Friday 1 July 2011

Sparse Bruteforce Addon Detection

This post demonstrates a technique for discovering which browser addons/extensions people who visit your website have installed. This could be used for fingerprinting, compatibility purposes or pre-exploit reconnaissance.

Chrome demo (Detects top 1000 extensions)
Backing script

Firefox demo (Detects ~10% of top 1000 addons)
Backing script

Both demos use the well-known technique of:
<img/script src='chrome://[imageFromAddon]' onload='addonExists=true' onerror='addonExists=false'>


The Firefox demo was generated using a Python script that inspects the chrome.manifest of each addon for 'contentaccessible=yes', then loads the addon's install.rdf and extracts the chrome:// URI of the addon's icon. The Chrome script is extremely simple; it merely detects the manifest.json that all Chrome extensions have. Both scripts can also be used to generate detection code for addons by search keyword.
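An added example, not the backing script from this post: a Python check an addon author could run over their own chrome.manifest and install.rdf to see whether the addon's icon is loadable from web content, and so detectable as described above. The sample file contents and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

EM_NS = "http://www.mozilla.org/2004/em-rdf#"  # "em:" namespace used in install.rdf

# Constructed sample input, not taken from any real addon.
SAMPLE_MANIFEST = """\
# registration lines for a hypothetical addon
content  exampleaddon  chrome/content/  contentaccessible=yes
skin     exampleaddon  classic/1.0  chrome/skin/
content  privateaddon  chrome/private/
"""
SAMPLE_INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>example@addon.invalid</em:id>
    <em:iconURL>chrome://exampleaddon/skin/icon.png</em:iconURL>
  </Description>
</RDF>
"""

def exposed_packages(manifest_text):
    """Return content packages registered with contentaccessible=yes."""
    exposed = set()
    for line in manifest_text.splitlines():
        fields = line.split()
        # Format: content <package> <path> [flags...]
        if len(fields) >= 3 and fields[0] == "content":
            if "contentaccessible=yes" in (f.lower() for f in fields[3:]):
                exposed.add(fields[1].lower())
    return exposed

def icon_url(install_rdf_text):
    """Return em:iconURL, given either as a child element or as an attribute."""
    tag = "{%s}iconURL" % EM_NS
    for el in ET.fromstring(install_rdf_text).iter():
        if el.tag == tag and el.text:
            return el.text.strip()
        if el.get(tag):
            return el.get(tag).strip()
    return None

def audit(manifest_text, install_rdf_text):
    """Report whether the addon's icon sits in a web-accessible chrome package."""
    exposed = exposed_packages(manifest_text)
    url = icon_url(install_rdf_text)
    m = re.match(r"chrome://([^/]+)/", url or "")
    pkg = m.group(1).lower() if m else None
    return {"exposed": sorted(exposed), "icon": url, "icon_web_loadable": pkg in exposed}
```

If icon_web_loadable is true and no web page actually needs the addon's chrome resources, dropping the contentaccessible flag from that content line removes the exposure.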

Update: For a technical explanation & more elegant implementation see http://blog.kotowicz.net/2012/02/intro-to-chrome-addons-hacking.html

Update #2: Firefox addons can also be detected without javascript; see http://kuza55.blogspot.co.uk/2007/10/detecting-firefox-extension-without.html
The PoC on that page no longer works; here's one that does: http://albinowax.users.sourceforge.net/scriptlessAddonDetect.html
