Risk Engine API
Perform comprehensive security analysis on browser extensions using the Extension Auditor Risk Engine.
The Risk Engine API provides comprehensive security analysis for browser extensions. Analyze individual extensions or perform bulk analysis to identify security risks, suspicious patterns, and potential threats.
Overview
The Risk Engine evaluates extensions across multiple security dimensions:
- Permission Analysis: Evaluates requested permissions against known risk patterns
- Manifest Inspection: Detects suspicious configurations and settings
- Publisher Reputation: Cross-references publisher history and behavior
- Code Patterns: Identifies potentially malicious code patterns
- PermHash Clustering: Compares against known malicious permission combinations
Risk Scores and Levels
| Risk Level | Score Range | Description |
|---|---|---|
| low | 0-25 | Minimal security concerns |
| medium | 26-50 | Some concerning patterns, review recommended |
| high | 51-75 | Significant security risks identified |
| critical | 76-100 | Immediate security threat, likely malicious |
Trigger Extension Analysis
Queue a security analysis for a specific extension version.
POST /api/v1/extensions/{extensionId}/versions/{version}/analysis
Request Body
```json
{
  "extensionId": "blemhmgimpnomifkjoinlelbmgoljddm",
  "version": "3.14.2",
  "priority": "high"
}
```
| Field | Type | Default | Description |
|---|---|---|---|
| extensionId | string | required | Extension ID to analyze |
| version | string | required | Specific version to analyze |
| priority | string | high | Queue priority: low, normal, high |
Example Request
```bash
curl -X POST "https://extensionauditor.com/api/v1/extensions/blemhmgimpnomifkjoinlelbmgoljddm/versions/3.14.2/analysis" \
  -H "Cookie: session=your_session_cookie" \
  -H "Content-Type: application/json" \
  -d '{"extensionId": "blemhmgimpnomifkjoinlelbmgoljddm", "version": "3.14.2", "priority": "high"}'
```
Response: Analysis Queued
```json
{
  "success": true,
  "data": {
    "message": "Risk analysis triggered successfully",
    "status": "processing",
    "messageId": "analysis-job-uuid"
  }
}
```
Response: Analysis Already Exists
```json
{
  "success": true,
  "data": {
    "message": "Security analysis already exists",
    "status": "completed",
    "report": {
      "risk_score": 35,
      "risk_level": "medium",
      "analyzed_at": "2024-01-15T10:30:00Z",
      "findings": [...]
    }
  }
}
```
Bulk Analysis
Analyze multiple extensions in a single request.
POST /api/v1/risk-engine/bulk-analysis
Request Body
```json
{
  "extension_ids": [
    "blemhmgimpnomifkjoinlelbmgoljddm",
    "abcdefghijklmnopqrstuvwxyz123456",
    "zyxwvutsrqponmlkjihgfedcba654321"
  ],
  "include_signals": true,
  "confidence_threshold": 0.7
}
```
| Field | Type | Default | Description |
|---|---|---|---|
| extension_ids | array | required | List of extension IDs (max 100) |
| include_signals | boolean | true | Include detailed signal information |
| confidence_threshold | number | 0 | Minimum confidence for signals (0-1) |
Example Request
```bash
curl -X POST "https://extensionauditor.com/api/v1/risk-engine/bulk-analysis" \
  -H "Cookie: session=your_session_cookie" \
  -H "Content-Type: application/json" \
  -d '{
    "extension_ids": ["ext1", "ext2", "ext3"],
    "include_signals": true,
    "confidence_threshold": 0.8
  }'
```
Example Response
```json
{
  "success": true,
  "data": {
    "results": [
      {
        "extension_id": "blemhmgimpnomifkjoinlelbmgoljddm",
        "classification": "clean",
        "risk_score": 15,
        "risk_level": "low",
        "signals": [
          {
            "category": "permissions",
            "signal": "standard_permissions",
            "confidence": 0.95,
            "description": "Extension requests only standard permissions"
          }
        ]
      },
      {
        "extension_id": "abcdefghijklmnopqrstuvwxyz123456",
        "classification": "suspicious",
        "risk_score": 62,
        "risk_level": "high",
        "signals": [
          {
            "category": "permissions",
            "signal": "broad_host_permissions",
            "confidence": 0.90,
            "description": "Requests access to all URLs"
          },
          {
            "category": "behavior",
            "signal": "obfuscated_code",
            "confidence": 0.85,
            "description": "Contains obfuscated JavaScript"
          }
        ]
      }
    ],
    "total_processed": 3,
    "total_malicious": 0,
    "total_suspicious": 1,
    "processing_time_ms": 1250,
    "errors": [
      {
        "extension_id": "zyxwvutsrqponmlkjihgfedcba654321",
        "error": "Extension not found"
      }
    ]
  }
}
```
Security Report Structure
```json
{
  "risk_score": 45,
  "risk_level": "medium",
  "classification": "suspicious",
  "analyzed_at": "2024-01-15T10:30:00Z",
  "manifest_version": 3,
  "findings": [
    {
      "id": "finding-uuid",
      "category": "permissions",
      "severity": "medium",
      "title": "Broad Host Permissions",
      "description": "Extension requests access to all URLs (<all_urls>)",
      "recommendation": "Review if the extension truly needs access to all websites",
      "cwe_id": "CWE-250"
    }
  ],
  "permissions_analysis": {
    "total_permissions": 8,
    "high_risk_permissions": 2,
    "host_permissions_scope": "all_urls",
    "dangerous_combinations": [
      {
        "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"],
        "risk": "Can intercept and modify all web traffic"
      }
    ]
  },
  "manifest_analysis": {
    "background_type": "service_worker",
    "content_scripts_count": 3,
    "uses_remote_code": false,
    "web_accessible_resources": true
  },
  "publisher_analysis": {
    "publisher_risk_level": "low",
    "is_verified": true,
    "total_extensions": 5,
    "malicious_history": false
  }
}
```
Finding Categories
| Category | Description |
|---|---|
| permissions | Permission-related risks |
| manifest | Manifest configuration issues |
| code | Suspicious code patterns |
| network | Network access concerns |
| privacy | Data privacy risks |
| publisher | Publisher reputation issues |
| behavior | Suspicious runtime behavior |
Severity Levels
| Severity | Description | Examples |
|---|---|---|
| info | Informational | Standard permissions, common patterns |
| low | Minor concern | Slightly broad permissions |
| medium | Moderate risk | Broad host permissions, unusual patterns |
| high | Significant risk | Dangerous permission combinations |
| critical | Immediate threat | Known malicious patterns, active threats |
Webhook-Triggered Analysis
For automated workflows, trigger analysis via webhook.
POST /api/v1/risk-engine/webhook/analyze
Request Headers
| Header | Description |
|---|---|
| X-Webhook-Secret | Your webhook secret for authentication |
Request Body
```json
{
  "extension_id": "blemhmgimpnomifkjoinlelbmgoljddm",
  "version": "3.14.2",
  "callback_url": "https://your-server.com/analysis-complete"
}
```
Response
```json
{
  "success": true,
  "data": {
    "analysis_id": "analysis-job-uuid",
    "status": "queued"
  }
}
```
When analysis completes, a callback will be sent to your URL:
```json
{
  "analysis_id": "analysis-job-uuid",
  "extension_id": "blemhmgimpnomifkjoinlelbmgoljddm",
  "version": "3.14.2",
  "status": "completed",
  "report": { ... }
}
```
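This page does not say how the callback is authenticated, so the added example below (not Extension Auditor code) treats the callback body as untrusted and accepts a report only when it matches an analysis this server actually triggered. The `PendingAnalyses` class, its one-hour expiry and the sample payloads are assumptions constructed for illustration.

```python
import time


class PendingAnalyses:
    """Tracks analyses this server triggered so callbacks can be matched to them."""

    def __init__(self, ttl_seconds=3600, clock=time.monotonic):
        self._pending = {}  # analysis_id -> (extension_id, version, deadline)
        self._ttl = ttl_seconds  # assumed upper bound on analysis time
        self._clock = clock

    def register(self, trigger_response, extension_id, version):
        """Record the analysis_id returned by the trigger call."""
        analysis_id = trigger_response["data"]["analysis_id"]
        self._pending[analysis_id] = (extension_id, version, self._clock() + self._ttl)
        return analysis_id

    def accept(self, callback):
        """Return (report, None) for an expected callback, else (None, reason)."""
        analysis_id = callback.get("analysis_id") if isinstance(callback, dict) else None
        if not isinstance(analysis_id, str) or analysis_id not in self._pending:
            return None, "unknown or already used analysis_id"
        extension_id, version, deadline = self._pending[analysis_id]
        if self._clock() > deadline:
            del self._pending[analysis_id]
            return None, "callback arrived after expiry"
        if (callback.get("extension_id"), callback.get("version")) != (extension_id, version):
            return None, "extension_id/version differ from the request"
        if callback.get("status") != "completed" or not isinstance(callback.get("report"), dict):
            return None, "not completed or report missing"
        del self._pending[analysis_id]  # one-time use, so a replayed callback is rejected
        return callback["report"], None


def demo():
    """Run constructed callbacks through the tracker and return each outcome."""
    ext, ver = "blemhmgimpnomifkjoinlelbmgoljddm", "3.14.2"
    tracker = PendingAnalyses()
    tracker.register({"success": True, "data": {"analysis_id": "analysis-job-uuid",
                                                 "status": "queued"}}, ext, ver)
    good = {"analysis_id": "analysis-job-uuid", "extension_id": ext, "version": ver,
            "status": "completed", "report": {"risk_score": 35, "risk_level": "medium"}}
    wrong_version = dict(good, version="9.9.9")
    unsolicited = dict(good, analysis_id="someone-elses-id")
    return [tracker.accept(c) for c in (unsolicited, wrong_version, good, good)]
```

In `demo()` only the third callback yields a report; the unsolicited ID, the mismatched version and the replay are each rejected with a reason that can be logged.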
Integration Examples
CI/CD Pipeline Check
```bash
#!/bin/bash
# Check extensions before deployment
# Fail closed: abort the pipeline if curl or jq fails or SESSION_COOKIE is unset
set -euo pipefail

EXTENSIONS=("ext1" "ext2" "ext3")

# -f makes curl exit non-zero on HTTP errors (401, 429, 5xx) instead of returning the error body
response=$(curl -fsS -X POST "https://extensionauditor.com/api/v1/risk-engine/bulk-analysis" \
  -H "Cookie: session=$SESSION_COOKIE" \
  -H "Content-Type: application/json" \
  -d "{\"extension_ids\": $(printf '%s\n' "${EXTENSIONS[@]}" | jq -R . | jq -s .)}")

# Check for high-risk extensions
high_risk=$(echo "$response" | jq '.data.results | map(select(.risk_level == "high" or .risk_level == "critical")) | length')

if [ "$high_risk" -gt 0 ]; then
  echo "High-risk extensions detected!"
  exit 1
fi

echo "All extensions passed security check"
```
Python Security Scanner
```python
import requests


def analyze_extensions(extension_ids, session_cookie):
    response = requests.post(
        'https://extensionauditor.com/api/v1/risk-engine/bulk-analysis',
        cookies={'session': session_cookie},
        json={
            'extension_ids': extension_ids,
            'include_signals': True,
            'confidence_threshold': 0.8
        },
        timeout=30,  # do not hang the scan if the service stalls
    )
    # Raise on 4xx/5xx (see Error Responses) instead of parsing an error body
    response.raise_for_status()
    data = response.json()

    # Flag high-risk extensions
    for result in data['data']['results']:
        if result['risk_level'] in ['high', 'critical']:
            print(f"WARNING: {result['extension_id']} is {result['risk_level']} risk")
            for signal in result['signals']:
                print(f"  - {signal['description']}")
    return data


# Usage
extensions = ['ext1', 'ext2', 'ext3']
results = analyze_extensions(extensions, 'your-session-cookie')
```
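In the Example Response on this page, the third requested ID appears only under `errors`, so a check that reads `results` alone would pass an extension that was never analyzed. The following added example (not part of the Extension Auditor API or its documentation) returns a decision for every requested ID and fails closed on errors, missing entries, and scores that fall outside the documented range for their level; the function name and the policy of blocking `high` and `critical` are assumptions.

```python
# Added example: fail-closed gate over a bulk-analysis response (not vendor code).
LEVEL_RANGES = {"low": (0, 25), "medium": (26, 50), "high": (51, 75), "critical": (76, 100)}
BLOCKING_LEVELS = {"high", "critical"}  # assumed policy


def evaluate_bulk_response(requested_ids, body):
    """Return {extension_id: (allowed, reason)} for every requested ID."""
    if not isinstance(body, dict) or body.get("success") is not True:
        return {eid: (False, "API call did not succeed") for eid in requested_ids}
    data = body.get("data") or {}
    results = {r.get("extension_id"): r for r in data.get("results", [])}
    errors = {e.get("extension_id"): e.get("error", "unknown error")
              for e in data.get("errors", [])}
    decisions = {}
    for eid in requested_ids:
        if eid in errors:  # listed under "errors": never analyzed, so not approved
            decisions[eid] = (False, f"not analyzed: {errors[eid]}")
            continue
        result = results.get(eid)
        if result is None:
            decisions[eid] = (False, "missing from response")
            continue
        level, score = result.get("risk_level"), result.get("risk_score")
        bounds = LEVEL_RANGES.get(level) if isinstance(level, str) else None
        if bounds is None or not isinstance(score, int) or not bounds[0] <= score <= bounds[1]:
            decisions[eid] = (False, f"score {score!r} does not match level {level!r}")
        elif level in BLOCKING_LEVELS:
            names = ", ".join(s.get("signal", "?") for s in result.get("signals", []))
            decisions[eid] = (False, f"{level} risk ({score}): {names}")
        else:
            decisions[eid] = (True, f"{level} risk ({score})")
    return decisions


# Constructed sample, trimmed from the Example Response on this page.
SAMPLE_IDS = ["blemhmgimpnomifkjoinlelbmgoljddm", "abcdefghijklmnopqrstuvwxyz123456",
              "zyxwvutsrqponmlkjihgfedcba654321"]
SAMPLE_BODY = {"success": True, "data": {
    "results": [
        {"extension_id": SAMPLE_IDS[0], "risk_score": 15, "risk_level": "low", "signals": []},
        {"extension_id": SAMPLE_IDS[1], "risk_score": 62, "risk_level": "high",
         "signals": [{"signal": "broad_host_permissions"}, {"signal": "obfuscated_code"}]},
    ],
    "errors": [{"extension_id": SAMPLE_IDS[2], "error": "Extension not found"}],
}}

if __name__ == "__main__":
    for ext_id, (allowed, reason) in evaluate_bulk_response(SAMPLE_IDS, SAMPLE_BODY).items():
        print("ALLOW" if allowed else "BLOCK", ext_id, reason)
```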
Error Responses
| Status Code | Description |
|---|---|
| 400 | Invalid request parameters |
| 401 | Authentication required |
| 404 | Extension version not found |
| 413 | Too many extensions (max 100) |
| 429 | Rate limit exceeded |
| 500 | Internal server error |
| 503 | Analysis service unavailable |
Rate Limits
| Operation | Limit |
|---|---|
| Single analysis | 20/min |
| Bulk analysis | 5/min |
| Webhook triggers | 10/min |
Next Steps
- Extensions API - Query extension data
- PermHash API - Permission pattern analysis
- Monitors API - Set up continuous monitoring
