In the same vein as the IE-specific res:// URLs that can help you detect Internet Explorer, I’ve taken that detection one step further in Firefox. After discovering the issue with IETab, where a user can be maliciously forced into the Internet Explorer rendering engine, it got me thinking about ways to detect whether that is even possible. How do you know what your target is running, and how do you take advantage of that information? Taking advantage of it is a huge ball of wax, and it completely depends on the browser plugin in question. In this case, the IETab issue was pretty straightforward, but others may not be so straightforward, and will take a lot more time to analyze (probably by many more people than me alone).
But while messing around with WebDeveloper’s DOM “generated source” utility, I happened upon one of my plugins’ information being written into the DOM. In tracking down the chrome element, I realized that it too has a similar issue to Internet Explorer, where items can be mapped if they are registered. Specifically, images of all things. Now, the naming convention isn’t standard, so you can’t just write one that works for everything, but I took the time to map out each of the ones I could find so you wouldn’t have to dig.
Knowing what your target has installed is both a way to fingerprint the user and a way to bypass whatever security settings they may have (knowing what they have installed can help you figure out ways around it, or use it to your advantage, as we saw with IEView). I’ve always thought the plugins would be Firefox’s major security flaw. Looks like we’re getting closer to proving that fact.
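
Seen from the defending side, the exposure described above comes down to which chrome packages an extension lets ordinary web pages load. The following is an added example, not code from the original post: it audits a chrome.manifest for content packages registered with `contentaccessible=yes`, the flag that later Firefox releases require before web content may reference a package's chrome:// resources. The post itself does not mention this flag, and the manifest and package names below are constructed.

```python
# Added example: audit an extension's chrome.manifest for packages that
# web content is allowed to load (and could therefore use as a fingerprint).
# Assumption: the browser enforces the contentaccessible flag.

# Constructed sample manifest for hypothetical extensions.
SAMPLE_MANIFEST = """\
# constructed example, not from a real extension
content  exampletab   chrome/content/  contentaccessible=yes
content  examplecore  jar:chrome/core.jar!/content/
skin     exampletab   classic/1.0  chrome/skin/
locale   exampletab   en-US  chrome/locale/en-US/
overlay  chrome://browser/content/browser.xul chrome://exampletab/content/o.xul
content  exampleos    chrome/os/  os=WINNT contentaccessible=yes
"""

# Number of positional fields (including the instruction) before any flags.
POSITIONAL = {"content": 3, "skin": 4, "locale": 4}


def audit_manifest(text):
    """Map package name -> {"registered": set of types, "web_exposed": bool}."""
    packages = {}
    for raw in text.splitlines():
        fields = raw.split()
        # Skip blank lines and comment lines (those starting with '#').
        if not fields or fields[0].startswith("#"):
            continue
        kind = fields[0]
        # Ignore other instructions (overlay, style, ...) and malformed lines.
        if kind not in POSITIONAL or len(fields) < POSITIONAL[kind]:
            continue
        entry = packages.setdefault(
            fields[1], {"registered": set(), "web_exposed": False})
        entry["registered"].add(kind)
        # Flags are compared case-insensitively on purpose: an audit should
        # over-report rather than miss an exposed package.
        flags = [f.lower() for f in fields[POSITIONAL[kind]:]]
        if kind == "content" and "contentaccessible=yes" in flags:
            entry["web_exposed"] = True
    return packages


def web_exposed(text):
    """Sorted names of packages whose content is reachable from web pages."""
    return sorted(p for p, e in audit_manifest(text).items() if e["web_exposed"])


if __name__ == "__main__":
    for name in web_exposed(SAMPLE_MANIFEST):
        print("web-accessible chrome package:", name)
```

Any package this reports is one a page can test for, so extension authors should set the flag only on packages that genuinely need to be referenced from web content.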