Episode 95: In this episode of Critical Thinking - Bug Bounty Podcast In this episode, Justin is joined by MatanBer to delve into the intricacies of browser extensions. We talk about the structure and threat models, and cover things like service workers, extension pages, and isolated worlds.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Sponsor - AssetNote. Listen to their podcast https://www.criticalthinkingpodcast.io/sspod
Today’s Guest: https://x.com/MtnBer
Resources
Universal Code Execution by Chaining Messages in Browser Extensions
https://spaceraccoon.dev/universal-code-execution-browser-extensions/
DOMLogger++
https://github.com/kevin-mizu/domloggerpp
BBRE Metamask bug
https://youtu.be/HnI0w156rtw?si=QixP8SX6JuRFz6PA
Bench Press: Leaking Text Nodes with CSS
https://blog.pspaul.de/posts/bench-press-leaking-text-nodes-with-css/
Timestamps:
(00:00:00) Introduction
(00:03:08) Structure & Threat Model for Browser Extension
(00:28:28) Extension Attack scenarios
(01:01:26) Attacking Extension Pages
(01:26:35) Attacking Service Workers
(01:46:23) Getting source code and dynamic debugging