Damn Vulnerable Browser Extension (DVBE), previously named Badly Coded Browser Extension (BCBE), is an open-source Chrome extension created to raise awareness among developers and security professionals of the security challenges posed by browser extensions. It is a vulnerable note-taking extension. DVBE will help you understand the file structure of extensions, the vulnerabilities that are found in browser extensions, and how to find these vulnerabilities. This open-source tool was presented at BlackHat Middle East & Africa in 2023 on the Arsenal Stage.
It is really easy to use this extension on your browser. Just follow the steps below:
- Download the extension
- In Chrome Browser, go to chrome://extensions
- Turn on Developer Mode
- Click on Load Unpacked and load the extension
DVBE includes the following files and folders:
- manifest.json
- popup.js
- popup.html
- popup.css
- Jquery
- Icons
Together, these files hold the extension's permissions, its description and version, and the logic that runs the extension.
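As an added example (not DVBE's own code), the JavaScript below shows the kind of review the manifest supports: it takes the parsed contents of a manifest.json and flags broad host access, sensitive API permissions and a weakened content security policy. The sample manifest and the rule lists are constructed for illustration and do not reflect DVBE's actual manifest.

```javascript
// Added example: review a parsed manifest.json. The rule lists are an illustrative subset.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const SENSITIVE_PERMISSIONS = new Set([
  "tabs", "cookies", "history", "webRequest", "downloads",
  "clipboardRead", "nativeMessaging", "debugger", "management",
]);

function auditManifest(manifest) {
  const findings = [];
  const add = (field, value, reason) => findings.push({ field, value, reason });
  const mv = manifest.manifest_version;
  if (mv !== 3) add("manifest_version", String(mv), "not Manifest V3");

  // MV2 lists host match patterns in "permissions"; MV3 moves them to "host_permissions".
  const grants = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of grants) {
    if (BROAD_HOSTS.has(p)) add("permissions", p, "host access to every site");
    else if (SENSITIVE_PERMISSIONS.has(p)) add("permissions", p, "sensitive API permission");
  }

  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) add("content_scripts", m, "content script injected into every page");
    }
  }

  // The CSP is a string in MV2 and an object with "extension_pages" in MV3.
  const csp = manifest.content_security_policy;
  const policy = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  for (const token of ["'unsafe-eval'", "'unsafe-inline'"]) {
    if (policy.includes(token)) add("content_security_policy", token, "weakens script restrictions");
  }
  return findings;
}

// Constructed sample manifest (not DVBE's real manifest.json).
const sampleManifest = {
  manifest_version: 2,
  name: "Sample Notes",
  version: "1.0",
  permissions: ["storage", "tabs", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};

for (const f of auditManifest(sampleManifest)) {
  console.log(`${f.field}: ${f.value} (${f.reason})`);
}
```

To review a real extension, pass `auditManifest` the result of `JSON.parse` on the contents of its manifest.json.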
- https://courses.csail.mit.edu/6.857/2019/project/6-Li-Rosales-Yang.pdf
- https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/38394.pdf
- https://developer.chrome.com/docs/extensions/mv3/security/
- https://arxiv.org/ftp/arxiv/papers/1403/1403.3235.pdf
If the extension does not load, look for errors in chrome://extensions
This tool is created purely for learning and educational purposes. I will not be responsible for any harmful actions.
- Shoutout to all the amazing researchers who have worked on browser extension security previously
Please feel free to contribute to the tool. The write-up for the tool will be published once the tool is released publicly.