
Right-click the "Add to Firefox" button and use "Save as...". This will get you an xpi file which you can unzip and inspect.

Many addons will use some packing method, bundle all kinds of stuff into their content scripts (jQuery, etc.). It can be hard to review.

Some addons are quite horrifying (you see stuff like `<span ...>${someText}</span>`) (missing escaping, etc.). I'm quite sure there are some content scripts out there that have XSS issues that can be triggered from the page itself. This is great on pages like github, where there's quanta of user controlled content.

So if you want a suggestion for a clever attack:

1] make an extension for facebook or twitter or github that reorganizes the wall somewhat and make a `mistake` like assigning some user controlled content via innerHTML. This will probably pass review.

2] Suggest your addon to your target.

3] Post your payload as a message/tweet/whatever to your target. Now you have extension assisted XSS.

Pretty easy to add XSS to any page, with plausible deniability.
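For anyone reviewing an unpacked xpi for the `<span ...>${someText}</span>` pattern mentioned above, this added example (not part of the original comment, and not code from any particular addon) puts the unescaped template beside a tagged-template version that escapes every interpolated value. The names `renderUnsafe`, `renderSafe`, `safeHtml`, `escapeHtml` and the sample message are assumptions made up for illustration.

```javascript
// Added example: helper names and the sample string are hypothetical.
// Runs in Node or in a content script; it needs no DOM.

// Characters that can change HTML parsing in text or quoted-attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Single-pass replace, so an already-produced "&amp;" is never escaped twice.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern from the comment: page-controlled text dropped into markup as-is.
// Whatever markup the page author wrote in someText survives into the output.
function renderUnsafe(someText) {
  return `<span class="msg">${someText}</span>`;
}

// Tagged template: the literal parts written by the addon author are kept,
// every interpolated value is escaped before it is joined in.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, part, i) =>
      out + part + (i < values.length ? escapeHtml(values[i]) : ""),
    ""
  );
}

// Same markup as renderUnsafe, plus a quoted attribute to show that the
// quote characters in the value cannot close the attribute.
function renderSafe(someText) {
  return safeHtml`<span class="msg" title="${someText}">${someText}</span>`;
}

// Constructed sample: a message body containing markup, quotes and "&".
const SAMPLE_MESSAGE = 'hi <b>there</b> "friend" & co';
```

When the value is only ever shown as text, assigning it with `element.textContent = someText` avoids HTML parsing altogether; the escaping helper is for cases where the markup really has to be built as a string.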



