vFeed


Tools

Published on August 17th, 2012 | by NJ Ouchn

0

XSS ChEF v1.0 – Chrome Extension Exploitation Framework

This is a Chrome Extension Exploitation Framework – think BeEF for Chrome extensions. Whenever you encounter a XSS vulnerability in Chrome extension, ChEF will ease the exploitation.

What can you actually do (when having appropriate permissions)?

  • Monitor open tabs of victims
  • Execute JS on every tab (global XSS)
  • Extract HTML, read/write cookies (also httpOnly), localStorage
  • Get and manipulate browser history
  • Stay persistent until whole browser is closed (or even futher if you can persist in extensions’ localStorage)
  • Make screenshot of victims window
  • Further exploit e.g. via attaching BeEF hooks, keyloggers etc.
  • Explore filesystem through file:// protocol
  • Bypass Chrome extensions content script sandbox to interact directly with page JS

Demo

More Information, Usage & Download

Tags: , , ,


About the Author

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"



Back to Top ↑