
Tutorial: Browser extension security scanning

Statically analyze a browser extension package. Pencheff strips the CRX header, unpacks the ZIP, and scores the manifest, scripts, and resources — the analysis CRXcavator pioneered, extended with modern exfiltration and obfuscation checks.

Scenario

  • Artifact. acme-extension.crx (Chrome/Edge) or .xpi (Firefox), or a zipped unpacked extension, hosted at a URL you control.
  • Goal. A risk profile — over-broad permissions, weak CSP, remote-code loading, DOM injection sinks, and embedded secrets.

Inputs you need

Item                                 Where it goes
Artifact URL (.crx / .xpi / .zip)    Artifact URL field
SHA-256 of the file                  SHA-256 field — integrity gate

shasum -a 256 acme-extension.crx

Time budget

Phase                                 Wall time
Fetch + verify + unpack               < 1 min
Manifest + code + secrets analysis    < 1 min
Total                                 ~1–2 min

Steps

1. Register the target

app.pencheff.com → Register target → Mobile & Client Security → Browser Extension:

  • Name: Acme extension — v3.2
  • Artifact URL: https://builds.acme.com/acme-extension.crx
  • SHA-256: the digest from above

2. Run the scan

Commission scan. Pencheff verifies the download, strips the CRX Cr24 header (CRX2/CRX3) to recover the ZIP, and analyzes:

  • manifest.json — permission risk (debugger, cookies, <all_urls>, proxy = critical; tabs, nativeMessaging, management = sensitive), broad host_permissions, weak content_security_policy (unsafe-eval/unsafe-inline), broad externally_connectable, content-script injection surface, and MV2 deprecation.
  • bundled JS/HTML — DOM sinks (eval, new Function, .innerHTML, document.write), remote-code loading (importScripts/remote <script src> — banned under MV3), and external message handlers.
  • secrets — hardcoded keys/tokens across the bundle.

The extension is never loaded in a browser.

3. Read the findings

Findings are tagged extension_misconfig and extension_secrets, each with severity, CWE, the manifest key or script file, and remediation.

Manifest V2 packages are flagged as a deprecated, weaker security model. Remote-code loading is the highest-severity pattern — it’s the classic supply-chain vector (e.g. the Cyberhaven incident) and is banned under Manifest V3.
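As an added example (not Pencheff's own code), the unpacking and scoring that steps 2 and 3 describe, reduced to a small Python script: it strips CRX2/CRX3 framing to recover the ZIP, scores the manifest with the permission tiers listed above, checks the CSP for unsafe-eval/unsafe-inline, and flags remote script loading in bundled JS/HTML as the top-severity pattern. The sample package, its placeholder header bytes and the host cdn.example.invalid are constructed for the demo; the "high" and "medium" labels for the sensitive tier, broad hosts and MV2 are assumptions.

```python
import io, json, re, struct, zipfile

CRITICAL = {"debugger", "cookies", "<all_urls>", "proxy"}
SENSITIVE = {"tabs", "nativeMessaging", "management"}
BROAD_HOST = re.compile(r"^(\*|https?)://\*/")   # *://*/*, https://*/* and similar
REMOTE_CODE = re.compile(r"importScripts\(\s*['\"]https?://|<script[^>]+src=['\"]https?://")

def strip_crx_header(data: bytes) -> bytes:
    """Return the ZIP inside a CRX2 or CRX3 package; a bare ZIP passes through unchanged."""
    if data[:4] != b"Cr24":
        offset = 0                                # no CRX framing: expect a bare ZIP
    else:
        version = struct.unpack_from("<I", data, 4)[0]
        if version == 2:      # magic | version | pubkey len | sig len | pubkey | sig | ZIP
            offset = 16 + sum(struct.unpack_from("<II", data, 8))
        elif version == 3:    # magic | version | header len | protobuf header | ZIP
            offset = 12 + struct.unpack_from("<I", data, 8)[0]
        else:
            raise ValueError(f"unsupported CRX version {version}")
    if data[offset:offset + 2] != b"PK":
        raise ValueError("no ZIP payload found")
    return data[offset:]

def scan_extension(package: bytes) -> list[tuple[str, str, str]]:
    """Static scoring of manifest and bundled scripts; returns (severity, location, issue) triples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(strip_crx_header(package))) as zf:
        m = json.loads(zf.read("manifest.json"))
        if m.get("manifest_version", 2) < 3:
            findings.append(("medium", "manifest_version", "MV2 deprecated"))
        for p in sorted(set(m.get("permissions", [])) | set(m.get("host_permissions", []))):
            if p in CRITICAL or p in SENSITIVE or BROAD_HOST.match(p):
                findings.append(("critical" if p in CRITICAL else "high", "permissions", p))
        csp = m.get("content_security_policy", "")
        csp = " ".join(csp.values()) if isinstance(csp, dict) else csp   # MV3 splits CSP per context
        findings += [("high", "content_security_policy", d) for d in ("unsafe-eval", "unsafe-inline") if d in csp]
        for name in zf.namelist():                # remote-code loading is banned under MV3
            if name.endswith((".js", ".html")) and REMOTE_CODE.search(zf.read(name).decode("utf-8", "replace")):
                findings.append(("critical", name, "remote code loading"))
    return findings

def build_sample_crx3() -> bytes:
    """Constructed sample: CRX3 framing around a tiny MV2 extension; the header bytes are a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps({"manifest_version": 2, "name": "sample", "permissions":
            ["tabs", "cookies", "*://*/*"], "content_security_policy": "script-src 'self' 'unsafe-eval'"}))
        zf.writestr("background.js", "importScripts('https://cdn.example.invalid/loader.js');")
    header = b"\x00" * 20                         # stands in for the signed-data protobuf
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + buf.getvalue()
```

Nothing in the package is executed: the only operations are ZIP reads, JSON parsing and regex matching.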

Deliverable

An extension risk register exportable to DOCX/JSON/CSV — useful for allow/deny decisions on third-party extensions in a managed fleet.
