An Empirical Study of JavaScript Inclusion Security Issues in Chrome Extensions

Chong Guan

TL;DR

The paper addresses the security of JavaScript inclusions in Chrome extensions, an area less explored than web pages, by employing a hybrid static/dynamic analysis to systematically enumerate inclusions across a large extension corpus. It demonstrates that while most inclusions are local, a non-trivial set of remote inclusions pose arbitrary-code-execution risks, and that a substantial fraction of extensions rely on outdated or vulnerable libraries, notably jQuery. Key contributions include a measurement framework, a vulnerability taxonomy for remote inclusions, and library usage insights with concrete prevalence figures (e.g., 21.88% of extensions loading vulnerable libraries). The findings have practical implications for extension security auditing, developer guidance, and platform-level mitigations, and point to future work extending the approach to other browsers and addressing detection gaps in dynamic ContentScripts.

Abstract

JavaScript, a scripting language employed to augment the capabilities of web browsers within web pages or browser extensions, utilizes code segments termed JavaScript inclusions. While the security aspects of JavaScript inclusions in web pages have undergone substantial scrutiny, a thorough investigation into the security of such inclusions within browser extensions remains absent, despite the divergent security paradigms governing these environments. This study presents a systematic measurement of JavaScript inclusions in Chrome extensions, employing a hybrid methodology encompassing static and dynamic analysis to identify these inclusions. The analysis of 36,324 extensions revealed 350,784 JavaScript inclusions. Subsequent security assessment indicated that, although the majority of these inclusions originate from local files within the extensions rather than external servers, 22 instances of vulnerable remote JavaScript inclusions were identified. These remote inclusions present potential avenues for malicious actors to execute arbitrary code within the extension's execution context. Furthermore, an analysis of JavaScript library utilization within Chrome extensions disclosed the prevalent use of susceptible and outdated libraries, notably within numerous widely adopted extensions.

Paper Structure

This paper contains 22 sections, 5 figures, 5 tables.

Figures (5)

  • Figure 1: The Architecture of Chrome Extensions
  • Figure 2: The Count of Extensions with Different Attributes
  • Figure 3: JavaScript Inclusion Frequency in Dynamic and Static Methods
  • Figure 4: jQuery Version Distribution
  • Figure 5: The lag days of JavaScript Libraries in Chrome Extensions