
Plug and Prey: Scanning and Scoring Browser Extensions

Recon Village @ DEF CON 33, 8th, 9th and 10th August 2025

Abstract

Browser extensions are an unmonitored threat surface in most enterprises. Security teams have tools for endpoints, networks, and identities, but the browser is often left out. Extensions can access sensitive data, run arbitrary scripts, and update silently. Most organizations have no idea what's installed across their fleet.

This talk introduces ExtHuntr, an open source tool that scans for installed browser extensions, analyzes their permissions and behavior, and generates a risk score. It gives defenders visibility where they currently have none.

We will walk through how extensions are abused in the wild, how even well-known plugins can turn malicious, and why relying on store reputation is not enough. The talk includes:

- A live demo of ExtHuntr
- Breakdown of extension permission abuse
- Risk scoring logic
- Fleet-wide deployment strategies for enterprise use

Attackers already know what your users are running. This talk shows how you can know first.

Speakers

Nishant Sharma

Head of Cybersecurity Research, SquareX

Nishant Sharma is a seasoned cybersecurity professional with deep expertise in cloud security, DevSecOps, and hands-on technical training. He is currently Head of Cybersecurity Research at SquareX (sqrx.com). He spent 10+ years in cybersecurity education, during which he served as VP Labs R&D at INE.com and headed R&D at Pentester Academy, developing thousands of host, networking and cloud security labs on AWS, GCP and Azure infrastructure. These labs were used by learners in 125+ countries. A frequent presenter at DEF CON, Black Hat, and OWASP events, he is the trainer, speaker or author behind 10+ trainings, 15+ talks and 9+ open source tools. More can be found on his personal website: https://nishantsharmax.com/

Shourya Pratap Singh

Principal Software Engineer, SquareX

Shourya Pratap Singh is responsible for building SquareX's security-focused extension and works on researching methods to counteract web security risks. As an upcoming figure in cybersecurity, Shourya has delivered several workshops at prestigious events such as the Texas Cyber Summit and shared his innovative offensive security research at Blackhat Arsenal EU. He earned his bachelor's degree from IIIT Bhubaneswar and is a patent holder. Shourya’s professional passions are centered around enhancing the security of browser extensions and web applications.
