ZAP by Checkmarx Browser Extension
Version 0.0.11 View in Chrome Web Store
Last scanned: 9 months ago
| force re-scan
Extension Details
Developer:
zaproxy.org
Rating:
4.6 ★
Size:
502KiB
Last Updated:
January 21, 2025
Users:
19
Context-Aware Verdict
This section provides a Claude-based AI analysis that applies additional context to the risk. Results are not guaranteed to be accurate.
HIGH
Overall Risk
Trust Factors:
- The extension is developed by zaproxy.org, which is a reputable organization in the cybersecurity community, known for their open-source web application security scanner.
- The extension has a relatively high rating of 4.6 stars, indicating positive user feedback.
- However, the extension has a relatively low number of users (19), which could be a concern.
Concerns:
- The extension requests broad host permissions (http://*/*, https://*/*), allowing it to access all websites. This is a significant privacy and security risk, as it could potentially be used to track browsing activity or steal sensitive data.
- The extension has the "tabs" permission, which allows it to access and manipulate browser tabs. This could potentially be misused to compromise security or privacy.
- The extension has the "cookies" permission, which allows it to access and modify browser cookies. This could potentially be used to compromise user accounts or steal sensitive information.
- The extension has the "storage" permission, which allows it to store data locally. While this is a medium-risk permission, it could potentially be used to store sensitive information insecurely.
Recommendations:
- Given the high-risk permissions and broad host permissions, it is recommended to exercise caution when using this extension.
- If you decide to use this extension, consider running it in a separate browser profile or a dedicated browser instance to isolate it from your main browsing activity.
- Regularly review the extension's permissions and update it only from trusted sources to mitigate potential security risks.
- Monitor the extension's behavior and uninstall it if you notice any suspicious activity or performance issues.
- Consider using alternative security tools or extensions from well-known and trusted sources, if available.
Findings
This section provides a detailed analysis of the extension's security posture, without broader context. Assumes worst-case impact.
HIGH
Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.
HIGH
High-Risk Permission: cookies
This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.
HIGH
High-Risk Permission: tabs
This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.
MEDIUM
Medium-Risk Permission: storage
This extension has the storage permission. Can store data locally.
Security Analysis Details
Required Permissions:
- tabs
- cookies
- storage
Host Permissions:
- http://*/*
- https://*/*
Content Security Policy:
- extension_pages: script-src 'self'; object-src 'self'
Embedded URLs (7 total):
| http://www.w3.org/2000/svg | https://fonts.googleapis.com/css?family=Nunito:400 | |
| https://npm.im/webext-base-css | https://github.com/facebook/regenerator/blob/main/LICENSE | |
| https://github.com/zaproxy/zest/ | https://clients2.google.com/service/update2/crx | |
| https://github.com/zaproxy/browser-extension/ |
Raw Manifest
{ "name": "ZAP by Checkmarx Browser Extension", "icons": { "16": "assets/icons/zap16x16.png", "32": "assets/icons/zap32x32.png", "48": "assets/icons/zap48x48.png", "128": "assets/icons/zap128x128.png", "512": "assets/icons/zap512x512.png" }, "action": { "chrome_style": false, "default_icon": { "16": "assets/icons/zap16x16.png", "32": "assets/icons/zap32x32.png", "48": "assets/icons/zap48x48.png", "128": "assets/icons/zap128x128.png", "512": "assets/icons/zap512x512.png" }, "default_popup": "popup.html", "default_title": "ZAP by Checkmarx" }, "author": "ZAP Core Team", "version": "0.0.11", "background": { "service_worker": "js/background.bundle.js" }, "options_ui": { "page": "options.html", "open_in_tab": true }, "short_name": "ZAP by Checkmarx", "update_url": "https://clients2.google.com/service/update2/crx", "description": "A browser extension which allows ZAP to access the client side of a web app.", "permissions": [ "tabs", "cookies", "storage" ], "homepage_url": "https://github.com/zaproxy/browser-extension/", "options_page": "options.html", "content_scripts": [ { "js": [ "js/contentScript.bundle.js" ], "matches": [ "http://*/*", "https://*/*" ] } ], "host_permissions": [ "http://*/*", "https://*/*" ], "manifest_version": 3, "minimum_chrome_version": "113", "content_security_policy": { "extension_pages": "script-src 'self'; object-src 'self'" }, "web_accessible_resources": [ { "matches": [ "http://*/*", "https://*/*" ], "resources": [ "assets/fonts/Roboto-Regular.ttf" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
Loading Secure Annex data...
Unable to load Secure Annex data.
This extension may not yet be analyzed by Secure Annex.
Detections
0Critical
0
High
0
Medium
0
Low
0
Has Verdicts
Yes
Manifest Findings
0Critical
0
High
0
Medium
0
Low
0
Secure Annex analyzed version: -