Vimal Jyothi Engineering College
Abusing Exploiting and
Pwning with Firefox Addons.
Firefox Add-on Structure
Firefox Add-on Security Model
Exploiting the Weakness
Proof of Concept.
Techniques used by attackers for Spreading the Add-on.
Firefox is an awesome Web Browser.
Second most used browser according to
Add-on makes it more awesome.
Firefox supports variety of languages for add-on
Internet Explorer 3
Browser Usage Statistics
Bare Minimum Requirements for a Firefox Add-on.
chrome.manifest: Register the location of
the contents with the Chrome engine.
overlay.xul: XML User Interface defines
install.rdf: Gives general information
about the add-on.
overlay.js: This file consists of the scripts
that runs in the browser engine.
Firefox Add-on Security Model
Absolutely no mechanisms to restrict the privileges of add-on.
Add-on code is fully trusted, not much security checks.
No restrictions on Inter Add-on Communication.
There is no sandboxing or isolation of the running codes.
No restrictions on malicious Cross Origin Resource Sharing.
Abuse “document.addEventListener();” = Keylogger
Abuse File I/O of XPConnect = Read from a confidential file, Run an executable
Hook scripts into Firefox Engine = Access to everything in the Webpages.
No restrictions of Add-on Privileges = Make changes to files, Grab session data.
Abuse XHR object = Exchange of commands/data between a victim and
By abusing CORS and WebSocket = DDoS
Platform independent Keylogger add-on.
It hooks into the browser interface and capture the keystrokes from
all the tabs and send it to a php script for processing.
Bypass anti-keyloggers like KeyScrambler and On Screen
Undetectable against Anti-Virus Solutions.
Executable Dropper & TCP Reverse Shell
We can embed and execute an EXE file from an add-on.
This add-on is embedded with an executable reverse shell.
Here we abuse the Process and Thread management features of
XPConnect to execute a reverse shell.
Later an attacker will listen to this reverse TCP connection and
execute system commands.
Most AV’s wont detect since the executable is packed inside the
Firefox is having a built-in Session Store feature that saves your
session data in a file named "sessionstore.js".
Stealing that file will steal the entire session.
Attacker can upload the “sessionstore.js” file to an FTP account.
AV’s won’t detect.
Linux Password Stealer
Abuse XPConnect and read the Linux Password files (passwd and shadow).
With XHR Object the content is send to the remote attacker.
AV’s Won’t detect.
Distributed Denial of Service
Abuse the CORS and WebSocket = DDoS
Firefox does not impart any restrictions on Cross Domain requests.
WebSocket --> numerous Socket connections.
XHR Object -->numerous GET requests with a fake parameter and random values.
'Access-Control-Allow-Origin' header bypassed.
Techniques Used By Attackers for Spreading
Crafted webpage with add-on installation as the
Cross Site Scripting
Never trsust 3rd party addons.
Update Firefox to latest stable build.
Keep a good and regularly updated Anti-Virus & Firewall solutions.
Keylogger Beater Add-on
Reverse and analyze the code.
Disable Session data storing in Firefox.
about:config => browser.sessionstore.resume_from_crash => false
Don’t run Firefox with root privilege.
Use a safe and configured proxy to block reverse TCP and FTP connections
The DDoS attempts can be effectively blocked by analyzing, restricting, and filtering COR's
Firefox is great platform with wonderful capabilities to start coding, same applies to
So i had demonstrated the weakness of Firefox Security Architecture with the POC Add-
AV's are helpless and Filters are Bypassed.
Now it's the part of AV's and Firefox Team to make your browsing environment more
There’s no such thing as a “safe system” – only safer systems.