CRXaminer

XHR Request Interceptor

Version 1.0.0

Last scanned: 12 days ago

Extension Details

Rating: 5.0 ★ (1 rating)
Users: 185

Context-Aware Verdict

Overall Risk: HIGH
Trust Factors: This extension has several concerning trust indicators. With only 185 users and a single 5-star rating, it lacks the user base validation that comes with more established extensions. The absence of author information and developer details raises transparency concerns. The extension's purpose of intercepting XHR requests is inherently sensitive, as it involves monitoring network communications.
Concerns:
- The combination of declarativeNetRequest permissions with universal host permissions (*://*/*) creates a powerful capability to intercept, modify, or block network requests across all websites
- The broad host permissions are excessive for most legitimate use cases and could enable data harvesting or request manipulation on sensitive sites like banking or email platforms
- Low user adoption combined with high-risk permissions suggests this may be a specialized tool that hasn't undergone community scrutiny
- The lack of developer transparency makes it difficult to assess intentions or contact support if issues arise
- XHR interception capabilities could be misused to steal authentication tokens, API keys, or other sensitive data transmitted via AJAX requests
Recommendations:

Consider running this extension in a separate Chrome profile dedicated to development or testing activities. Only install if you specifically need XHR interception functionality and understand the security implications. Verify the extension's behavior using browser developer tools before using it on sites containing sensitive information. Look for alternative extensions with better transparency and larger user bases if possible.

Findings

HIGH: Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.