0x01 About
編寫過 Chrome 擴展的開發人員都應該清楚在 crx 後綴的包中, manifest.json 配置清單文件提供了這個擴展的重要信息,crx 後綴文件可以直接使用 unzip 解壓,Windows 下的安裝後解壓的路徑在:C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions ,MacOS 在:cd ~/Library/Application\ Support/Google/Chrome/Default/Extensions ,其中 manifest.json 的樣例:
Default
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
0.7.0_0 cat manifest.json
{
"background": {
"scripts": [ "background.js" ]
},
"content_scripts": [ {
"all_frames": true,
"js": [ "content.js" ],
"matches": [ "http://*/*", "https://*/*", "ftp://*/*", "file:///*" ],
"run_at": "document_end"
} ],
"description": "Validates and makes JSON documents easy to read. Open source.",
"homepage_url": "https://github.com/teocci/JSONView-for-Chrome",
"icons": {
"128": "assets/images/jsonview128.png",
"16": "assets/images/jsonview16.png",
"48": "assets/images/jsonview48.png"
},
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApA/pG/flimvWWAeUelHGaQ+IJajQm01JkfK0EYOJPyfsdTkHLwD3Aw16N3zuFkmwz09DcGDT+ehww7GSpW7RpbX5kHrovsqyHXtwt+a2Sp8bYFFdpRPj3+HG6366kNkwttDHMtsDkwuKaBtrQofQe5Ud9mKu9h1FDPwc2Qql9vNtvOqKFhV+EOD0vD2QlliB6sKCteu4nYBlFEkh6pYWRaXdAYSKYdE1SYIuQzE3dk11+KCaAC1T6GffL3sia8n5brVX7Qd+XtXyBzuM54w5e3STwK7uLMhLGDIzHoTcldzWUUflfwuI86VQIFBxPbvXJKqFFFno+ZHs/S+Ra2SPmQIDAQAB",
"manifest_version": 2,
"minimum_chrome_version": "21",
"name": "JSON Viewer",
"permissions": [ "clipboardWrite", "http://*/", "contextMenus", "https://*/", "ftp://*/" ],
"short_name": "JSONViewer",
"update_url": "https://clients2.google.com/service/update2/crx",
"version": "0.7.0",
"web_accessible_resources": [ "assets/options.html", "assets/csseditor.html", "assets/css/jsonview.css", "assets/css/jsonview-core.css", "assets/css/content_error.css", "assets/images/options.png", "assets/images/close_icon.gif", "assets/images/error.gif" ]
}
可以看到關於這個擴展的 content_scripts, desc, homepage, icons 等等配置信息,其中 manifest_version 字段標明現在的 rule 爲 2.0 版本,在 2012 年 Chrome 便將 1.0 manifest.json 配置版本的擴展禁止新建在應用市場中,但允許更新,直到 2014 年徹底禁用所有的 version 1.0 版本擴展/應用並更新至 2.0,其中一大部分原因是由於新版規則上安全性的提升。
0x02 Manifest
2.0 中關於 CSP 的強制應用,要求開發者配置 content_security_policy ,如果未設置的話則使用 Chrome 的默認 manifest csp 規則;
不同於老版本的規則,crx 下的資源文件不再是默認可用(直接訪問)的圖像、資源、腳本。如果想讓網站能夠加載其資源就必須配置 web_accessible_resources 清單;
刪除 chrome.self API ,使用 chrome.extension 替代;
…
0x03 script <–> onload / onerror
在多年前的 ChromeExtensions 探測中我們可以直接探測靜態資源文件來判斷是否存在,在上面的更新變動中可以看到,如果訪問資源則必須在 web_accessible_resources 中聲明 LIST (可以使用通配符),拿 json-view 舉例:
Default
1
"web_accessible_resources": [ "assets/options.html", "assets/csseditor.html", "assets/css/jsonview.css", "assets/css/jsonview-core.css", "assets/css/content_error.css", "assets/images/options.png", "assets/images/close_icon.gif", "assets/images/error.gif" ]
訪問他們資源的 URL 格式如下:
Default
1
'chrome-extension://' + id + web_accessible_resources
在測試的過程中我們發現大量的擴展禁止了 iframe 內嵌訪問,這裏我們可以使用 script 加載頁面的差異化來判斷是否存在文件:
Default
1
<script src="chrome-extension://aimiinbnnkboelefkjlenlgimcabobli/assets/options.html" onerror="alert(':(')"></script>
0x04 Chrome Extensions Spider
我們編寫了爬蟲獲取整個谷歌商店中的擴展應用(id, name, starts, users, category, url),分類如下:
Default
1
2
3
4
5
6
7
8
9
10
11
12
'ext/10-blogging',
'ext/15-by-google',
'ext/12-shopping',
'ext/11-web-development',
'ext/1-communication',
'ext/7-productivity',
'ext/38-search-tools',
'ext/13-sports',
'ext/22-accessibility',
'ext/6-news',
'ext/14-fun',
'ext/28-photos'
截至 2017年初 谷歌商店擴展應用總數量爲 42658 ,我們將這些 crx 全部進行下載分析其 manifest.json 的編寫規則,發現 12032 個擴展可以探測,在之後的實際測試過程中也發現探測應用的成功率爲 1/3 ~ 1/4 ,比較客觀,保存的 JSON 格式如下:
Default
1
2
3
4
5
{"web_accessible_resources": ["19.png", "48.png", "i/4000.png"], "name": "Facepad for Facebook\u2122", "stars": 497, "id": "cgaknhmchnjaphondjciheacngggiclo", "url": "https://chrome.google.com/webstore/detail/facepad-for-facebook/cgaknhmchnjaphondjciheacngggiclo", "category": "ext/10-blogging", "users": "11,686"},
{"web_accessible_resources": ["reload.js"], "name": "Refresh for Twitter", "stars": 184, "id": "hdpiilkeoldobfomlhipnnfanmgfllmp", "url": "https://chrome.google.com/webstore/detail/refresh-for-twitter/hdpiilkeoldobfomlhipnnfanmgfllmp", "category": "ext/10-blogging", "users": "31,796"},
{"web_accessible_resources": ["main.css", "lstr.js", "script.js", "images/close.png", "images/back.png", "images/icon19.png", "images/play.png", "images/stop.png", "images/prev.png", "images/down.png", "images/next.png", "images/delete.png", "classes/GIFWorker.js"], "name": "MakeGIF Video Capture", "stars": 309, "id": "cnhdjbfjheoohmhpakglckehdcgfffbl", "url": "https://chrome.google.com/webstore/detail/makegif-video-capture/cnhdjbfjheoohmhpakglckehdcgfffbl", "category": "ext/10-blogging", "users": "55,360"},
{"web_accessible_resources": ["js/move.js"], "name": "Postagens Megafilmes 2.1", "stars": 0, "id": "ekennogbnkdbgejohplipgcneekoaanp", "url": "https://chrome.google.com/webstore/detail/postagens-megafilmes-21/ekennogbnkdbgejohplipgcneekoaanp", "category": "ext/10-blogging", "users": "2,408"},
...
0x05 ProbeJS
通過編寫腳本可以加載並探測本地擴展是否存在,雖然需要觸發大量的請求來探測,但由於是訪問本地資源其速度仍然可以接受,我們過濾出 users 1000 以上的擴展來進行篩選探測( testing 函數動態創建並刪除不成功的 dom 探測節點):
Default
1
2
3
4
5
6
7
8
9
10
11
12
13
14
http://server.n0tr00t.com/chrome/ext_probe.html
...
// json data parse
$.get("ext1000up.json" + "?_=" + new Date().valueOf(), function(ext){
for (let n in ext.data) {
var id = ext.data[n].id;
var name = ext.data[n].name;
var war = ext.data[n].web_accessible_resources;
var curl = ext.data[n].url;
testing(id, name, war, curl);
}
$('#loading').remove();
})
...