News

Published on March 8th, 2012 📆 | 8032 Views ⚑

0

XSS ChEF – Chrome Extension Exploitation Framework

Text to Speech
This is a Chrome Extension Exploitation Framework - think BeEF for Chrome extensions. Whenever you encounter a XSS vulnerability in Chrome extension, ChEF will ease the exploitation.

What can you actually do (when having appropriate permissions)?

Monitor open tabs of victims
Execute JS on every tab (global XSS)
Extract HTML, read/write cookies (also httpOnly), localStorage
Get and manipulate browser history
Stay persistent until whole browser is closed (or even futher if you can persist in extensions' localStorage)
Make screenshot of victims window
Further exploit e.g. via attaching BeEF hooks, keyloggers etc.
Explore filesystem through file:// protocol
Bypass Chrome extensions content script sandbox to interact directly with page JS

Demo:
See https://youtu.be/KmIG2EKLP2M for a demonstrational video.
BeEF hooking: https://youtu.be/uonVWh0QO1A

Download and more info: https://github.com

Tagged with: chrome • exploitation • extension • framework

Comments are closed.

🌟 Your Account

Username/Email Password
Remember Me
Register
🔔 Email Subscriptions

Get new posts by email
- Donate Via Wallets
  MetaMask
  
  Trust Wallet
  
  Binance Wallet
  
  WalletConnect
Popular
- New Emerging APT Threat Exploiting WinRAR Flaw by Admin November 16, 2023 Nov 16, 2023NewsroomAdvanced Persistent Threat / Zero-Day A hacking group… (8)
- CISA Has a New Road Map for Handling Weaponized AI by Admin November 15, 2023 Last month, a 120-page United States executive order laid out… (7)
- WordPress UserPro 5.1.x Password Reset /… by Admin November 22, 2023 Vulnerability Details & Technical AnalysisPassword Reset to Privilege Escalation using… (6)
- Red Hat Security Advisory 2023-7667-03 – Torchsec by Admin December 8, 2023 The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7667.jsonRed Hat officially shut… (5)
Gloss
- Washington Times News Today on Iranian Hackers Launches Destructive Cyberattacks on Israeli Tech and Education Sectors
- Lucas Herry on This Is the Ops Manual for the Most Tech-Savvy Animal Liberation Group in the US
- 126rt.com on Iranian Hackers Launches Destructive Cyberattacks on Israeli Tech and Education Sectors
- robwks on Ubuntu Security Notice USN-6423-2 – Torchsec
- julidyt on ChurchCRM 4.5.4 SQL Injection – Torchsec
- julinpk on Red Hat Security Advisory 2023-5714-01 – Torchsec
- julihnu on A New Protocol Vulnerability Will Haunt the Web for Years
- irinhha on A New Protocol Vulnerability Will Haunt the Web for Years
- irintti on A New Protocol Vulnerability Will Haunt the Web for Years
- irinkum on A New Protocol Vulnerability Will Haunt the Web for Years
☕️Social Media

Torchsec

Tweets by Torch_sec
👥Members

Newest | Active | Popular
- Sherlene Dettmann
  
  registered 22 hours, 54 minutes ago
- Latoya Ludwig
  
  registered 1 day, 4 hours ago
- Lenard Pedersen
  
  registered 1 day, 4 hours ago
- Emory Nowacki
  
  registered 1 day, 21 hours ago
- Mari Rede
  
  registered 1 day, 21 hours ago
🌍 Forum Groups

Newest | Active | Popular | Alphabetical
- Help Me !!
  
  active 22 hours, 54 minutes ago
- Comments & Suggestions
  
  active 22 hours, 54 minutes ago
- Pentest Tools
  
  active 22 hours, 54 minutes ago
- Programming & coding
  
  active 22 hours, 54 minutes ago
- General Talk
  
  active 22 hours, 54 minutes ago
linktr.ee/obewyn

We share and comment on interesting infosec related news, tools and more. Follow us on RSS ,Facebook or Twitter for the latest updates. Torchsec is designed to help Auditors, Pentesters & Security Experts to keep their ethical hacking oriented toolbox up-to-date .
This website is made for educational and ethical testing purposes only。It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this website.

Archives

© Torchsec Privacy Policy Disclaimer T&C

Back to Top ↑