[Wroclaw #6] Introduction to desktop browser add-ons
1. Introduction to desktop browser add-ons.
Explanation of the moderation process,
the most frequent attack vectors and good
practices for developers.
Wojtek Zieliński
7. Moderation process
1. Check metadata: summary, description, category,
service, support, source code, icons, screenshots, etc.
2. Acceptance criteria:
– Must perform as described
– Screenshots, description and category must match the add-on
– Private information
– No remote code execution
– No obfuscation
3. Code review
8. Moderation process / Static code review
New submissions and upgrades
Redundant files, permissions, comments
• Code performance
• Data theft
• Proposing fixes
• Bad programming techniques, attacks, malware code
• Cooperation with the developer
Additional testing
Automation
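As an added example of the "Automation" step (not the talk's own tooling, nor any add-on store's), the block below runs a few regex rules for the review concerns on this slide over a constructed sample extension. The rule set, the `reviewExtension` helper, the sample files and the manifest fields it inspects (`permissions`, `host_permissions`, `content_security_policy`) are assumptions for illustration; it also flags `new Function(...)` and runs of hex escapes, which go slightly beyond the slide's list. Hits are leads for the manual review described above, not verdicts.

```javascript
// Added example: a minimal static-review pass over extension sources.
// It is not the talk's or any add-on store's own tooling; the rules and the
// sample extension below are constructed for illustration.

// Each rule is a regex plus the review concern it maps to.
const RULES = [
  { id: 'eval',          re: /\beval\s*\(/,
    why: 'eval() on attacker-influenced text is code execution' },
  { id: 'new-function',  re: /\bnew\s+Function\s*\(/,
    why: 'Function constructor is eval() in disguise' },
  { id: 'string-timer',  re: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/,
    why: 'a string passed to setTimeout()/setInterval() is evaluated as code' },
  { id: 'html-sink',     re: /\.(?:innerHTML|outerHTML)\s*=|\binsertAdjacentHTML\s*\(|\bdocument\.write\s*\(/,
    why: 'HTML sink; untrusted data here is XSS' },
  { id: 'plain-http',    re: /\bhttp:\/\//,
    why: 'a plain-http resource can be swapped by a man-in-the-middle' },
  { id: 'hex-escapes',   re: /(?:\\x[0-9a-fA-F]{2}){4,}/,
    why: 'runs of hex escapes are a common sign of obfuscation' },
];

// Scan one JavaScript file line by line; returns one finding per rule hit.
function scanSource(file, text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const rule of RULES) {
      if (rule.re.test(line)) {
        findings.push({ file, line: i + 1, rule: rule.id, why: rule.why, snippet: line.trim() });
      }
    }
  });
  return findings;
}

// Manifest checks: over-broad host access and a CSP that re-enables eval().
// Assumes the manifest.json fields "permissions", "host_permissions" and
// "content_security_policy" (a string in MV2, an object in MV3).
function scanManifest(file, json) {
  let m;
  try {
    m = JSON.parse(json);
  } catch (e) {
    return [{ file, line: 0, rule: 'bad-json', why: e.message, snippet: '' }];
  }
  const findings = [];
  const perms = [].concat(m.permissions || [], m.host_permissions || []);
  for (const p of perms) {
    if (p === '<all_urls>' || /^\*:\/\/\*\//.test(p)) {
      findings.push({ file, line: 0, rule: 'broad-host-permission',
        why: 'extension can read and modify every site', snippet: p });
    }
  }
  const csp = m.content_security_policy;
  const cspText = typeof csp === 'string' ? csp : JSON.stringify(csp || '');
  if (/unsafe-eval/.test(cspText)) {
    findings.push({ file, line: 0, rule: 'csp-unsafe-eval',
      why: 'CSP allows eval() in extension pages', snippet: cspText });
  }
  return findings;
}

// Review a whole package given as { path: contents }.
function reviewExtension(files) {
  let all = [];
  for (const [name, text] of Object.entries(files)) {
    all = all.concat(name.endsWith('manifest.json') ? scanManifest(name, text) : scanSource(name, text));
  }
  return all;
}

// Constructed sample extension with one instance of each mistake.
const SAMPLE_EXTENSION = {
  'manifest.json': JSON.stringify({
    manifest_version: 2, name: 'demo', version: '1.0',
    permissions: ['storage', '<all_urls>'],
    content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
  }),
  'background.js': [
    "// constructed sample, deliberately bad",
    "const s = document.createElement('script');",
    "s.src = 'http://cdn.example/analytics.js';",
    "document.head.appendChild(s);",
    "chrome.runtime.onMessage.addListener((msg) => {",
    "  const data = eval('(' + msg.payload + ')');",
    "  setTimeout(\"refresh('\" + data.id + \"')\", 500);",
    "  document.body.innerHTML = '<b>' + data.title + '</b>';",
    "});",
  ].join('\n'),
};

// Stand-alone run: print findings in the shape of a review comment.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of reviewExtension(SAMPLE_EXTENSION)) {
    console.log(`${f.file}:${f.line} [${f.rule}] ${f.why}\n    ${f.snippet}`);
  }
}
```

Run with `node review.js` to see six findings for the sample: four in background.js (plain http script, eval, string timer, innerHTML) and two in the manifest (`<all_urls>`, `'unsafe-eval'`). A clean file that uses JSON.parse() and textContent produces none.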
9. Vulnerabilities in extensions
– External scripts loaded over http (man-in-the-middle)
– Parsing JSON using eval()
– Passing strings to setTimeout() and setInterval()
– Inserting untrusted data into event handlers
– Using innerHTML
– Bugs in third-party libraries (e.g. jQuery)
– A bunch of other XSS attacks
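The eval(), setTimeout()-string and innerHTML items above, shown as an added example (not code from the talk) with the vulnerable form next to its hardened replacement. The payloads, the `refresh` callback and the element stand-in are constructed for illustration. The hostile payload is a valid JavaScript expression but not valid JSON, which is exactly the gap eval() opens and JSON.parse() closes.

```javascript
// Added example (not from the talk): three of the slide's patterns, each with
// its hardened form. Payloads and helpers are constructed for illustration.

// --- 1. Parsing JSON with eval() ---
// A message a hostile web page could send to a content script. Constructed: it is
// a valid JS expression, so eval() runs the assignment, but it is not valid JSON.
const HOSTILE_PAYLOAD = '(globalThis.pwned = true, {"id": 1})';
const BENIGN_PAYLOAD = '{"id": 1, "title": "<b>hi</b>"}';

// Vulnerable: the pattern named on the slide. Whatever is in payload executes
// with the extension's privileges.
function parseMessageWithEval(payload) {
  return eval('(' + payload + ')');
}

// Hardened: JSON.parse() only accepts data, so the hostile payload is a
// SyntaxError. The shape check matters too, because JSON.parse() happily
// returns numbers, strings, arrays and null.
function parseMessage(payload) {
  try {
    const v = JSON.parse(payload);
    return v !== null && typeof v === 'object' && !Array.isArray(v) ? v : null;
  } catch (e) {
    return null;
  }
}

// --- 2. Strings passed to setTimeout()/setInterval() ---
// Vulnerable: builds the string a browser would eval() when the timer fires.
// An id such as "x'); stealCookies(); //" turns into code. The string is
// returned instead of scheduled so it can be inspected (Node rejects string
// callbacks; browsers do not).
function refreshTimerString(id) {
  return "refresh('" + id + "')";
}

// Hardened: a closure carries id as data, so its contents are never parsed.
// In the extension this is used as setTimeout(refreshTimerCallback(refresh, id), 500).
function refreshTimerCallback(refresh, id) {
  return () => refresh(id);
}

// --- 3. innerHTML with untrusted data ---
// Hardened: textContent never parses markup. `el` is a DOM element, or any
// object with a textContent property (a stand-in is used in the check below).
function renderTitle(el, title) {
  el.textContent = title;
  return el;
}

// When markup around the data is really needed, escape the data before it
// reaches innerHTML. Covers the characters that matter in text and in quoted
// attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}
```

The eval() case is the one worth running: after `parseMessageWithEval(HOSTILE_PAYLOAD)` the global `pwned` flag is set and a plausible-looking object is still returned, so nothing in the extension's own logic notices; `parseMessage` on the same input simply returns null.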