[tools] XSS ChEF - Chrome Extension Exploitation Framework

Another interesting tool was drawn to my attention yesterday - Chrome Extension Exploitation Framework, or XSS ChEF, which exploits XSS vulnerabilities in Chrome extensions. What you can actually do with this tool (when you have appropriate privileges):

 - Monitor open tabs of victims
 - Execute JS on every tab (global XSS)
 - Extract HTML, read/write cookies (also httpOnly), localStorage
 - Get and manipulate browser history
 - Stay persistent until the whole browser is closed (or even further if you can persist in the extension's localStorage)
 - Take a screenshot of the victim's window
 - Further exploit e.g. via attaching BeEF hooks, keyloggers etc.
 - Explore filesystem through file:// protocol
 - Bypass the Chrome extension content script sandbox to interact directly with page JS
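
Seen from the defender's side, the list above depends on what the vulnerable extension is allowed to do. The following added example (not from the original post or the XSS ChEF project) audits an extension manifest for the permissions that would hand those capabilities to an XSS in that extension; the permission-to-capability mapping and the sample manifest are assumptions constructed for illustration.

```javascript
// Added example: which capabilities would an XSS inside an extension inherit?
// The permission-to-capability mapping is this example's own summary.
const RISK_BY_PERMISSION = new Map([
  ["tabs", "monitor open tabs"],
  ["cookies", "read/write cookies, including httpOnly"],
  ["history", "read and manipulate browser history"],
]);

function auditManifest(manifest) {
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []), // Manifest V3 lists hosts separately
  ].filter((p) => typeof p === "string");
  const findings = new Set();
  for (const p of perms) {
    if (RISK_BY_PERMISSION.has(p)) findings.add(RISK_BY_PERMISSION.get(p));
    // Host patterns that cover every web origin.
    if (p === "<all_urls>" || p === "*://*/*") {
      findings.add("execute JS on every tab (global XSS)");
    }
    // captureVisibleTab needs <all_urls> (or activeTab after a user gesture).
    if (p === "<all_urls>") findings.add("make screenshots of the visible tab");
    // <all_urls> also matches the file scheme.
    if (p === "<all_urls>" || p.startsWith("file://")) {
      findings.add("read file:// URLs (if the user allows file access)");
    }
  }
  // Manifest V2 uses a string CSP, Manifest V3 an object with extension_pages.
  const csp = manifest.content_security_policy;
  const cspText = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  if (cspText.includes("'unsafe-eval'")) {
    findings.add("relaxed CSP ('unsafe-eval') on extension pages");
  }
  return [...findings].sort();
}

// Constructed sample manifest (not a real extension).
const sampleManifest = {
  manifest_version: 2,
  name: "constructed-sample",
  permissions: ["tabs", "cookies", "<all_urls>"],
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};

console.log(auditManifest(sampleManifest).join("\n"));
```

An extension whose audit comes back empty gives an injected script far less to work with, which is the practical argument for requesting the narrowest permissions an extension needs.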

More information about XSS ChEF @ : http://blog.kotowicz.net/2012/07/xss-chef-chrome-extension-exploitation.html

Download from github: https://github.com/koto/xsschef
