• Stars
    star
    143
  • Rank 257,007 (Top 6 %)
  • Language
    HTML
  • License
    Apache License 2.0
  • Created about 6 years ago
  • Updated almost 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Trickuri

Manual tests for URL Spoofing scenarios

This tool is designed to allow testing of applications' display of URLs.

Background

URLs are often the only source of identity information available when making security decisions in a web browser or other context, but URL syntax is complicated and subject to a wide variety of spoofing attacks. The Chromium project maintains a set of URL display guidelines that covers best practices and pitfalls of URL display. Trickuri allows easy exercise of common sources of spoofing vulnerabilities to ensure applications are robust in their display of URLs.

Implementation

Trickuri is configured as a proxy server for the client application under test. All of the client's HTTP requests are sent to the proxy. The proxy returns HTML content such that the behavior of the client application can be tested. For instance, for Chrome itself, the tester can examine the content of the omnibox to verify that the origin is visible and unambiguously identified to the user.

Testcases

Files in the testcases folder will be served as if they were served from any URL, i.e. with the proxy running, visiting example.com/samplepathtest will serve testcases/samplepathtest. Additional test cases can be added to the testcases folder.

Running

To run Trickuri, run go run trickuri.go in the source directory.

Proxy configuration

The proxy may be configured in one of two ways:

  1. As a "static proxy", running on port 1270 (by default) of the machine running the proxy.
  2. As an "autoconfigured proxy" where the client pulls http://<IP/hostname of computer running Trickuri>:1270/proxy.pac as the proxy determination script.

The advantage of the latter configuration is that it allows the proxy to specify that it should be bypassed for certain URLs, e.g. those used by SafeBrowsing, component updates, etc. Such bypasses help limit the impact of the proxy on the system under test.

See https://www.chromium.org/developers/design-documents/network-settings for instructions on configuring proxy settings if you are testing Chrome with Trickuri.

Certificate configuration

In order for the tool to be able to intercept HTTPS requests, its root certificate needs to be trusted by the application being tested. If you are testing Chrome, this means that you should import the Trickuri root certificate into your OS trust store. The root certificate can be downloaded from http://localhost:1270/root.cer once Trickuri is running.

Flags

-p Sets the port in which the tool will listen, defaults to 1270.

-h Sets the port for the https server, defaults to 8443.

-d Sets the directory for certificate storage, defaults to ~/.config/trickuri

-t Sets the directory for index.html file and web-feature-tests, defaults to ./

More Repositories

1

chromium

The official GitHub mirror of the Chromium source
15,034
star
2

badssl.com

πŸ”’ Memorable site for testing clients against bad SSL configs.
HTML
2,807
star
3

-archived-chromium

Old and archived, see https://github.com/chromium/chromium instead.
1,721
star
4

permission.site

A site to test the interaction of web APIs and browser permissions.
JavaScript
1,180
star
5

hstspreload.org

πŸ”’ Chromium's HSTS preload list submission website.
Go
775
star
6

dom-distiller

Distills the DOM
Java
607
star
7

ballista

An interoperability system for the modern web.
JavaScript
537
star
8

crashpad

A crash-reporting system
C++
416
star
9

hterm

MOVED: Please use the new libapps repo on chromium.googlesource.com instead
JavaScript
338
star
10

vs-chromium

A Visual Studio extension containing a collection of tools to help contributing code to the Chromium project.
C#
279
star
11

pdfium

The PDF library used by the Chromium project
C++
254
star
12

mini_chromium

A small collection of useful low-level (β€œbase”) routines from Chromium
C++
249
star
13

web-page-replay

DEPRECATED - Use WebPageReplayGo instead:
Python
233
star
14

octane

The JavaScript Benchmark Suite for the modern web
JavaScript
178
star
15

hstspreload

πŸ”’πŸ” A Go package to scan sites against requirements for Chromium-maintained HSTS preload list.
Go
114
star
16

suspicious-site-reporter

Extension for reporting suspicious sites to Safe Browsing.
JavaScript
89
star
17

subspace

A concept-centered standard library for C++20, enabling safer and more reliable products and a more modern feel for C++ code.; Also home of Subdoc the code-documentation generator.
C++
88
star
18

gyp

GYP is a Meta-Build system: a build system that generates other build systems.
Python
75
star
19

caterpillar

Project to investigate porting Chrome Apps to websites.
Python
56
star
20

axiom

Axiom Project
JavaScript
51
star
21

vim-codesearch

Vim integration for Chromium Codesearch at https://cs.chromium.org
Python
39
star
22

crsym

Go
34
star
23

mus-preso

Public mus presentations
JavaScript
33
star
24

chromium-ads-detection

28
star
25

content_analysis_sdk

This repository contains the SDK that DLP agents may use to become service providers for the Google Chrome Content Analysis Connector.
C++
24
star
26

codesearch-py

Python library for accessing Chromium CodeSearch via https://cs.chromium.org
Python
23
star
27

auto-zoom

Automatically zoom web pages based on their content
JavaScript
21
star
28

blink-intent-tracker

A service to automatically track blink-dev intents.
Python
20
star
29

dom-distiller-dist

Distribution packages for DOM Distiller (https://github.com/chromium/dom-distiller).
JavaScript
19
star
30

permissions.request

A polyfill for the navigator.permissions.request() API
TypeScript
14
star
31

requestautocomplete-magento-extension

Magento extension for requestAutocomplete
JavaScript
14
star
32

ozone-client

Example external ozone platform implementation offering RFB access to an ozone content shell.
Python
10
star
33

ACDC4GC

JavaScript
9
star
34

eclipse-gn

GN meta-build language support for the Eclipse IDE
Java
6
star