Add extra phishing detection test pages (#217)

* Add extra phishing detection test pages

* Add meta refresh and URL tampering test cases.

* Add URL capitalization tampering case

* Add form submission, iframe top navigator and service worker test cases.

index.html

@@ -61,8 +61,8 @@ <h2>Security</h2>
 	<li><a href="./security/dos-reload.html">Infinite location.reload() loop</a></li>
 	<li><a href="./security/csp-report/index.html">Leak of extension IDs via CSP</a></li>
 	<li><a href="./security/js-leaks.html">Detect changes to JS objects in global scope</a></li>
-	<li><a href="./security/badware/phishing.html">An example phishing page</a></li>
 	<li><a href="./security/popups/popup-launcher.html">Popup noopener/noreferrer tests</a></li>
+	<li><a href="./security/badware/">Phishing Detection Pages</a></li>
 </ul>
 
 <h2>Privacy Protections Tests</h2>

security/badware/index.html

@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="UTF-8">
+    <title>Test Pages - Phishing Detection</title>
+</head>
+
+<body>
+    <h1>Phishing Detection Test Pages</h1>
+    <a href="/">[Home]</a>
+    <ul>
+        <li><a href="./phishing.html">Standard Phishing Test</a></li>
+        <li><a href="./phishing-iframe-loader.html">Phishing iFrame Loader</a></li>
+        <li><a href="./phishing-js-redirector-helper.html">Phishing JS Redirector (Direct)</a></li>
+        <li><a href="./phishing-js-redirector.html">Phishing JS Redirector (Indirect)</a></li>
+        <li><a href="./phishing-legit-iframe-loader.html">Phishing Legit iFrame Loader</a></li>
+        <li><a href="./phishing-meta-redirect-clean.html">Phishing Redirect via Meta Refresh (Not Flagged in Dataset)</a></li>
+        <li><a href="./phishing-meta-redirect.html">Phishing Redirect via Meta Refresh (Flagged in Dataset)</a></li>
+        <li><a href="./phishing-popups.html">Phishing Open via Popups</a></li>
+        <li><a href="./phishing-url-tampering.html">Phishing Opening with URL Tampering</a></li>
+        <li><a href="./phishing-form-submission.html">Phishing Form Submission</a></li>
+        <li><a href="./phishing-iframe-top-navigator.html">Phishing iFrame Top Navigator</a></li>
+        <li><a href="./phishing-service-worker.html">Phishing Service Worker</a></li>
+        <li><a href="./phishing-iframe-top-navigator-parent.html">Phishing iFrame Top Navigator Parent</a></li>
+        <li><a href="/security/badware/phishing-redirect/">HTTP 301 Redirect to Main Phishing Test Page</a></li>
+        <li><a href="/security/badware/phishing-redirect/302">HTTP 302 Redirect to Main Phishing Test Page</a></li>
+        <li><a href="/security/badware/phishing-redirect/js">HTTP Redirect to Phishing JS Redirector (Indirect)</a></li>
+        <li><a href="/security/badware/phishing-redirect/js2">HTTP Redirect to Phishing JS Redirector (Direct)</a></li>
+        <li><a href="/security/badware/phishing-redirect/iframe">HTTP Redirect to Phishing iFrame Loader</a></li>
+        <li><a href="/security/badware/phishing-redirect/iframe2">HTTP Redirect to Phishing Legit iFrame Loader</a></li>
+        <li><a href="/security/badware/phishing-redirect/meta">HTTP Redirect to Clean Meta Refresh Redirector</a></li>
+        <li><a href="/security/badware/phishing-redirect/meta2">HTTP Redirect to Flagged Meta Refresh Redirector</a></li>
+
+    </ul>
+</body>
+
+</html>

security/badware/phishing-form-submission.html

@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <title>Phishing Form Submission</title>
+</head>
+
+<body>
+    <p><a href="./index.html">[Back]</a></p>
+
+    <h1>Phishing Page Form Submission</h1>
+
+    <p>This is an example page that, although it is not in our phishing dataset, it submits a form to an endpoint that is in our phishing dataset. If you arrive here by mistake; there's nothing to worry about, we just use this page to test if our
+        client blocking is working.</p>
+    <form method="post" action="/security/badware/phishing-redirect/form">
+        <input type="hidden" name="phishing" value="true">
+        <input type="submit" value="Submit">
+    </form>
+</body>
+
+</html>

security/badware/phishing-iframe-loader.html

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>Phishing page loaded in iframe</title>
+</head>
+<body>
+<p><a href="./index.html">[Back]</a></p>
+
+<h1>Phishing Page iFrame Loader</h1>
+
+<p>This is an example page that, although it is not in our phishing dataset, it loads a test phishing page in an iframe. If you arrive here by mistake; there's nothing to worry about, we just use this page to test if our client blocking is working.</p>
+<iframe src="https://bad.third-party.site/security/badware/phishing.html" width="100%" height="500" title="Phishing Page"></iframe>
+</body>
+</html>

security/badware/phishing-iframe-top-navigator-parent.html

@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>Phishing Page iFrame Top Navigator</title>
+    <script>
+        if (window.top !== window.self) {
+            window.top.location.href = "https://bad.third-party.site/security/badware/phishing.html";
+        }
+    </script>
+</head>
+<body>
+<p><a href="./index.html">[Back]</a></p>
+
+<h1>Phishing Page iFrame Top Navigator Parent</h1>
+
+<p>This is an example page that, although it is not in our phishing dataset, it loads an iframe that performs a top-navigation to a phishing page. If you arrive here by mistake; there's nothing to worry about, we just use this page to test if our client blocking is working.</p>
+<iframe src="https://bad.third-party.site/security/badware/phishing-iframe-top-navigator.html" width="100%" height="500" title="Phishing Page"></iframe>
+</body>
+</html>

security/badware/phishing-iframe-top-navigator.html

@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>Phishing Page iFrame Top Navigator</title>
+    <script>
+        if (window.top !== window.self) {
+            window.top.location.href = "https://bad.third-party.site/security/badware/phishing.html";
+        }
+    </script>
+</head>
+<body>
+<p><a href="./index.html">[Back]</a></p>
+
+<h1>Phishing Page iFrame Top Navigator</h1>
+
+<p>This is an example page that, although it is not in our phishing dataset, when iframed, it performs a top-navigation to a phishing page. If you arrive here by mistake; there's nothing to worry about, we just use this page to test if our client blocking is working.</p>
+
+</body>
+</html>

security/badware/phishing-js-redirector-helper.html

@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>Phishing page with JS redirect loop - helper page</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        window.location = '/security/badware/phishing.html';
+    </script>
+</head>
+<body>
+<p><a href="./index.html">[Back]</a></p>
+
+<h1>Phishing Page JS Redirects (Direct)</h1>
+
+<p>This is a helper page that is used to redirect to a page that should be classified as phishing. This page itself should not be classified as phishing in our datasets, but since it redirects to a page that is, the error page should still be shown. If you arrive here by mistake; there's nothing to worry about, we just use this page to test if our client blocking is
+working.</p>
+</body>
+</html>

security/badware/phishing-js-redirector.html

@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>Phishing page with JS redirect loop</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        window.location = '/security/badware/phishing-js-redirector-helper.html';
+    </script>
+</head>
+<body>
+<p><a href="./index.html">[Back]</a></p>
+
+<h1>Phishing Page JS Redirects (Indirect)</h1>
+
+<p>This is an example phishing page that attempts to load legitimate iframes to trick the browser into incorrectly classifying the page as legitimate when it should be classed as malware. If you arrive here by mistake; there's nothing to worry about, we just use this page to test if our client blocking is
+working.</p>
+</body>
+</html>

security/badware/phishing-legit-iframe-loader.html

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>Phishing page loaded in iframe</title>
+</head>
+<body>
+<p><a href="./index.html">[Back]</a></p>
+
+<h1>Phishing Page - iFrame Spoofing</h1>
+
+<p>This is an example phishing page that attempts to load legitimate iframes to trick the browser into incorrectly classifying the page as legitimate when it should be classified as phishing. If you arrive here by mistake; there's nothing to worry about, we just use this page to test if our client blocking is
+working.</p>
+<iframe src="/" width="100%" height="500" title="Phishing Page"></iframe>
+<iframe src="about:blank" width="100%" height="500" title="Phishing Page"></iframe>
+</body>
+</html>

security/badware/phishing-meta-redirect-clean.html

@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta http-equiv="refresh" content="0;url=/security/badware/phishing.html">
+    <title>Phishing page</title>
+</head>
+
+<body>
+    <p><a href="./index.html">[Back]</a></p>
+
+    <h1>Phishing Redirect via Meta Refresh</h1>
+
+    <p>This is an example page that loads a phishing page via a meta refresh to test how the browser responds. If you arrive here by mistake; there's
+        nothing to worry about, we just use this page to test if our client blocking is working.</p>
+
+</body>
+
+</html>

security/badware/phishing-meta-redirect.html

@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta http-equiv="refresh" content="0;url=/security/badware/phishing.html">
+    <title>Phishing page</title>
+</head>
+
+<body>
+    <p><a href="./index.html">[Back]</a></p>
+
+    <h1>Phishing Redirect via Meta Refresh</h1>
+
+    <p>This is an example page that loads a phishing page via a meta refresh to test how the browser responds. If you arrive here by mistake; there's
+        nothing to worry about, we just use this page to test if our client blocking is working.</p>
+
+</body>
+
+</html>

security/badware/phishing-popups.html

@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <title>Phishing Page via Popups</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        function openPopup(target) {
+            window.open('/security/badware/phishing.html', target);
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="./index.html">[Back]</a></p>
+
+    <h1>Phishing Page Opener via Popups</h1>
+
+    <p>This is an example page that opens phishing pages via various pop-ups with different target types to test the in-browser phishing detection blocking. If you arrive here by mistake; there's nothing to worry about, we just use this page to test if our client blocking is
+    working.</p>
+
+    <h2>Test Popups</h2>
+    <button onclick="openPopup('_blank')">Open Phishing Popup (_blank)</button>
+    <button onclick="openPopup('_self')">Open Phishing Popup (_self)</button>
+    <button onclick="openPopup('_parent')">Open Phishing Popup (_parent)</button>
+    <button onclick="openPopup('_top')">Open Phishing Popup (_top)</button>
+    <button onclick="openPopup('')">Open Phishing Popup (no target)</button>
+    <button onclick="openPopup('invalid')">Open Phishing Popup (invalid target)</button>
+</body>
+
+</html>

security/badware/phishing-service-worker.html

@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <title>Phishing Page Service Worker</title>
+    <script>
+        if ('serviceWorker' in navigator) {
+            window.addEventListener('load', () => {
+                navigator.serviceWorker.register('/security/badware/service-worker.js')
+                    .then(registration => {
+                        console.log('Service Worker registered with scope:', registration.scope);
+                    })
+                    .catch(error => {
+                        console.error('Service Worker registration failed:', error);
+                    });
+            });
+
+            navigator.serviceWorker.addEventListener('message', event => {
+                console.log('Message from Service Worker:', event.data);
+            });
+
+            document.addEventListener('click', function (event) {
+                if (event.target.id === 'navigate') {
+                    if (navigator.serviceWorker.controller) {
+                        navigator.serviceWorker.controller.postMessage('navigate');
+                    } else {
+                        console.error('No active Service Worker controller found.');
+                    }
+                }
+            });
+
+            document.addEventListener('click', function (event) {
+                if (event.target.id === 'fetch') {
+                    if (navigator.serviceWorker.controller) {
+                        navigator.serviceWorker.controller.postMessage('fetch');
+                    } else {
+                        console.error('No active Service Worker controller found.');
+                    }
+                }
+            });
+        }
+    </script>
+</head>
+
+<body>
+    <p><a href="./index.html">[Back]</a></p>
+
+    <h1>Phishing Page Service Worker</h1>
+
+    <p>This is an example page that attempts to abuse a service worker to navigate to a phishing page. If you arrive
+        here by mistake; there's
+        nothing to worry about, we just use this page to test if our client blocking is working.</p>
+    <button id="navigate">Service Worker Navigate</button>
+    <button id="fetch">Service Worker Fetch</button>
+</body>
+
+</html>

security/badware/phishing-url-tampering.html

@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Phishing Page with URL Tampering</title>
+  <script>
+    // eslint-disable-next-line no-unused-vars
+    function injectedWhitespace() {
+      // Inject tab (0x09), CR (0x0d), and LF (0x0a) characters into the URL to bypass phishing detection
+      window.location = '/security/badware/phishing.html\t\r\n';
+    }
+
+    function injectedMiddleWhitespace() {
+      // Inject tab (0x09), CR (0x0d), and LF (0x0a) characters into the URL to bypass phishing detection
+      window.location = '/security/badware/\t\r\n\tphishing.html';
+    }
+
+    function injectedFragments() {
+      // Inject #frags into the URL to bypass phishing detection
+      window.location = '/security/badware/phishing.html#frags';
+    }
+
+    function injectedDoublePaths() {
+      // Inject "/../" in the path to bypass phishing detection
+      window.location = '/security/../security/badware/phishing.html';
+    }
+
+    function injectedSinglePaths() {
+      // Inject /./ in the path to bypass phishing detection
+      window.location = '/security/./badware/phishing.html';
+    }
+
+    function percentEncodeURL() {
+      // Inject percent-encoded characters into the URL to bypass phishing detection
+      window.location = "/%73%65%63%75%72%69%74%79/%62%61%64%77%61%72%65/%70%68%69%73%68%69%6e%67%2e%68%74%6d%6c"
+    }
+
+    function capitalizeURL() {
+      // Capitalize the URL to bypass phishing detection
+      window.location = '/SECURITY/BADWARE/PHISHING.HTML';
+    }
+  </script>
+</head>
+<body>
+  <p><a href="./index.html">[Back]</a></p>
+
+<h1>Phishing Opening via URL Tampering</h1>
+
+<p>This is an example malicious page that attempts to open phishing pages with tampered URLs to bypass the phishing detection logic. If you arrive here by mistake; there's nothing to worry about, we just use this page to test if our client blocking is working.</p>
+<button onclick="injectedWhitespace()">Injected Whitespace</button>
+<button onclick="injectedMiddleWhitespace()">Injected Middle Whitespace</button>
+<button onclick="injectedFragments()">Injected Fragments</button>
+<button onclick="injectedDoublePaths()">Injected Double Paths</button>
+<button onclick="injectedSinglePaths()">Injected Single Paths</button>
+<button onclick="percentEncodeURL()">Percent Encode URL</button>
+<button onclick="capitalizeURL()">Capitalize URL</button>
+</body>
+</html>