Analyzing Chrome Extension Manifests and Detection Techniques
This article examines Chrome extension manifest structures and recent security-related changes, and presents methods (including script onload/onerror probing and a web-store spider) to detect and enumerate extensions, supplemented by sample code and data from large-scale analysis.
The article, authored by YSRC security researchers evi1m0 and neargle, introduces a proof‑of‑concept (PoC) for detecting Chrome extensions by analyzing their manifest files and leveraging script loading behaviors.
It explains that every .crx package contains a manifest.json which defines the extension’s background scripts, content scripts, permissions, and other metadata. An example manifest is shown, illustrating fields such as background, content_scripts, web_accessible_resources, and manifest_version set to 2.
Since Chrome 2.0, the platform enforces Content-Security-Policy (CSP) via the content_security_policy key, requires explicit declaration of web_accessible_resources for any resource that a webpage may load, and replaces the deprecated chrome.self API with chrome.extension, thereby improving security.
Detection can be performed by injecting a <script> tag that points to a resource inside the extension (e.g., chrome-extension://<id>/assets/options.html) and observing onload versus onerror callbacks; a successful load indicates the resource, and thus the extension, exists.
The researchers built a spider that crawls the Chrome Web Store, extracts extension IDs, names, categories, star counts, and user numbers, and downloads all .crx files for analysis. As of early 2017, they identified 42,658 extensions, of which 12,032 exposed detectable resources, yielding a practical detection success rate of roughly 25-33%.
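One way to decide whether a given manifest exposes detectable resources, written as an added example for extension authors and reviewers; it is not the researchers' code. The function name auditManifest and the sample manifests are constructed, and the handling of the Manifest V3 object form (with matches and use_dynamic_url) goes beyond the version 2 manifests the article discusses.

```javascript
// Added example: audit a parsed manifest.json for resources a web page could probe.
// auditManifest and the sample manifests are constructed for illustration.
function auditManifest(manifest) {
  const entries = [];
  for (const item of manifest.web_accessible_resources || []) {
    if (typeof item === "string") {
      // Manifest V2: a plain path list, loadable from any web origin
      // (recorded here as "<all_urls>" so both versions share one check).
      entries.push({ resource: item, matches: ["<all_urls>"], dynamicUrl: false });
    } else if (item && Array.isArray(item.resources)) {
      // Manifest V3: each object scopes its resources to listed origins.
      for (const resource of item.resources) {
        entries.push({
          resource,
          matches: item.matches || [],
          dynamicUrl: item.use_dynamic_url === true,
        });
      }
    }
  }
  const anyOrigin = (m) => m.some((p) => p === "<all_urls>" || p === "*://*/*");
  const findings = entries.map((e) => ({
    resource: e.resource,
    wildcard: e.resource.includes("*"), // pattern, not a single fixed path
    // Probeable by an arbitrary site only if any origin may load it and
    // the URL is built from the stable extension ID.
    probeableByAnySite: anyOrigin(e.matches) && !e.dynamicUrl,
  }));
  return {
    manifestVersion: manifest.manifest_version,
    findings,
    detectable: findings.some((f) => f.probeableByAnySite),
  };
}

// Constructed sample manifests (not taken from the crawl data).
const sampleV2 = { manifest_version: 2,
  web_accessible_resources: ["assets/options.html", "img/*.png"] };
const sampleV3 = { manifest_version: 3, web_accessible_resources: [
  { resources: ["inject.js"], matches: ["https://example.com/*"] },
  { resources: ["ui/*"], matches: ["<all_urls>"], use_dynamic_url: true } ] };
const sampleNone = { manifest_version: 2 };

for (const m of [sampleV2, sampleV3, sampleNone]) {
  console.log(JSON.stringify(auditManifest(m)));
}
```

An extension whose audit reports detectable: false gives the onload/onerror probe nothing to load; narrowing matches or dropping unneeded entries is the corresponding fix on the author's side.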
Sample JSON entries from the crawl are provided, showing fields like web_accessible_resources, name, stars, id, url, category, and users. The authors then filtered extensions with more than 1,000 users and wrote a ProbeJS script that dynamically creates and removes DOM nodes to test each extension’s resources, as illustrated below:
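    // Requires jQuery. The timestamp query string bypasses the browser cache.
    $.get("ext1000up.json" + "?_=" + new Date().valueOf(), function(ext){
        for(let n in ext.data){
            var id = ext.data[n].id;
            var name = ext.data[n].name;
            var war = ext.data[n].web_accessible_resources;
            var curl = ext.data[n].url;
            // testing() is not shown in this excerpt; it probes one extension's resources.
            testing(id, name, war, curl);
        }
        // All entries have been queued; remove the loading indicator.
        $('#loading').remove();
    });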
The full PoC is available at https://sec.ly.com/poc/ext_probe.html, and an illustrative image is included.
Tongcheng Travel Technology Center