Oliver Nassar

Matlock

Matlock is a Browser Extension that detects which Open Source libraries webpages are using


What is Matlock?

Matlock is my first attempt at building an extension (currently for Chrome and Firefox) which detects and lists the Open Source libraries a webpage is using, along with relevant data about those libraries.

At the moment, this is limited to GitHub-hosted libraries, but we do have tests for 1,000+ libraries (and counting).


How do I install Matlock?

  1. Visit our Chrome Web Store or Firefox Add-On page
  2. Click the Add to Chrome or Add to Firefox button
  3. You're done!

What does Matlock look like?

The screenshots below give you a sense of what Matlock looks like (and, therefore, how it works):


How does Matlock work?

Matlock works by running a series of tests on each page you navigate to, checking for specific variables, strings, headers, cookies or function responses.

The results of these tests tell Matlock whether a certain library is being used, and in some cases, which version.
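As an added illustration of this approach (example code written for this page, not one of Matlock's own breadcrumbs), the following script runs a few breadcrumb-style tests against a page's global object: it checks for globals, tells look-alike libraries apart by the functions they expose, and reads version strings. The breadcrumb shape and the fake window are assumptions; the globals and version accessors it uses (jQuery.fn.jquery, _.VERSION, _.chunk, angular.version.full) are the ones those libraries really expose.

```javascript
// Added example, not Matlock's own code: breadcrumb-style tests run in the
// page context. The breadcrumb shape ({name, exists, version}) and the fake
// window below are assumptions for illustration.

const BREADCRUMBS = [
  {
    name: 'jquery/jquery',
    // variable test: the jQuery global is a function with a `fn` prototype object
    exists: (win) => typeof win.jQuery === 'function' && typeof win.jQuery.fn === 'object',
    // version test: jQuery stores its version string at jQuery.fn.jquery
    version: (win) => win.jQuery.fn.jquery,
  },
  {
    name: 'lodash/lodash',
    // Lodash and Underscore both take the `_` global; a function-response test
    // (Underscore has no `_.chunk`) tells them apart
    exists: (win) => typeof win._ === 'function' && typeof win._.chunk === 'function',
    version: (win) => win._.VERSION,
  },
  {
    name: 'jashkenas/underscore',
    exists: (win) => typeof win._ === 'function' && typeof win._.chunk !== 'function'
      && typeof win._.VERSION === 'string',
    version: (win) => win._.VERSION,
  },
  {
    name: 'angular/angular.js',
    // AngularJS exposes angular.version = {full, major, minor, dot, codeName}
    exists: (win) => typeof win.angular === 'object' && win.angular !== null
      && typeof win.angular.version === 'object',
    version: (win) => win.angular.version.full,
  },
];

// Only accept version strings that look like versions: a page can put
// anything in these slots, and the result is shown to the user.
const VERSION_RE = /^\d+(\.\d+)*([-+.][\w.]+)?$/;

// Run every breadcrumb against a page's global object and report matches.
// Each test is wrapped in try/catch: page scripts can install throwing
// getters on window, and one failing test must not hide the other libraries.
function detect(win, breadcrumbs = BREADCRUMBS) {
  const found = [];
  for (const crumb of breadcrumbs) {
    let exists = false;
    try { exists = crumb.exists(win) === true; } catch (err) { exists = false; }
    if (!exists) continue;
    let version = null;
    try { version = crumb.version(win); } catch (err) { version = null; }
    if (typeof version !== 'string' || !VERSION_RE.test(version)) version = null;
    found.push({ name: crumb.name, version });
  }
  return found;
}

// Constructed stand-in for `window` on a page that loads jQuery 3.6.0 and
// Underscore 1.13.6, no Lodash, and whose `angular` property throws on access.
function fakeWindow() {
  const jQuery = function () {};
  jQuery.fn = { jquery: '3.6.0' };
  const _ = function () {};
  _.VERSION = '1.13.6';
  const win = { jQuery, _ };
  Object.defineProperty(win, 'angular', {
    get() { throw new Error('hostile getter'); },
  });
  return win;
}

if (typeof require !== 'undefined' && require.main === module) {
  // In a real breadcrumb this would be detect(window)
  console.log(JSON.stringify(detect(fakeWindow())));
}
```

The two safeguards are the ones a practitioner would want in any in-page fingerprinting code: every test is isolated so a hostile or broken page cannot abort the whole run, and a version string is only reported when it actually looks like a version, since whatever is found ends up rendered in the extension's UI.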


Why does Matlock require so many permissions?

Here's a breakdown of each of the permissions Matlock needs, and the reason why:

<all_urls>

This permission allows Matlock to run on each of the pages you browse.

It's the core permission required to run Matlock's breadcrumbs (the detection tests described below) against each page.

cookies

This permission allows Matlock to access the cookies that are saved for the webpages you visit.

It's particularly useful for inferring which server-side framework a webpage may be running on, since many frameworks set a session cookie with a recognisable default name.

tabs

This permission is required to load Matlock in each of your open tabs upon installation, without requiring you to reload each tab.

webRequest

This permission allows Matlock to access the headers for webpages you visit.

It's useful for determining the Open Source software behind a page that is not visible in the page itself: the programming language, server-side framework, or web server it may be running on.

This one matters because the same information could be obtained without it by re-requesting the page you're on and reading the headers of that second response. Doing so is risky: although some other extensions take this approach, silently replaying the request that produced a page can have side effects (e.g. re-submitting a form on a poorly designed financial website), so Matlock only observes the headers of responses the browser already received.
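To make the difference concrete, here is an added example (not Matlock's code) of the passive approach: a background-script listener that reads the headers of the response the browser already received and fingerprints the web server, language and framework from banner headers and session-cookie names. The fingerprint tables and the constructed sample response are assumptions for illustration; the registration call uses the real chrome.webRequest.onHeadersReceived API and does nothing when run outside a browser.

```javascript
// Added example, not Matlock's own code: passive fingerprinting of the
// server side from the response the browser already received. The
// fingerprint tables and the sample response are assumptions for illustration.

// webRequest delivers details.responseHeaders as [{name, value}] with
// arbitrary name casing; fold into a lowercase map, keeping repeats
// (Set-Cookie legitimately appears once per cookie).
function headerMap(responseHeaders) {
  const map = new Map();
  for (const h of responseHeaders) {
    const key = String(h.name).toLowerCase();
    if (!map.has(key)) map.set(key, []);
    map.get(key).push(h.value == null ? '' : String(h.value));
  }
  return map;
}

// Banner headers whose tokens look like "product/version" (nginx/1.18.0, PHP/7.4.3).
const BANNER_HEADERS = ['server', 'x-powered-by', 'x-generator'];
const BANNER_RE = /^([A-Za-z][\w.-]*?)(?:\/(\d[\w.-]*))?$/;

// Default session-cookie names that give away a framework or runtime.
// Only the cookie NAME is inspected; values are session tokens and are never
// read, logged or sent anywhere.
const COOKIE_FINGERPRINTS = [
  { re: /^PHPSESSID$/i, tech: 'PHP' },
  { re: /^JSESSIONID$/i, tech: 'Java Servlet container' },
  { re: /^ASP\.NET_SessionId$/i, tech: 'ASP.NET' },
  { re: /^laravel_session$/i, tech: 'Laravel' },
  { re: /^csrftoken$/i, tech: 'Django' },
  { re: /^ci_session$/i, tech: 'CodeIgniter' },
];

// Returns a de-duplicated list of technologies (with versions where the
// banner gives one) inferred from one response's headers.
function fingerprint(responseHeaders) {
  const headers = headerMap(responseHeaders);
  const findings = new Set();

  for (const key of BANNER_HEADERS) {
    for (const value of headers.get(key) || []) {
      // "nginx/1.18.0 (Ubuntu)" -> tokens; the parenthesised OS note fails BANNER_RE and is skipped
      for (const token of value.split(/[,\s]+/)) {
        const m = BANNER_RE.exec(token);
        if (m) findings.add(m[2] ? `${m[1]} ${m[2]}` : m[1]);
      }
    }
  }

  for (const setCookie of headers.get('set-cookie') || []) {
    const name = setCookie.split(';', 1)[0].split('=', 1)[0].trim();
    for (const fp of COOKIE_FINGERPRINTS) {
      if (fp.re.test(name)) findings.add(fp.tech);
    }
  }
  return [...findings];
}

// Background-script registration. Observing onHeadersReceived is enough:
// nothing is re-requested, so a POST that produced the page is never replayed.
// Returns false where the webRequest API is absent (e.g. under Node).
function register(onResult) {
  if (typeof chrome === 'undefined' || !chrome.webRequest) return false;
  chrome.webRequest.onHeadersReceived.addListener(
    (details) => onResult(details.tabId, fingerprint(details.responseHeaders || [])),
    { urls: ['<all_urls>'], types: ['main_frame'] },
    ['responseHeaders']
  );
  return true;
}

// Constructed sample response for a PHP/Laravel site behind nginx.
const SAMPLE_RESPONSE_HEADERS = [
  { name: 'Server', value: 'nginx/1.18.0 (Ubuntu)' },
  { name: 'X-Powered-By', value: 'PHP/7.4.3' },
  { name: 'Content-Type', value: 'text/html; charset=utf-8' },
  { name: 'Set-Cookie', value: 'PHPSESSID=opaque-session-id; Path=/; HttpOnly' },
  { name: 'Set-Cookie', value: 'laravel_session=opaque-session-id; Path=/; HttpOnly' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(fingerprint(SAMPLE_RESPONSE_HEADERS));
  // -> [ 'nginx 1.18.0', 'PHP 7.4.3', 'PHP', 'Laravel' ]
}
```

The listener is non-blocking (it returns nothing and does not request the blocking extraInfoSpec), so it can neither alter nor delay the page; and because only cookie names are matched, the extension never handles session-token values even though the cookies permission would let it read them via chrome.cookies.getAll.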


Breadcrumbs are the JavaScript files Matlock uses to determine whether an Open Source library is being used on a page and, if so, which version.

Some breadcrumb examples:


Existential testing

The following approaches are used for determining whether an Open Source library is being used on a page:

Possible improvements:


Version testing

The following approaches are used for determining the (possible) version of an Open Source library that is being used on a page:

Possible improvements:


Acknowledgments

Matlock would not be possible without the open source contributions made by the following groups:


Feedback

If you have any feedback, you can reach me at: onassar@gmail.com