An Empirical Study of JavaScript Inclusion Security Issues in Chrome Extensions
- URL: http://arxiv.org/abs/2505.19456v1
- Date: Mon, 26 May 2025 03:22:37 GMT
- Title: An Empirical Study of JavaScript Inclusion Security Issues in Chrome Extensions
- Authors: Chong Guan,
- Abstract summary: The analysis of 36,324 Chrome extensions revealed 350,784 JavaScript inclusions. Although the majority of these inclusions originate from local files within the extensions, 22 instances of vulnerable remote JavaScript inclusions were identified. These remote inclusions present potential avenues for malicious actors to execute arbitrary code within the extension's execution context.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: JavaScript, a scripting language employed to augment the capabilities of web browsers within web pages or browser extensions, utilizes code segments termed JavaScript inclusions. While the security aspects of JavaScript inclusions in web pages have undergone substantial scrutiny, a thorough investigation into the security of such inclusions within browser extensions remains absent, despite the divergent security paradigms governing these environments. This study presents a systematic measurement of JavaScript inclusions in Chrome extensions, employing a hybrid methodology encompassing static and dynamic analysis to identify these inclusions. The analysis of 36,324 extensions revealed 350,784 JavaScript inclusions. Subsequent security assessment indicated that, although the majority of these inclusions originate from local files within the extensions rather than external servers, 22 instances of vulnerable remote JavaScript inclusions were identified. These remote inclusions present potential avenues for malicious actors to execute arbitrary code within the extension's execution context. Furthermore, an analysis of JavaScript library utilization within Chrome extensions disclosed the prevalent use of susceptible and outdated libraries, notably within numerous widely adopted extensions.
Related papers
- OpenAgentSafety: A Comprehensive Framework for Evaluating Real-World AI Agent Safety
We introduce OpenAgentSafety, a comprehensive framework for evaluating agent behavior across eight critical risk categories. Unlike prior work, our framework evaluates agents that interact with real tools, including web browsers, code execution environments, file systems, bash shells, and messaging platforms. It combines rule-based analysis with LLM-as-judge assessments to detect both overt and subtle unsafe behaviors.
arXiv Detail & Related papers (2025-07-08T16:18:54Z)
- VPI-Bench: Visual Prompt Injection Attacks for Computer-Use Agents
Computer-Use Agents (CUAs) with full system access pose significant security and privacy risks. We investigate Visual Prompt Injection (VPI) attacks, where malicious instructions are visually embedded within rendered user interfaces. Our empirical study shows that current CUAs and BUAs can be deceived at rates of up to 51% and 100%, respectively, on certain platforms.
arXiv Detail & Related papers (2025-06-03T05:21:50Z)
- JavaSith: A Client-Side Framework for Analyzing Potentially Malicious Extensions in Browsers, VS Code, and NPM Packages
JavaSith is a novel framework for analyzing potentially malicious extensions in web browsers, Visual Studio Code (VSCode), and Node's NPM packages. We present the design and architecture of JavaSith, including techniques for intercepting extension behavior over simulated time. We demonstrate how JavaSith can catch stealthy malicious behaviors that evade traditional detection.
arXiv Detail & Related papers (2025-05-27T14:40:25Z)
- Browser Security Posture Analysis: A Client-Side Security Assessment Framework
This paper presents a browser-based client-side security assessment toolkit that runs entirely in JavaScript and WebAssembly within the browser. It performs a battery of over 120 in-browser security tests in situ, providing fine-grained diagnostics of security policies and features that network-level or os-level tools cannot observe. We discuss the security and privacy implications of our findings, compare with related work in browser security and enterprise endpoint solutions, and outline future enhancements such as real-time posture monitoring and SIEM integration.
arXiv Detail & Related papers (2025-05-12T20:38:19Z)
- A Study on Malicious Browser Extensions in 2025
This paper examines the evolving threat landscape of malicious browser extensions in 2025, focusing on Mozilla Firefox and Chrome. Our research successfully bypassed security mechanisms of Firefox and Chrome, demonstrating that malicious extensions can still be developed, published, and executed within the Mozilla Add-ons Store and Chrome Web Store.
arXiv Detail & Related papers (2025-03-06T10:24:27Z)
- Fakeium: A Dynamic Execution Environment for JavaScript Program Analysis
Fakeium is a novel, open source, and lightweight execution environment designed for efficient, large-scale dynamic analysis of JavaScript programs.
Fakeium complements traditional static analysis by providing additional API calls and string literals.
Fakeium's flexibility and ability to detect hidden API calls, especially in obfuscated sources, highlights its potential as a valuable tool for security analysts to detect malicious behavior.
arXiv Detail & Related papers (2024-10-28T09:27:26Z)
- Dissecting Adversarial Robustness of Multimodal LM Agents
We manually create 200 targeted adversarial tasks and evaluation scripts in a realistic threat model on top of VisualWebArena. We find that we can successfully break latest agents that use black-box frontier LMs, including those that perform reflection and tree search. We also use ARE to rigorously evaluate how the robustness changes as new components are added.
arXiv Detail & Related papers (2024-06-18T17:32:48Z)
- Did I Vet You Before? Assessing the Chrome Web Store Vetting Process through Browser Extension Similarity
We characterize the prevalence of malware and other infringing extensions in the Chrome Web Store (CWS), the largest distribution platform for this type of software.
Our study reveals significant gaps in the CWS vetting process, as 86% of infringing extensions are extremely similar to previously vetted items.
Our study also reveals that only 1% of malware extensions flagged by the CWS are detected as malicious by anti-malware engines.
arXiv Detail & Related papers (2024-06-01T09:17:01Z)
- FV8: A Forced Execution JavaScript Engine for Detecting Evasive Techniques
FV8 is a modified V8 JavaScript engine designed to identify evasion techniques in JavaScript code.
It selectively enforces code execution on APIs that conditionally inject dynamic code.
It identifies 1,443 npm packages and 164 (82%) extensions containing at least one type of evasion.
arXiv Detail & Related papers (2024-05-21T19:54:19Z)
- Manifest V3 Unveiled: Navigating the New Era of Browser Extensions
In 2020, Google announced a shift in extension development with Manifest Version 3 (V3), aiming to replace the previous Version 2 (V2) by January 2023.
This paper presents a comprehensive analysis of the Manifest V3 ecosystem.
arXiv Detail & Related papers (2024-04-12T08:09:26Z)
- Static Semantics Reconstruction for Enhancing JavaScript-WebAssembly Multilingual Malware Detection
WebAssembly allows attackers to hide the malicious functionalities of JavaScript malware in cross-language interoperations.
The detection of JavaScript-WebAssembly multilingual malware (JWMM) is challenging due to the complex interoperations and semantic diversity between JavaScript and WebAssembly.
We present JWBinder, the first technique aimed at enhancing the static detection of JWMM.
arXiv Detail & Related papers (2023-10-26T10:59:45Z)
This list is automatically generated from the titles and abstracts of the papers in this site.