/content\_scripts/#capabilities), and for Firefox, the [MDN](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content\_scripts#webextension\_apis) serves as the primary source.\ +Depending on the browser, the capabilities of the content script may vary slightly. For Chromium-based browsers, the capabilities list is available in the [Chrome Developers documentation](https://developer.chrome.com/docs/extensions/mv3/content_scripts/#capabilities), and for Firefox, the [MDN](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts#webextension_apis) serves as the primary source.\ It is also noteworthy that content scripts have the ability to communicate with background scripts, enabling them to perform actions and relay responses back. {% endhint %} 
@@ -305,7 +305,7 @@ As browser extensions can be so **privileged**, a malicious one or one being com Check how these settings work and how they could get abused in: {% content-ref url="browext-permissions-and-host_permissions.md" %} -[browext-permissions-and-host\_permissions.md](browext-permissions-and-host\_permissions.md) +[browext-permissions-and-host\_permissions.md](browext-permissions-and-host_permissions.md) {% endcontent-ref %} ### `content_security_policy` 
@@ -729,14 +729,18 @@ Even though Browser Extensions have a **limited attack surface**, some of them m * [ ] **Sensitive information shouldn't be stored** inside the Browser Extension **memory** * [ ] **Sensitive information shouldn't be stored** inside the **file system unprotected** +## Browser Extension Risks + +* The app [https://crxaminer.tech/](https://crxaminer.tech/) analyzes some data like the permissions browser extension requests to give a risk level of using the browser extension. + ## Tools ### [**Tarnish**](https://thehackerblog.com/tarnish/) * Pulls any Chrome extension from a provided Chrome webstore link. * [**manifest.json**](https://developer.chrome.com/extensions/manifest) **viewer**: simply displays a JSON-prettified version of the extension’s manifest. -* **Fingerprint Analysis**: Detection of [web\_accessible\_resources](https://developer.chrome.com/extensions/manifest/web\_accessible\_resources) and automatic generation of Chrome extension fingerprinting JavaScript. -* **Potential Clickjacking Analysis**: Detection of extension HTML pages with the [web\_accessible\_resources](https://developer.chrome.com/extensions/manifest/web\_accessible\_resources) directive set. These are potentially vulnerable to clickjacking depending on the purpose of the pages. +* **Fingerprint Analysis**: Detection of [web\_accessible\_resources](https://developer.chrome.com/extensions/manifest/web_accessible_resources) and automatic generation of Chrome extension fingerprinting JavaScript. +* **Potential Clickjacking Analysis**: Detection of extension HTML pages with the [web\_accessible\_resources](https://developer.chrome.com/extensions/manifest/web_accessible_resources) directive set. These are potentially vulnerable to clickjacking depending on the purpose of the pages. * **Permission Warning(s) viewer**: which shows a list of all the Chrome permission prompt warnings which will be displayed upon a user attempting to install the extension. 
* **Dangerous Function(s)**: shows the location of dangerous functions which could potentially be exploited by an attacker (e.g. functions such as innerHTML, chrome.tabs.executeScript). * **Entry Point(s)**: shows where the extension takes in user/external input. This is useful for understanding an extension’s surface area and looking for potential points to send maliciously-crafted data to the extension. @@ -747,7 +751,7 @@ Even though Browser Extensions have a **limited attack surface**, some of them m * The path of the alerted file. * The full Chrome extension URI of the alerted file. * The type of file it is, such as a Background Page script, Content Script, Browser Action, etc. - * If the vulnerable line is in a JavaScript file, the paths of all of the pages where it is included as well as these page’s type, and [web\_accessible\_resource](https://developer.chrome.com/extensions/manifest/web\_accessible\_resources) status. + * If the vulnerable line is in a JavaScript file, the paths of all of the pages where it is included as well as these page’s type, and [web\_accessible\_resource](https://developer.chrome.com/extensions/manifest/web_accessible_resources) status. * **Content Security Policy (CSP) analyzer and bypass checker**: This will point out weaknesses in your extension’s CSP and will also illuminate any potential ways to bypass your CSP due to whitelisted CDNs, etc. * **Known Vulnerable Libraries**: This uses [Retire.js](https://retirejs.github.io/retire.js/) to check for any usage of known-vulnerable JavaScript libraries. * Download extension and formatted versions. 
@@ -782,7 +786,7 @@ Learn & practice GCP Hacking: Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
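Review bot: in the @@ -17,7 hunk only the two documentation URLs inside the `{% hint style="warning" %}` block are unescaped, and the trailing `\` line continuation on the changed line is kept, so the hint still renders as a single block; the link text elsewhere in this file keeps `\_`, which is correct since the escape is needed in markdown text but not inside a URL target.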
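Review bot: the @@ -305,7 hunk fixes a real inconsistency rather than a cosmetic one: the link target now matches the `{% content-ref url="browext-permissions-and-host_permissions.md" %}` attribute two lines above, which already used the unescaped filename, so the rendered link and the content-ref now point at the same file.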
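Review bot: the new "Browser Extension Risks" bullet in the @@ -729,14 hunk should say what the tool takes as input and what the risk level is derived from; "analyzes some data like the permissions browser extension requests" only tells the reader that the score is based on declared permissions, so the doc should state plainly that this is a permission-based triage score and does not replace the manual checks in the checklist directly above it (secrets in memory or on disk, CSP, and so on). Also consider moving it under `## Tools`, since a one-bullet section that introduces a tool sits oddly between the checklist and the Tools heading; `### [crxaminer](https://crxaminer.tech/)` followed by the same bullet would match how Tarnish is presented.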
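Review bot: the @@ -747,7 hunk touches the line `* If the vulnerable line is in a JavaScript file, the paths of all of the pages where it is included as well as these page’s type, and [web\_accessible\_resource](...) status.`; while that line is being edited, fix `these page’s type` to `these pages' types` and make the link text `web_accessible_resources` match the plural manifest key in the URL, as the two Tarnish bullets in the @@ -729,14 hunk already do.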
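Review bot: the @@ -782,7 hunk repeats the `hacktricks_live` URL fix from the @@ -9,7 hunk for the footer copy of the support block; the header and footer copies are identical after this patch, so nothing was missed, but both copies must be kept in sync on any future edit.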