Update links between security tests. (#172)
The [Home] links on the security pages were broken (pointing to security/index.html, which returns 404).
The base64 encoded HTML loading address bar spoofing vulnerability had a timeout of 2 seconds which was too long and caused the UI tests to fail - setting them to 600ms instead.
not-a-rootkit committed Nov 15, 2023
1 parent 9ed4220 commit 64f9f69
Showing 11 changed files with 13 additions and 12 deletions.
1 change: 1 addition & 0 deletions security/address-bar-spoofing/index.html
Expand Up @@ -6,6 +6,7 @@
</head>
<body>
<h1>Address Bar Spoofing Pages</h1>
<a href="/">[Home]</a>
<ul>
<li><a href="/security/address-bar-spoofing/spoof-about-blank-rewrite.html">About:Blank Rewrite Spoof</a></li>
<li><a href="/security/address-bar-spoofing/spoof-application-scheme.html">Unsupported Application Scheme Spoof</a></li>
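Review bot: the new `<a href="/">[Home]</a>` line sits bare between the `<h1>` and the `<ul>`, while the test pages in this directory wrap their navigation link in a paragraph (`<p><a href="./index.html">[Back]</a></p>`). Wrapping it in `<p>` here as well would keep the markup consistent across the pages. The root-absolute `/` matches the absolute hrefs already used in the list below it, so both assume the site is served from the host root.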
Expand Up @@ -19,7 +19,7 @@
</head>

<body>
<p><a href="../index.html">[Home]</a></p>
<p><a href="./index.html">[Back]</a></p>
This test will try to confuse the browser to show the wrong domain in the URL bar by opening an about:blank page,
rewriting the content, starting a navigation elsewhere and quickly stopping the
navigation using window.stop().
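Review bot: on the changed link line, `href="./index.html"` now points at the directory index, which is the right target, but the page no longer carries a `[Home]` link at all; the only route to the site root is through the `[Home]` link on the index page. If that two-step navigation is intended, fine; otherwise keep an `<a href="/">[Home]</a>` next to `[Back]`. The identical swap is repeated in the other test pages in this commit, and since the old target returned 404 according to the commit message, a link check over these pages in CI would catch a regression.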
Expand Up @@ -15,7 +15,7 @@
</head>

<body>
<p><a href="../index.html">[Home]</a></p>
<p><a href="./index.html">[Back]</a></p>
This test uses an unsupported application scheme and a href target to trick the browser into displaying the href
target as the current address bar value, while actually navigating to an attacker controlled page.
<a id="run" href="https://duckduckgo.com:" target="aa" onclick="setTimeout('run()',100)">
2 changes: 1 addition & 1 deletion security/address-bar-spoofing/spoof-basicauth-2028.html
Expand Up @@ -14,7 +14,7 @@
</head>

<body>
<p><a href="../index.html">[Home]</a></p>
<p><a href="./index.html">[Back]</a></p>
This test uses a unicode whitespace character (\u2028) inside the username field of the basicauth portion
of the URL to perform an address bar spoofing attack.
<button id="run" onclick="run()">run</button>
2 changes: 1 addition & 1 deletion security/address-bar-spoofing/spoof-basicauth-2029.html
Expand Up @@ -14,7 +14,7 @@
</head>

<body>
<p><a href="../index.html">[Home]</a></p>
<p><a href="./index.html">[Back]</a></p>
This test uses a unicode whitespace character (\u2029) inside the username field of the basicauth portion
of the URL to perform an address bar spoofing attack.
<button id="run" onclick="run()">run</button>
Expand Up @@ -15,7 +15,7 @@
</head>

<body>
<p><a href="../index.html">[Home]</a></p>
<p><a href="./index.html">[Back]</a></p>
This test uses 300 repeated unicode whitespace characters inside the username field of the basicauth portion
of the URL to perform an address bar spoofing attack.
<button id="run" onclick="run()">run</button>
2 changes: 1 addition & 1 deletion security/address-bar-spoofing/spoof-form-action.html
Expand Up @@ -15,7 +15,7 @@
</head>

<body>
<p><a href="../index.html">[Home]</a></p>
<p><a href="./index.html">[Back]</a></p>
This test uses a form action on a redirect URL to trick the browser into displaying the
redirect URL as the current address bar value, while trying to remain on the current page.
<button id="run" onclick="run()">run</button>
2 changes: 1 addition & 1 deletion security/address-bar-spoofing/spoof-js-download-url.html
Expand Up @@ -17,7 +17,7 @@
</head>

<body>
<p><a href="../index.html">[Home]</a></p>
<p><a href="./index.html">[Back]</a></p>
This test uses a download URL for downloading a file to spoof the browser into displaying the download
URL as the current origin while rewriting the document content to spoof the address bar.
<button onclick="run()">Start</button>
2 changes: 1 addition & 1 deletion security/address-bar-spoofing/spoof-js-page-rewrite.html
Expand Up @@ -15,7 +15,7 @@
</head>

<body>
<p><a href="../index.html">[Home]</a></p>
<p><a href="./index.html">[Back]</a></p>

This test will try to confuse the browser to show the wrong domain in the URL bar by rewriting the current page
content and loading a URL that will timeout.
6 changes: 3 additions & 3 deletions security/address-bar-spoofing/spoof-open-b64-html.html
Expand Up @@ -13,14 +13,14 @@
w.location = 'tel://duckduckgo.com'
setTimeout(function () {
w.history.back()
}, 2100)
}, 2000)
}, 600)
}, 500)
}
</script>
</head>

<body>
<p><a href="../index.html">[Home]</a></p>
<p><a href="./index.html">[Back]</a></p>

This test will try to confuse the browser to show the wrong domain in the URL bar by loading a static Base64
encoded document, rewriting the current page, and then navigating to a tel: URL.
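Review bot: the new delays `}, 600)` and `}, 500)` in the script are undocumented magic numbers, and nothing in the file says what they have to allow for. According to the commit message the earlier values were shortened because they made the UI tests fail, so these are tuned to the test runner's time budget; on a slow device the `w.location = 'tel://duckduckgo.com'` navigation may not have been processed before `w.history.back()` fires, which would change what the test exercises. Name the two delays as constants with a comment stating the constraint, and note that the commit message mentions only 600ms while the outer delay is 500.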
Expand Up @@ -14,7 +14,7 @@
</head>

<body>
<p><a href="../index.html">[Home]</a></p>
<p><a href="./index.html">[Back]</a></p>

This is the most simple test for URL spoofing. Simply rewrite the current location using an unsupported scheme.
