  • Stars: 146
  • Rank: 251,290 (Top 5 %)
  • Language: JavaScript
  • License: MIT License
  • Created over 5 years ago
  • Updated about 1 year ago

Repository Details

A Chrome extension static analysis tool to help aid in security reviews.

tarnish

tarnish is a static-analysis tool to aid researchers in security reviews of Chrome extensions. It automates much of the regular grunt work and helps you quickly identify potential security vulnerabilities. This tool accompanies the research blog post which can be found here. If you don't want to go through the trouble of setting this up you can just use the tool at https://thehackerblog.com/tarnish/.

Unpolished Notice & Notes

It should be noted that this is an unpolished release. This is the same source as the deployment located at https://thehackerblog.com/tarnish/. In the future I may clean this up and make it much easier to run, but I don't have time right now.

To set this up you'll need to understand how to:

  • Configure an S3 bucket
  • (if using auto-scaling) Set up ElasticBeanstalk
  • Use docker-compose
  • Set up redis

The set up is a little complex due to a few design goals:

  • Effectively perform static analysis against Chrome extensions.
  • Automatically scale up to an increased workload with more instances, and scale back down.
  • Work on a shoestring budget (thus the use of ElasticBeanstalk with Spot Instances).

Some quick notes to help someone attempting to set this up:

  • tarnish makes use of Python Celery for analysis of extensions.
  • The Python Celery config uses redis as a broker (this will have to be created).
  • The workers which process extension analysis jobs run on AWS ElasticBeanstalk spot instances. For those unfamiliar, spot instances are basically bidding on unused compute. This allows the service to run super cheaply.
  • The workers require at least an AWS t2.medium instance to operate.
  • The tarnish frontend is just a set of static files which are uploaded to an S3 bucket configured for static web hosting.

See docker-compose.yaml.example for the environment variable configs. Ideally you'd run ./start.sh and navigate to the static frontend to get things running. You can use S3 for the static site or just a simple static webserver like python -m SimpleHTTPServer (you'll have to modify the JavaScript files to ensure the origin matches, etc.).

Features

Pulls any Chrome extension from a provided Chrome webstore link.

  • manifest.json viewer: simply displays a JSON-prettified version of the extension's manifest.
  • Fingerprint Analysis: detection of web_accessible_resources and automatic generation of Chrome extension fingerprinting JavaScript.
  • Potential Clickjacking Analysis: detection of extension HTML pages with the web_accessible_resources directive set. These are potentially vulnerable to clickjacking depending on the purpose of the pages.
  • Permission Warning(s) viewer: shows a list of all the Chrome permission prompt warnings which will be displayed when a user attempts to install the extension.
  • Dangerous Function(s): shows the location of dangerous functions which could potentially be exploited by an attacker (e.g. functions such as innerHTML, chrome.tabs.executeScript).
  • Entry Point(s): shows where the extension takes in user/external input. This is useful for understanding an extension's attack surface and looking for potential points to send maliciously-crafted data to the extension.
  • Both the Dangerous Function(s) and Entry Point(s) scanners provide the following for their generated alerts:
    • Relevant code snippet and line that caused the alert.
    • Description of the issue.
    • A "View File" button to view the full source file containing the code.
    • The path of the alerted file.
    • The full Chrome extension URI of the alerted file.
    • The type of file it is, such as a Background Page script, Content Script, Browser Action, etc.
    • If the vulnerable line is in a JavaScript file, the paths of all of the pages where it is included, as well as those pages' types and web_accessible_resource status.
  • Content Security Policy (CSP) analyzer and bypass checker: this will point out weaknesses in your extension's CSP and will also illuminate any potential ways to bypass your CSP due to whitelisted CDNs, etc.
  • Known Vulnerable Libraries: this uses Retire.js to check for any usage of known-vulnerable JavaScript libraries.
  • Download extension and formatted versions:
    • Download the original extension.
    • Download a beautified version of the extension (auto-prettified HTML and JavaScript).
  • Automatic caching of scan results: running an extension scan takes a good amount of time the first time you run it. The second time, assuming the extension hasn't been updated, it will be almost instant because the results are cached.
  • Linkable Report URLs: easily link someone else to an extension report generated by tarnish.
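The clickjacking and CSP checks above both start from manifest.json. The following is an added example, not tarnish's own code, of what the first pass of such a static check looks like: it lists the HTML pages an extension exposes via web_accessible_resources (in both the MV2 array and MV3 object form) and flags weak script-src entries in the extension CSP, including whitelisted external hosts. The manifest is constructed for the example and cdn.example.com is a placeholder host.

```javascript
// Added example (not part of tarnish): minimal manifest.json static checks.

// Flatten web_accessible_resources to a list of resource patterns.
function accessibleResources(manifest) {
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 3) {
    // MV3: [{ resources: [...], matches: [...] }, ...]
    return war.flatMap((entry) => entry.resources || []);
  }
  return war; // MV2: plain array of patterns
}

// HTML pages reachable from web origins are the clickjacking candidates.
function exposedHtmlPages(manifest) {
  return accessibleResources(manifest).filter((r) => /\.html?$/i.test(r));
}

// MV2 stores the CSP as a string, MV3 as { extension_pages: "..." }.
function extensionCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (csp && typeof csp === 'object') return csp.extension_pages || '';
  return csp || '';
}

// Flag weak or bypass-prone script-src sources in a CSP string.
function cspFindings(csp) {
  const findings = [];
  const directive = csp.split(';').map((d) => d.trim())
    .find((d) => d.startsWith('script-src'));
  if (!directive) return findings; // nothing explicit to review
  for (const src of directive.split(/\s+/).slice(1)) {
    if (src === "'unsafe-eval'" || src === "'unsafe-inline'") {
      findings.push(`script-src allows ${src}`);
    } else if (src.startsWith('http:')) {
      findings.push(`script-src allows plaintext source ${src}`);
    } else if (src !== "'self'" && !src.startsWith("'")) {
      findings.push(`script-src whitelists external host ${src}; review for CSP bypass gadgets`);
    }
  }
  return findings;
}

function analyzeManifest(manifest) {
  return { exposedPages: exposedHtmlPages(manifest), cspFindings: cspFindings(extensionCsp(manifest)) };
}

// Constructed sample manifest (not a real extension).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'constructed-sample',
  web_accessible_resources: ['popup.html', 'assets/logo.png', 'frame/settings.html'],
  content_security_policy: "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'",
};
```

Run it with `node` and inspect `analyzeManifest(SAMPLE_MANIFEST)`; a full scanner would next open each exposed page to decide whether framing it matters, which is the judgement the Potential Clickjacking Analysis leaves to the reviewer.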

More Repositories

  • NorthKoreaDNSLeak: Snapshot of North Korea's DNS data taken from zone transfers. (1,684 stars)
  • xsshunter-express (JavaScript): An easy-to-setup version of XSS Hunter. Sets up in five minutes and requires no maintenance! (1,458 stars)
  • xsshunter (JavaScript): The XSS Hunter service - a portable version of XSSHunter.com. (1,458 stars)
  • CursedChrome (JavaScript): Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies, allowing you to browse sites as your victims. (1,391 stars)
  • sonar.js (JavaScript): A framework for identifying and launching exploits against internal network hosts. Works via WebRTC IP enumeration combined with WebSockets and external resource fingerprinting. (540 stars)
  • TLDR (Python): TLDR (TLD Records) is a continually updated DNS archive of zone transfer attempts against all existing TLD nameservers as well as the root servers. (520 stars)
  • JudasDNS (JavaScript): Nameserver DNS poisoning attacks made easy. (516 stars)
  • cloudflare_enum (Python): Cloudflare DNS Enumeration Tool for Pentesters. (515 stars)
  • TrustTrees (Python): A Tool for DNS Delegation Trust Graphing. (400 stars)
  • xssless (Python): An automated XSS payload generator written in python. (313 stars)
  • ChromeGalvanizer (Vue): Harden your Chrome browser via enterprise policy. (275 stars)
  • xsshunter_client (Python): Correlated injection proxy tool for XSS Hunter. (248 stars)
  • droidbrute: A statistically optimized USB rubber ducky payload to brute force 4-digit Android PINs. (189 stars)
  • RussiaDNSLeak: Summary and archives of leaked Russian TLD DNS data. (181 stars)
  • FlashHTTPRequest (HTML): A very simple bridge for performing Flash HTTP requests with JavaScript. (77 stars)
  • xcname (Python): A tool for enumerating expired domains in CNAME records. (58 stars)
  • chrome-extension-manifests-dataset: >100K Chrome Extension manifest.json files for analysis. (57 stars)
  • RAGE (JavaScript): A hacked together PHP shell designed to be stealthy and portable. (54 stars)
  • signal-bot (JavaScript): A Signal bot that utilizes the Chrome DevTools protocol to hook the Signal Electron Desktop app for automation. (46 stars)
  • PaperChaser (JavaScript). (44 stars)
  • comfortably-run (JavaScript): A CLI tool which can be used to inject JavaScript into arbitrary Chrome origins via the Chrome DevTools Protocol. (41 stars)
  • VietnamDNSLeak: Summary and archives of leaked Vietnam TLD DNS data. (41 stars)
  • PERS (JavaScript): A passive scanning tool for finding expired domain vulnerabilities while you browse. (40 stars)
  • Metafid-Base (PHP): The base classes that are used by Metafid (a private piece of software that generates web bot code from Fiddler archives). (39 stars)
  • UPBRUTE (Python): Dynamic DNS Update Bruteforce Tool. (30 stars)
  • xpire-crossdomain-scanner (Python): Scans crossdomain.xml policies for expired domain names. (26 stars)
  • wmap (JavaScript): A mass web screenshot tool for mapping web networks. (24 stars)
  • overairdroid (Python): A python library to automate the use of the Airdroid app for Android. (22 stars)
  • lambda-intruder (JavaScript): An example of high-QPS requesting Burp Intruder style on AWS Lambda via self-invocation. (22 stars)
  • xsshunter_docs: XSS Hunter correlated injection API guide. (18 stars)
  • TLD-Health-Report: Daily TLD health report generated using RIPE's DNSCheck against all existing TLDs. (17 stars)
  • xsshunter_chrome_extension (JavaScript): WHY? (12 stars)
  • FileURISecurity (HTML): Testing page for checking the privileges that a browser gives to the file:// origin. (11 stars)
  • ctf_tools (Python): Random CTF tool repo for small code snippets. (10 stars)
  • theinternetbackup-cli (JavaScript): Contribute domains to TheInternetBackup.com via an easy CLI tool! (10 stars)
  • dig-lambda-layer: A simple AWS Lambda layer to add dig support. (9 stars)
  • mandatoryprogrammer. (8 stars)
  • dotfiles (Vim Script): My dot files. (6 stars)
  • subresource_integrity_rewrite (Python): Rewrites flat HTML pages to include subresource integrity for all third party scripts/stylesheets. (6 stars)
  • elasticbeanstalk-base (Dockerfile): Base Elastic Beanstalk config which uses Docker and an environment variable EC2_SPOT_PRICE for spot bidding. (5 stars)
  • testrepo: test. (3 stars)
  • mygithubpage. (2 stars)
  • Trapcall2Spreadsheet (PHP): Exports your logged Trapcalls to a CSV spreadsheet. (2 stars)
  • teamflix-reports: A place to report bugs and feature requests for teamflix. (1 star)
  • testing: "><script src=//y.vg></script> (1 star)