PermHash API

Analyze extension permission patterns using PermHash for similarity clustering and threat detection.

The PermHash API enables permission pattern analysis for threat hunting and similarity detection. PermHash is a SHA-256 hash of an extension's permission set, allowing you to identify extensions with identical permission patterns.

What is PermHash?

PermHash (Permission Hash) creates a unique fingerprint of an extension's requested permissions:

  1. Extract all permissions from the manifest
  2. Normalize and sort them alphabetically
  3. Generate a SHA-256 hash of the sorted permission list

Extensions with identical permission sets share the same PermHash, even if they have different names or publishers.
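The three steps above, as an added Python example (not code from the PermHash service). The manifest keys read, the whitespace trimming and de-duplication, the code-point sort order, and the newline join are all assumptions, so the digests it produces are not expected to match the values the API returns.

```python
import hashlib
import json

# Assumption: manifest keys that contribute permissions (MV2 and MV3 names).
PERMISSION_KEYS = ("permissions", "host_permissions")


def extract_permissions(manifest: dict) -> list[str]:
    """Step 1: collect every string permission declared in the manifest."""
    found = []
    for key in PERMISSION_KEYS:
        for entry in manifest.get(key, []):
            if isinstance(entry, str):  # skip malformed, non-string entries
                found.append(entry)
    return found


def normalize(permissions: list[str]) -> list[str]:
    """Step 2: trim whitespace, drop empties and duplicates, sort."""
    return sorted({p.strip() for p in permissions if p.strip()})


def permhash(manifest: dict) -> str:
    """Step 3: SHA-256 over the sorted list (newline-joined: an assumption)."""
    canonical = "\n".join(normalize(extract_permissions(manifest)))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# Constructed sample manifests (not real extensions).
MANIFEST_A = json.loads("""{"name": "Tab Helper", "manifest_version": 3,
  "permissions": ["tabs", "storage", "webRequest"],
  "host_permissions": ["<all_urls>"]}""")
MANIFEST_B = json.loads("""{"name": "Coupon Finder", "manifest_version": 2,
  "permissions": ["webRequest", "<all_urls>", " storage", "tabs", "tabs"]}""")
MANIFEST_C = json.loads("""{"name": "Tab Helper Pro", "manifest_version": 3,
  "permissions": ["tabs", "storage", "webRequest", "cookies"],
  "host_permissions": ["<all_urls>"]}""")

if __name__ == "__main__":
    for m in (MANIFEST_A, MANIFEST_B, MANIFEST_C):
        print(f"{permhash(m)}  {m['name']}")
```

MANIFEST_A and MANIFEST_B differ in name, manifest version and permission order but hash identically, while the single extra `cookies` permission in MANIFEST_C yields an unrelated digest.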

Use Cases

  • Threat Hunting: Find extensions with the same permissions as known malware
  • Similarity Analysis: Discover potentially related extensions
  • Risk Assessment: Identify risky permission patterns
  • Clone Detection: Find extensions that may be clones or copies

Get Extensions by PermHash

Retrieve all extensions that share a specific PermHash.

GET /api/v1/permhash/{permhash}

Path Parameters

| Parameter | Type | Description |
|-----------|------|-------------|
| permhash | string | 64-character hexadecimal SHA-256 hash |

Query Parameters

| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| page | integer | 1 | Page number |
| page_size | integer | 50 | Items per page (max 100) |

Example Request

curl -X GET "https://extensionauditor.com/api/v1/permhash/a1b2c3d4e5f6789012345678901234567890123456789012345678901234abcd" \
  -H "Cookie: session=your_session_cookie"

Example Response

{
  "success": true,
  "result": [
    {
      "extension_id": "blemhmgimpnomifkjoinlelbmgoljddm",
      "name": "Example Extension 1",
      "version": "2.1.0",
      "user_count": 500000,
      "rating_value": 4.5,
      "is_trusted_publisher": true,
      "by_google": false,
      "status": "active",
      "last_update": "2024-01-15"
    },
    {
      "extension_id": "abcdefghijklmnopqrstuvwxyz123456",
      "name": "Example Extension 2",
      "version": "1.0.5",
      "user_count": 10000,
      "rating_value": 3.2,
      "is_trusted_publisher": false,
      "by_google": false,
      "status": "active",
      "last_update": "2024-01-10"
    }
  ],
  "page": 1,
  "page_size": 50,
  "total_count": 12,
  "total_pages": 1
}

Get Extension Cluster

Retrieve the PermHash cluster for a specific extension.

GET /api/v1/permhash/cluster/{extensionId}

Path Parameters

| Parameter | Type | Description |
|-----------|------|-------------|
| extensionId | string | 32-character extension ID |

Example Request

curl -X GET "https://extensionauditor.com/api/v1/permhash/cluster/blemhmgimpnomifkjoinlelbmgoljddm" \
  -H "Cookie: session=your_session_cookie"

Example Response

{
  "success": true,
  "data": {
    "extension_id": "blemhmgimpnomifkjoinlelbmgoljddm",
    "permhash": "a1b2c3d4e5f6789012345678901234567890123456789012345678901234abcd",
    "permissions": [
      "activeTab",
      "storage",
      "tabs",
      "webRequest",
      "webRequestBlocking"
    ],
    "cluster_size": 12,
    "cluster_total_users": 1500000,
    "similar_extensions": [
      {
        "extension_id": "abcdefghijklmnopqrstuvwxyz123456",
        "name": "Similar Extension",
        "user_count": 100000,
        "rating_value": 4.2
      }
    ]
  }
}

Get Risky Permission Clusters

Retrieve clusters with high-risk permission patterns.

GET /api/v1/permhash/clusters/risky

Query Parameters

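| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| page | integer | 1 | Page number |
| page_size | integer | 25 | Items per page |
| min_extensions | integer | 2 | Minimum extensions in cluster |
| risk_level | string | - | Filter: medium, high, critical |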

Example Request

curl -X GET "https://extensionauditor.com/api/v1/permhash/clusters/risky?risk_level=high&min_extensions=5" \
  -H "Cookie: session=your_session_cookie"

Example Response

{
  "success": true,
  "result": [
    {
      "permhash": "dangerous123...",
      "risk_level": "high",
      "risk_reasons": [
        "Requests all_urls access",
        "Combines webRequest with cookies",
        "Background script with broad permissions"
      ],
      "permissions": [
        "<all_urls>",
        "cookies",
        "webRequest",
        "webRequestBlocking"
      ],
      "extension_count": 8,
      "total_users": 250000,
      "known_malicious": 2,
      "sample_extensions": [
        {
          "extension_id": "xyz...",
          "name": "Suspicious Tool",
          "user_count": 50000,
          "is_trusted_publisher": false
        }
      ]
    }
  ],
  "page": 1,
  "page_size": 25,
  "total_count": 45,
  "total_pages": 2
}

High-Risk Permission Patterns

The following permission combinations are considered high-risk:

| Pattern | Risk Level | Description |
|---------|------------|-------------|
| <all_urls> + webRequest | High | Can intercept all web traffic |
| cookies + <all_urls> | High | Can access cookies on all sites |
| nativeMessaging + broad host | Critical | Can execute native code |
| management | High | Can control other extensions |
| debugger | Critical | Full browser debugging access |
| proxy | High | Can redirect all traffic |
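A local check that applies the table above to a permission list, as an added Python example (not the service's Risk Engine or its scoring code). The page does not define "broad host", so the `BROAD_HOSTS` set is an assumption, as are the function and variable names.

```python
RANK = {"high": 1, "critical": 2}

# Assumption: the page does not define "broad host"; these patterns stand in for it.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _has_broad_host(perms: set[str]) -> bool:
    return bool(perms & BROAD_HOSTS)


# (label, risk level, predicate) rows mirroring the table above.
PATTERNS = [
    ("<all_urls> + webRequest", "high",
     lambda p: {"<all_urls>", "webRequest"} <= p),
    ("cookies + <all_urls>", "high",
     lambda p: {"cookies", "<all_urls>"} <= p),
    ("nativeMessaging + broad host", "critical",
     lambda p: "nativeMessaging" in p and _has_broad_host(p)),
    ("management", "high", lambda p: "management" in p),
    ("debugger", "critical", lambda p: "debugger" in p),
    ("proxy", "high", lambda p: "proxy" in p),
]


def classify(permissions):
    """Return (highest risk level or None, list of matched pattern labels)."""
    perms = set(permissions)
    matched = [(label, level) for label, level, pred in PATTERNS if pred(perms)]
    if not matched:
        return None, []
    top = max((level for _, level in matched), key=RANK.__getitem__)
    return top, [label for label, _ in matched]


# Permission lists taken from the example responses on this page.
RISKY_CLUSTER = ["<all_urls>", "cookies", "webRequest", "webRequestBlocking"]
CLUSTER_EXAMPLE = ["activeTab", "storage", "tabs", "webRequest", "webRequestBlocking"]
# Constructed sample.
NATIVE_SAMPLE = ["nativeMessaging", "storage", "*://*/*"]

if __name__ == "__main__":
    for perms in (RISKY_CLUSTER, CLUSTER_EXAMPLE, NATIVE_SAMPLE):
        print(classify(perms), perms)
```

Note that `webRequest` without a matching host grant (the cluster example) matches no row, which is why the combination rows test both members rather than either one alone.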

Threat Hunting Workflow

1. Analyze a Known Malicious Extension

# Get the PermHash cluster for a known malicious extension
curl -X GET "https://extensionauditor.com/api/v1/permhash/cluster/malicious-extension-id" \
  -H "Cookie: session=your_session_cookie"

2. Find All Extensions with Same Permissions

# Use the PermHash to find similar extensions
curl -X GET "https://extensionauditor.com/api/v1/permhash/{permhash}" \
  -H "Cookie: session=your_session_cookie"

3. Investigate Each Extension

# Get details on suspicious extensions
curl -X GET "https://extensionauditor.com/api/v1/extensions/{extensionId}" \
  -H "Cookie: session=your_session_cookie"

PermHash Format

Valid PermHash format:

  • 64 hexadecimal characters (SHA-256)
  • Case-insensitive
  • Example: a1b2c3d4e5f6789012345678901234567890123456789012345678901234abcd

Invalid formats will return a 400 error:

{
  "success": false,
  "error": "Invalid PermHash format. Must be a 64-character hexadecimal string"
}

Error Responses

| Status Code | Description |
|-------------|-------------|
| 400 | Invalid PermHash format |
| 401 | Authentication required |
| 404 | No extensions found with this PermHash |
| 429 | Rate limit exceeded |
| 500 | Internal server error |

Best Practices

  1. Start with known threats: Begin investigations with known malicious extensions
  2. Consider context: Same permissions don't mean same behavior
  3. Check publisher reputation: Cross-reference with publisher data
  4. Monitor clusters: Set up alerts for changes in risky clusters
  5. Combine with analysis: Use the Risk Engine for deeper analysis
