Nice work by Jenish Sojitra and Uttam Sabhadiya

I have been missing an alternative to crxcavator for a while.

https://crxplorer.com/

Take the results from crxplorer with a pinch of salt, the hallucination-inducing ones, for now. There are LLMs involved.

Still, I'm happy that there is a working alternative that allows me to quickly view the source code of an extension. If only so I can say "5000k lines of JavaScript dependencies, no, not trusting that".

#crxcavator #chrome #extensions #chromextension

CRXPlorer - Analyze Chrome Extensions for Security & Performance

Scan and analyze Chrome extensions for security vulnerabilities, performance issues, and compliance. Get detailed reports and insights to ensure your extensions are safe and efficient.


Oh no, it seems https://crxcavator.io/ has stopped working. Anyone know anyone at @ duo or cisco who could look into getting it restored?

It was my go-to place to check on the wild west of Chromium extensions.

#duosecurity #cisco #chrome #extensions #crxcavator


Today I discovered #CRXcavator, a web service that will assign a “risk score” to a browser extension to aid your decisions. In particular, it will assign a score to the extension’s privileges: “high” for http://*/* or https://*/* and “critical” for <all_urls>. I mean, the latter also gives browser extensions access to … *checks notes* … highly sensitive about:blank frames!

But none of this really matters as the risk score from permissions is by far shadowed by the risk score from the content security policy. Which content security policy? The default content security policy of course, it’s immensely risky! It still allows compromised extensions to … I don’t know … load ridiculous images from remote servers?

By the way, did you notice how many browser extensions communicate with https://www.w3.org/1999/xlink? Must be some evil spying endpoint.

Why do people without a clue have this urge to educate others about risks? So much so that they build a product around it. 🤡

Edit: I *think* that the huge risk score of the Content Security Policy is mostly because VirusTotal and ThreatExchange have no data on 'self'.
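The permission tiers the post above describes, as an added example that is not code from the post, from CRXcavator or from any of the tools linked on this page: a small Node script that reads a Chrome extension manifest (MV2 or MV3), rates its host access with "high" for http://*/* or https://*/* and "critical" for <all_urls> exactly as the post reports, and prints the extension's effective content security policy so the reader can see that a manifest without a CSP gets Chrome's default `script-src 'self'; object-src 'self'`. The "low"/"none" buckets, the CSP check for non-'self' script sources, and the three sample manifests are assumptions constructed for this example.

```javascript
// Added example, not CRXcavator's own scoring. Only the "high" tier for
// http://*/* or https://*/* and the "critical" tier for <all_urls> come from
// the post above; the other buckets, the CSP check and the sample manifests
// are assumptions made for this illustration.

const RANK = { none: 0, low: 1, high: 2, critical: 3 };

// Chrome's default extension-page CSP when the manifest sets none.
const DEFAULT_CSP = "script-src 'self'; object-src 'self'";

// Close-enough test for a Chrome match pattern: <all_urls> or
// scheme://host/path with a scheme Chrome accepts for extensions.
function isMatchPattern(value) {
  return typeof value === "string" &&
    (value === "<all_urls>" || /^(\*|https?|file|ftp):\/\/[^/]+\/.*$/.test(value));
}

// Every pattern that gives the extension access to web origins. MV2 keeps host
// patterns inside "permissions", MV3 moves them to "host_permissions"; content
// script "matches" count too, because injected scripts read those pages.
function hostPatterns(manifest) {
  const fromPermissions = manifest.manifest_version === 3
    ? manifest.host_permissions || []
    : manifest.permissions || [];
  const fromContentScripts = (manifest.content_scripts || [])
    .flatMap((cs) => cs.matches || []);
  return [...new Set([...fromPermissions, ...fromContentScripts])].filter(isMatchPattern);
}

function rateHostPattern(pattern) {
  if (pattern === "<all_urls>") return "critical";          // tier from the post
  if (/^(\*|https?):\/\/\*\/\*$/.test(pattern)) return "high"; // tier from the post
  return "low"; // assumption: single hosts or subdomain wildcards
}

// Worst rating across all host patterns; "none" when there are no patterns.
function rateHostAccess(manifest) {
  return hostPatterns(manifest)
    .map(rateHostPattern)
    .reduce((worst, r) => (RANK[r] > RANK[worst] ? r : worst), "none");
}

// MV2 stores the CSP as a string, MV3 as { extension_pages: "..." }.
function effectiveCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") return csp;
  if (csp && typeof csp.extension_pages === "string") return csp.extension_pages;
  return DEFAULT_CSP;
}

// script-src sources other than 'self': remote origins (MV2 allowed https://
// allow-lists) or 'unsafe-eval' let the extension run code it did not ship.
function cspFindings(csp) {
  const directives = Object.fromEntries(
    csp.split(";").map((d) => d.trim()).filter(Boolean)
      .map((d) => { const [name, ...sources] = d.split(/\s+/); return [name, sources]; })
  );
  return (directives["script-src"] || []).filter((s) => s !== "'self'");
}

function analyze(manifest) {
  const csp = effectiveCsp(manifest);
  return {
    name: manifest.name,
    hostPatterns: hostPatterns(manifest),
    hostRating: rateHostAccess(manifest),
    csp,
    cspIsDefault: csp === DEFAULT_CSP,
    extraScriptSources: cspFindings(csp),
  };
}

// Constructed sample manifests (not real extensions).
const SAMPLE_MANIFESTS = [
  { manifest_version: 3, name: "Reader Mode", permissions: ["scripting"],
    host_permissions: ["<all_urls>"] },
  { manifest_version: 2, name: "Site Helper", permissions: ["storage", "https://*/*"],
    content_scripts: [{ matches: ["https://*.example.com/*"], js: ["cs.js"] }],
    content_security_policy: "script-src 'self' https://cdn.example.com; object-src 'self'" },
  { manifest_version: 3, name: "Tiny Notes", permissions: ["storage"],
    host_permissions: ["https://notes.example.com/*"] },
];

for (const report of SAMPLE_MANIFESTS.map(analyze)) {
  console.log(`${report.name}: host access ${report.hostRating}` +
    ` (${report.hostPatterns.join(", ") || "no host patterns"});` +
    ` CSP ${report.cspIsDefault ? "default" : "custom"}` +
    (report.extraScriptSources.length
      ? `, script-src also allows ${report.extraScriptSources.join(" ")}`
      : ""));
}
```

Run it with `node rate-manifest.js` (file name assumed); to rate a real extension, unzip its CRX, `JSON.parse` the `manifest.json` and pass it to `analyze`. The point the script makes concrete: the default CSP contains nothing but 'self', so a risk score that penalises it is scoring the absence of a custom policy, not a weakness in it, while a custom MV2 policy that adds a remote origin to `script-src` is the case worth flagging.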

Is Your Browser Extension a Botnet Backdoor? – Krebs on Security

Is Your Browser Extension a Botnet Backdoor? - A company that rents out access to more than 10 million Web browsers so that clients can hide their ... https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/ #vladimirm.fomenko #chromeextensions #chrome-stats.com #alittlesunshine #thecomingstorm #crxcavator.io #ciscosystems #extendbalanc #haonguyen #ininjavpn #modheader #infatica #luminati #holavpn

CRXcavator – Assessing the risk score of the Chrome extensions you love

I have a small question for you. How do you know whether a Chrome extension can be trusted? … Hard to tell, isn't it? Most people rely on …