From d652d9bc95de7e351c7ad12db45c04c32c6c51a4 Mon Sep 17 00:00:00 2001
From: Thom Espach
Date: Wed, 20 Nov 2024 11:45:15 +0000
Subject: [PATCH] Add address bar spoofing test (#243)
* Add address bar spoofing test
---
 security/address-bar-spoofing/index.html | 1 +
 .../address-bar-spoofing/server/routes.js | 7 ++-
 .../spoof-new-window.html | 45 +++++++++++++++++++
 server.js | 6 ---
 4 files changed, 52 insertions(+), 7 deletions(-)
 create mode 100644 security/address-bar-spoofing/spoof-new-window.html
diff --git a/security/address-bar-spoofing/index.html b/security/address-bar-spoofing/index.html
index c85c9c6..ce021c2 100644
--- a/security/address-bar-spoofing/index.html
+++ b/security/address-bar-spoofing/index.html
@@ -19,6 +19,7 @@

Address Bar Spoofing Pages

  • Base64 HTML Loading Spoof
  • Unsupported URL Scheme Spoof
  • Long Loading Request Rewrite
  • +
  • New Window Rewrite
  • 
diff --git a/security/address-bar-spoofing/server/routes.js b/security/address-bar-spoofing/server/routes.js
index 0af2166..8a393a2 100644
--- a/security/address-bar-spoofing/server/routes.js
+++ b/security/address-bar-spoofing/server/routes.js
@@ -3,8 +3,13 @@ const router = express.Router();
 // Returns a 301 redirect to a download link of our browser
 // for use in the download path test
-router.get('/', (req, res) => {
+router.get('/download-redirect', (req, res) => {
 res.redirect(301, 'https://staticcdn.duckduckgo.com/macos-desktop-browser/duckduckgo.dmg');
 });
+// Returns a 204 no content
+router.get('/no-content', (req, res) => {
+ res.status(204).send();
+});
+
 module.exports = router;
diff --git a/security/address-bar-spoofing/spoof-new-window.html b/security/address-bar-spoofing/spoof-new-window.html
new file mode 100644
index 0000000..b5b771c
--- /dev/null
+++ b/security/address-bar-spoofing/spoof-new-window.html
@@ -0,0 +1,45 @@ + + + + + + URL Spoofing - New Window Rewrite + + + + +
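Review bot: Renaming the handler path from `/` to `/download-redirect` only preserves the public URL if this router is mounted at `/security/address-bar-spoofing`, and that mount is not in the hunk while the same patch deletes the absolute `app.get('/security/address-bar-spoofing/download-redirect', …)` from server.js; a comment above the handler such as `// Mounted under /security/address-bar-spoofing by server.js; keep the mount prefix in sync` would make the dependency explicit. The handler also answers with a 301, which clients are allowed to cache without any freshness header, so a later change of the `.dmg` target may never reach a browser that ran the test once; for a test fixture `res.redirect(302, …)` or an explicit `Cache-Control: no-store` is the safer choice. The new `/no-content` route's comment says what it returns but not which test relies on a 204 (presumably the new-window spoof page added in this patch, though its script is not visible here); naming the consumer in that comment would keep the route from being mistaken for dead code.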

    [Back]

    + + This test will try to confuse the browser to show the wrong domain in the URL bar by opening a new window
+ and then rewriting the location of the new window from the parent. The new window will show a message that
+ the address bar has been spoofed. Tap "New Window", then return to this tab, and tap "Spoof" to see the
+ address bar change to "https://broken.third-party.site". If it doesn't show as such, the browser is not
+ vulnerable to this attack. Note: this won't work if run from broken.third-party.site. Ensure it is run from
+ another origin such as https://privacy-test-pages.site. + + + + + +
\ No newline at end of file
diff --git a/server.js b/server.js
index 90e495a..0d883d9 100644
--- a/server.js
+++ b/server.js
@@ -255,12 +255,6 @@ app.get('/redirect', (req, res) => {
 res.end();
 });
-// Returns a 301 redirect to a download link of our browser
-// for use in the address bar spoofing test
-app.get('/security/address-bar-spoofing/download-redirect', (req, res) => {
- res.redirect(301, 'https://staticcdn.duckduckgo.com/macos-desktop-browser/duckduckgo.dmg');
-});
-
 app.use('/content-scope-scripts/', express.static('node_modules/@duckduckgo/content-scope-scripts/integration-test/test-pages/'));
 const blockingRoutes = require('./privacy-protections/request-blocking/server/routes');