[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Vulners Web Scanner

Version 3.0.1 View in Chrome Web Store

Last scanned: about 3 hours ago

Extension Details

Rating: 4.4 ★ (21 ratings)

Users: 9,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has a moderate user base of 9,000 users with a solid 4.4-star rating from 21 reviews, suggesting generally positive user experiences. However, the limited number of reviews relative to the user base raises some questions about user engagement. The extension appears to be a legitimate security tool for web vulnerability scanning, which would justify some of its extensive permissions.

Concerns:

The extension requests extremely broad permissions that create significant security risks. The combination of tabs, webRequest permissions, and universal host access (*://*/*) gives this extension unprecedented control over all web browsing activity. It can intercept, monitor, and potentially modify all web traffic across every website visited. While these permissions may be necessary for vulnerability scanning functionality, they also create substantial potential for abuse. The webRequest permission is particularly concerning as it allows complete interception of network communications, including sensitive data like login credentials and personal information.

Recommendations:

Given the high-risk nature of these permissions, install this extension only in a dedicated Chrome profile used specifically for security testing activities. Never use this profile for personal browsing, banking, or accessing sensitive accounts. Regularly review the extension's activity and remove it when not actively needed for security assessments. Consider whether the vulnerability scanning functionality justifies the extensive access to your browsing data.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webRequest

This extension has the webRequest permission. Can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

tabs
webRequest
storage

Host Permissions:

*://*/*

Embedded URLs (29 total):

https://fonts.googleapis.com	https://fonts.gstatic.com
https://fonts.googleapis.com/css2?family=IBM+Plex+Sans:wght@300&display=swap	https://fonts.googleapis.com/css?family=Roboto:300
https://vulners.com/api/v3/burp/rules/?utm_source=scanner&utm_medium=chromePlugin&utm_campaign=scan	https://vulners.com/api/v3/burp/software/?utm_source=scanner&utm_medium=chromePlugin&utm_campaign=scan
https://github.com/mozilla/webextension-polyfill/issues/130#issuecomment-484772327	https://vulners.com
http://127.0.0.1:9001	https://vulners.com/api/v3/apiKey/valid/
https://clients2.google.com/service/update2/crx	http://127.0.0.1:9001/
http://fb.me/use-check-prop-types	https://reactjs.org/docs/error-decoder.html?invariant=
http://www.w3.org/1999/xlink	http://www.w3.org/XML/1998/namespace
http://www.w3.org/1999/xhtml	http://www.w3.org/2000/svg
http://www.w3.org/1998/Math/MathML	https://reactjs.org/link/react-polyfills
https://github.com/mobxjs/mobx/blob/main/packages/mobx/src/errors.ts	https://material-ui.com/production-error/?code=
https://vulners.com?utm_source=scanner&utm_medium=chromePlugin&utm_campaign=scan	https://vulners.com/api-keys#web-extension
https://vulners.com/api-keys	https://vulners.com/
https://github.com/vulnersCom/detect-rules	https://docs.vulners.com
https://github.com/cssinjs/jss

Raw Manifest

{
  "name": "Vulners Web Scanner",
  "icons": {
    "16": "img/icon.png",
    "48": "img/icon.png",
    "128": "img/icon.png"
  },
  "action": {
    "default_icon": {
      "16": "img/icon.png",
      "24": "img/icon.png",
      "32": "img/icon.png"
    },
    "default_popup": "index.html",
    "default_title": "Vulners Web Scanner"
  },
  "author": "vulners.com",
  "version": "3.0.1",
  "background": {
    "service_worker": "background.js"
  },
  "short_name": "Vulners Web scanner",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Tiny vulnerability scanner based on vulners.com vulnerability database. Passively scan websites while you surf internet!",
  "permissions": [
    "tabs",
    "webRequest",
    "storage"
  ],
  "content_scripts": [
    {
      "js": [
        "utils.js",
        "content.js"
      ],
      "matches": [
        "http://*/*",
        "https://*/*"
      ]
    }
  ],
  "host_permissions": [
    "*://*/*"
  ],
  "manifest_version": 3,
  "externally_connectable": {
    "matches": [
      "https://*.vulners.com/*",
      "http://127.0.0.1:9001/*"
    ]
  }
}

by ✦ Astarte

Vulners Web Scanner

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (29 total):

Raw Manifest

Detections

Manifest Findings