Webcrx
Overview
Webcrx is an awesome utility that allows you to install and test local CRX files in Chrome with permissions management.
Privacy Policy
The extension does not track or transfer any of your data.
Usage of the extension is not tracked.
The extension does not track any websites you visit or search.
No data is transferred to any third party.
All data is stored within your browser and stays within your browser.
Security Analysis — Webcrx
Package Contents 21 files · 580KB
What This Extension Does
Webcrx is an extension that allows users to install and test local CRX files in Chrome with permissions management. It solves the problem of easily installing local extensions while ensuring safety. This extension is suitable for developers who need to test their own extensions.
Permissions Explained
- alarms (expected): This permission allows the extension to schedule notifications and reminders.
  Technical: The 'alarms' API provides access to Chrome's notification system, allowing the extension to display alerts and reminders. This could be used for malicious purposes if an attacker were able to inject code into the extension.
- storage (expected): This permission allows the extension to store data locally on your device.
  Technical: The 'storage' API provides access to Chrome's local storage, allowing the extension to store and retrieve data. This could be used for malicious purposes if an attacker were able to inject code into the extension or steal stored credentials.
- unlimitedStorage (check this): This permission allows the extension to store large amounts of data locally on your device without any storage limits.
  Technical: The 'unlimitedStorage' API provides access to Chrome's local storage with no storage limits, allowing the extension to store and retrieve large amounts of data. This could be used for malicious purposes if an attacker were able to inject code into the extension or steal stored credentials.
- offscreen (expected): This permission allows the extension to create and control off-screen windows.
  Technical: The 'offscreen' API provides access to Chrome's ability to create and control off-screen windows, allowing the extension to display content without affecting the main browser window. This could be used for malicious purposes if an attacker were able to inject code into the extension or steal user data.
- scripting (expected): This permission allows the extension to execute scripts in the context of web pages.
  Technical: The 'scripting' API provides access to Chrome's ability to execute scripts in the context of web pages, allowing the extension to interact with web content. This could be used for malicious purposes if an attacker were able to inject code into the extension or steal user data.
- notifications (expected): This permission allows the extension to display notifications to the user.
  Technical: The 'notifications' API provides access to Chrome's notification system, allowing the extension to display alerts and reminders. This could be used for malicious purposes if an attacker were able to inject code into the extension or steal user data.
Your Data
Webcrx does not collect any user data, but it may store some data locally on your device. It makes requests to various domains for functionality and documentation purposes.
Technical Details
Code Findings
The extension uses the Function constructor to execute dynamic code, which could be used for malicious purposes if an attacker were able to inject code into the extension.
Technical: The extension uses the Function constructor to create new functions dynamically, allowing it to execute arbitrary code. This is a high-risk behavior that could be exploited by attackers.
💡 This pattern is commonly used in legitimate extensions for dynamic scripting and functionality.
The extension assigns innerHTML to an element, which could potentially be used as a cross-site scripting (XSS) attack vector if the content is not properly sanitized.
Technical: The extension uses innerHTML assignment to set the content of an element. If the content is not properly sanitized, this could allow an attacker to inject malicious code into the page.
💡 This pattern is commonly used in legitimate extensions for dynamic content rendering and updating.
The extension uses String.fromCharCode to obfuscate code, which could make it harder to analyze and understand the extension's behavior.
Technical: The extension uses String.fromCharCode to convert character codes into strings. This is often used for obfuscation or encoding purposes, making it harder to analyze the code.
💡 This pattern is commonly used in legitimate extensions for encoding or formatting data.
The extension makes XHR requests to various domains, which could be used for functionality and documentation purposes.
Technical: The extension uses the XMLHttpRequest object to make requests to the following domains: www.w3.org, github.com, vuejs.org, stuartk.com, raw.github.com, stuk.github.io, webcrx.io, developer.mozilla.org. This is a normal behavior for extensions that need to fetch data or resources.
💡 This pattern is commonly used in legitimate extensions for fetching data or resources from external domains.
The extension creates script elements dynamically, which could be used for malicious purposes if an attacker were able to inject code into the extension.
Technical: The extension uses document.createElement to create new script elements dynamically. This is a high-risk behavior that could be exploited by attackers.
💡 This pattern is commonly used in legitimate extensions for dynamic scripting and functionality.
The extension removes data from browser storage, which could be used to clear user data or prevent tracking.
Technical: The extension uses the chrome.storage API to remove data from local storage. This is a normal behavior for extensions that need to manage user data or preferences.
💡 This pattern is commonly used in legitimate extensions for managing user data or preferences.
The extension creates iframe elements dynamically, which could be used to inject malicious content into the page.
Technical: The extension uses document.createElement to create new iframe elements dynamically. This is a medium-risk behavior that could be exploited by attackers if not properly sanitized.
💡 This pattern is commonly used in legitimate extensions for dynamic content rendering and updating.
The extension uses postMessage to communicate with other domains, which could be used for functionality and documentation purposes.
Technical: The extension uses the window.postMessage method to send messages to other domains. This is a normal behavior for extensions that need to communicate with external domains.
💡 This pattern is commonly used in legitimate extensions for communicating with external domains or services.
The extension sets up event listeners to respond to user interactions, which could be used for functionality and documentation purposes.
Technical: The extension uses the addEventListener method to set up event listeners on various elements. This is a normal behavior for extensions that need to respond to user interactions.
💡 This pattern is commonly used in legitimate extensions for responding to user interactions or events.
Webcrx has some security concerns due to its use of dynamic code execution, potential XSS vectors, and obfuscation. However, it also uses normal behaviors like making XHR requests, creating script elements dynamically, removing data from browser storage, creating iframe elements, using postMessage for cross-origin communication, and setting up event listeners. Users should exercise caution when installing this extension and ensure they understand its behavior before granting permissions.