Presented at DEF CON 33 (2025), Aug. 9, 2025, 11 a.m. (45 minutes).
In the continuously evolving world of browser extensions, security remains a big concern. As the demand for feature-rich extensions increases, priority is given to functionality over robustness, which makes way for vulnerabilities that can be exploited by malicious actors. The danger increases even more for organizations handling sensitive data like banking details, PII, confidential org reports, etc. Damn Vulnerable Browser Extension (DVBE) is an open-source vulnerable browser extension, designed to shed light on the importance of writing secure browser extensions and to educate developers and security professionals about the vulnerabilities and misconfigurations that are found in browser extensions, how they are found, and how they impact business. This built-to-be-vulnerable extension can be used to learn, train, and exploit browser extension-related vulnerabilities.
Presenters:
- Abhinav Khanna
Abhinav is an information security professional with 6+ years of experience. Having worked at organisations like S&P Global and NotSoSecure, his area of expertise lies in web appsec, mobile appsec, API security, and browser extension security. He has spoken at multiple conferences like Black Hat Asia, Black Hat Europe, and Black Hat MEA. In his free time, he likes playing table tennis.