Friday 1 July 2011

Sparse Bruteforce Addon Detection

This post demonstrates a technique for discovering which browser addons/extensions people who visit your website have installed. This could be used for fingerprinting, compatibility purposes or pre-exploit reconnaissance.

Chrome demo (Detects top 1000 extensions)
Backing script

Firefox demo (Detects ~10% of top 1000 addons)
Backing script

Both demos use the well-known technique of:
<img/script src='chrome://[imageFromAddon]' onload='addonExists=true' onerror='addonExists=false'>

The Firefox demo was generated using a Python script that inspects the chrome.manifest of each addon for 'contentaccessible=yes', then loads the addon's install.rdf and extracts the chrome:// URI of the addon's icon. The Chrome script is extremely simple; it merely detects the manifest.json that all Chrome extensions have. Both scripts can also be used to generate detection code for addons by search keyword.
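Seen from the addon author's side, the same 'contentaccessible=yes' flag is what makes an addon detectable, so it is worth auditing for. The following is an added example, not the script from this post: it parses a chrome.manifest and reports which content packages opt in to being loadable from web pages. The sample manifest, package names and function names are constructed for illustration.

```python
# Added example, not the post's script: flag chrome.manifest content packages
# that opt in to being loadable from web pages.
# Constructed sample manifest; package names are hypothetical.
SAMPLE_MANIFEST = """\
# constructed sample, not from a real addon
content  exampleaddon  chrome/content/
content  examplepanel  jar:chrome/panel.jar!/content/ contentaccessible=yes
skin     examplepanel  classic/1.0 chrome/skin/
locale   examplepanel  en-US chrome/locale/en-US/
content  exampleicons  chrome/icons/ platform contentaccessible=yes
overlay  chrome://browser/content/browser.xul chrome://exampleaddon/content/o.xul
"""

def parse_manifest(text):
    """Yield (line_no, kind, package, flags) for content/skin/locale lines."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        kind = fields[0]
        # content: kind package uri [flags]; skin/locale: kind package name uri [flags]
        first_flag = {"content": 3, "skin": 4, "locale": 4}.get(kind)
        if first_flag is None or len(fields) < first_flag:
            continue  # other instruction types, or a malformed registration
        yield line_no, kind, fields[1], [f.lower() for f in fields[first_flag:]]

def exposed_packages(text):
    """Map each web-reachable package to its manifest line and related registrations."""
    entries = list(parse_manifest(text))
    report = {}
    for line_no, kind, package, flags in entries:
        # Assumption: only the spelling named in the post is matched, on content lines.
        if kind == "content" and "contentaccessible=yes" in flags:
            # skin/locale registrations of the same package are listed for review
            related = sorted({k for _, k, p, _ in entries if p == package and k != "content"})
            report[package] = {"line": line_no, "related": related}
    return report

if __name__ == "__main__":
    for package, info in sorted(exposed_packages(SAMPLE_MANIFEST).items()):
        print(f"line {info['line']}: chrome://{package}/ is loadable by web pages "
              f"(also registered: {', '.join(info['related']) or 'none'})")
```

Any package the audit reports can be probed with the img/script technique shown above; dropping the flag where web content has no need for the resource removes that signal.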

Update: For a technical explanation & more elegant implementation see

Update #2: Firefox addons can also be detected without javascript; see
The PoC on that page no longer works; here's one that does:
