Published on March 8th, 2012
XSS ChEF – Chrome Extension Exploitation Framework
This is a Chrome Extension Exploitation Framework - think BeEF for Chrome extensions. Whenever you encounter an XSS vulnerability in a Chrome extension, ChEF will ease the exploitation.
What can you actually do (given the appropriate permissions)?
Monitor open tabs of victims
Execute JS on every tab (global XSS)
Extract HTML, read/write cookies (also httpOnly), localStorage
Get and manipulate browser history
Stay persistent until the whole browser is closed (or even further if you can persist in the extension's localStorage)
Take a screenshot of the victim's window
Further exploit e.g. via attaching BeEF hooks, keyloggers etc.
Explore filesystem through file:// protocol
Bypass the Chrome extension content script sandbox to interact directly with page JS
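Each capability above depends on what the vulnerable extension's manifest requests, so a manifest review shows how much an XSS in that extension would expose. The following is an added example, not part of ChEF or the original page: the function name, the sample manifest and the permission-to-capability mapping are assumptions based on Chrome's documented extension APIs.

```javascript
// Added example: permission-to-capability mapping assumed from Chrome's
// documented extension APIs; auditManifest and SAMPLE_MANIFEST are hypothetical.
const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function auditManifest(manifest) {
  // Manifest V3 moves host patterns to host_permissions; V2 mixes them in.
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const has = (p) => perms.includes(p);
  const findings = [];
  const flag = (id, risk) => findings.push({ id, risk });

  if (has("tabs")) flag("tabs", "URLs and titles of open tabs are readable");
  if (perms.some((p) => BROAD_HOSTS.includes(p)))
    flag("hosts", "script injection into every matching page");
  if (has("cookies")) flag("cookies", "cookies API on permitted hosts, httpOnly included");
  if (has("history")) flag("history", "browsing history can be read and modified");
  if (has("<all_urls>")) flag("capture", "visible tab can be captured as an image");
  // "*://*/*" does not cover file:; the user must also allow file URL access.
  if (has("<all_urls>") || perms.some((p) => p.startsWith("file://")))
    flag("file", "file:// pages are within host permissions");

  // CSP is a string in V2 and an object keyed by extension_pages in V3.
  let csp = manifest.content_security_policy;
  if (csp && typeof csp === "object") csp = csp.extension_pages;
  if (typeof csp === "string" && csp.includes("'unsafe-eval'"))
    flag("csp", "CSP allows eval(), which makes injected strings executable");
  else if (!csp && (manifest.manifest_version || 1) < 2)
    flag("csp", "legacy manifest: no default CSP applies");
  return findings;
}

// Constructed sample manifest (not taken from any real extension).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "constructed-sample",
  permissions: ["tabs", "cookies", "history", "<all_urls>"],
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};

for (const f of auditManifest(SAMPLE_MANIFEST)) console.log(`[${f.id}] ${f.risk}`);
```

An extension that requests none of these permissions returns an empty list, which is the least-privilege target for extension authors.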
See https://youtu.be/KmIG2EKLP2M for a demonstration video.
BeEF hooking: https://youtu.be/uonVWh0QO1A
Download and more info: https://github.com