fetchext provides a suite of tools for analyzing browser extensions, ranging from basic metadata inspection to deep forensic analysis of source code and behavior.
The risk command calculates a "Privacy Risk Score" based on the permissions requested in the manifest.
`fext risk <file>`

Scoring Logic:
- Critical (10): `<all_urls>`, `debugger`, `webRequestBlocking`, `proxy`.
- High (7-9): `tabs`, `history`, `bookmarks`, `cookies`.
- Medium (4-6): `storage`, `notifications`, `geolocation`.
- Low (1-3): `alarms`, `idle`.
Toxic Combinations: The analyzer also looks for dangerous combinations of permissions that amplify risk, such as:
- `tabs` + `cookies` + `<all_urls>` (Session Hijacking risk)
- `webRequest` + `webRequestBlocking` (Man-in-the-Middle risk)
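As an added example (not fetchext's own code), the scoring logic and the toxic-combination check described above, applied to a constructed manifest. The page gives only point ranges for the High/Medium/Low tiers and does not say how per-permission points are combined, so the exact weights and the summation are assumptions.

```python
"""Added example: permission risk scoring in the style of `fext risk`.
Not fetchext's code; the per-permission weights inside the 7-9, 4-6 and 1-3
ranges and the summing of points are assumptions."""
import json

# Tiers as listed on the page. Points inside the ranged tiers are assumed.
CRITICAL = {"<all_urls>": 10, "debugger": 10, "webRequestBlocking": 10, "proxy": 10}
HIGH = {"tabs": 7, "history": 8, "bookmarks": 7, "cookies": 9}
MEDIUM = {"storage": 4, "notifications": 4, "geolocation": 6}
LOW = {"alarms": 1, "idle": 1}
WEIGHTS = {**CRITICAL, **HIGH, **MEDIUM, **LOW}

# Toxic combinations from the page: every listed permission must be present.
TOXIC = [
    ({"tabs", "cookies", "<all_urls>"}, "Session Hijacking risk"),
    ({"webRequest", "webRequestBlocking"}, "Man-in-the-Middle risk"),
]


def collect_permissions(manifest):
    """Union of permissions, optional permissions and (MV3) host_permissions,
    since <all_urls> lives under host_permissions in Manifest V3."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    return perms


def score(manifest):
    perms = collect_permissions(manifest)
    per_perm = {p: WEIGHTS[p] for p in perms if p in WEIGHTS}
    combos = [label for needed, label in TOXIC if needed <= perms]
    return {
        "score": sum(per_perm.values()),          # assumed aggregation: plain sum
        "per_permission": per_perm,
        "toxic": combos,
        "unscored": sorted(perms - WEIGHTS.keys()),  # permissions outside the tiers
    }


# Constructed sample manifest (not from any real extension).
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "permissions": ["tabs", "cookies", "storage", "webRequest"],
  "host_permissions": ["<all_urls>"]
}""")

if __name__ == "__main__":
    print(json.dumps(score(SAMPLE_MANIFEST), indent=2))
```

The sample scores 30 (tabs 7 + cookies 9 + storage 4 + `<all_urls>` 10) and trips the session-hijacking combination, while `webRequest` alone is reported as unscored rather than silently ignored.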
The audit command checks the extension's CSP for weak configurations that could allow Cross-Site Scripting (XSS) or code injection.
`fext audit <file>`

Checks:
- Usage of `unsafe-eval` (allows `eval()`).
- Usage of `unsafe-inline` (allows inline scripts).
- Missing `object-src` restrictions.
- Overly permissive `connect-src`.
High entropy in files often indicates packed, obfuscated, or encrypted code, which is common in malware trying to hide its payload.
`fext analyze entropy <file>`

The tool calculates the Shannon entropy (0-8) for every file in the archive.
- > 7.5: Likely compressed or encrypted.
- > 6.0: Potential obfuscated code (if it's a JS file).
To detect obfuscated code that hasn't been packed, fetchext measures the cyclomatic complexity of JavaScript functions.
`fext analyze complexity <file>`

Obfuscated code often has abnormally high complexity (nested loops, conditionals) or very long single-line functions.
Scan extension files against custom or standard YARA rules to detect known malware signatures.
`fext analyze yara /path/to/rules/ <file>`

You can provide a single .yar file or a directory containing multiple rule files.
The analyze secrets command searches source code for accidentally committed credentials.
`fext analyze secrets <file>`

Detects:
- AWS Access Keys
- Google API Keys
- Slack Tokens
- Stripe Keys
- Generic high-entropy strings resembling keys.
To understand where an extension is sending data, use the domain extractor. It parses JavaScript, HTML, CSS, and JSON files to find all URLs and domains.
`fext analyze domains <file>`

This is useful for identifying tracking endpoints, C2 servers, or external dependencies.
Analyze WebAssembly (.wasm) modules to extract metadata, imports, and exports.
`fext analyze wasm <file.wasm>`

Features:
- Parses WASM binary header and sections.
- Lists imported functions and modules.
- Lists exported functions (entry points).
- Identifies custom sections (e.g., debug names).
Generate a frequency map of Chrome/Browser API calls to identify high-risk areas.
`fext analyze api-usage <file>`

Features:
- Scans JavaScript and HTML files.
- Detects `chrome.*` and `browser.*` API calls.
- Outputs total calls, unique APIs, and per-file usage.
The timeline command visualizes the modification dates of files within the archive.
`fext timeline <file>`

Forensic Use:
- Identify files modified after the official build time.
- Detect "timestomping" (dates that are impossibly old or in the future).
- See the development cadence.
Generate a visual graph of internal file dependencies (imports, requires, script tags).
`fext graph <file>`

This produces a DOT file that can be rendered with Graphviz to visualize the architecture of the extension.
The locales command inspects the _locales directory to identify supported languages and message counts.
`fext locales <file>`

Analysis:
- Identifies the `default_locale` specified in the manifest.
- Lists all supported locale codes (e.g., `en_US`, `fr`, `es`).
- Counts the number of translation messages for each locale, helping to identify incomplete translations.