The first time I used Chrome during a web application security review I had a rather unpleasant surprise. I had audited applications from the same developers before and found countless XSS errors. This time it looked like they had fixed all those problems! Little did I know that Chrome was actually performing filtering for reflected XSS attacks, and it wasn’t the developers. I almost got bitten hard by missing a lot of vulnerabilities and afterwards I just avoided Chrome completely for any type of testing. I also rely very heavily on a few FireFox plugins: Firebug, Web Developer, and Tamperdata are just a few examples, but in Chrome’s early days there just weren’t a lot of plugins.
There were other plugins missing from Chrome that I don’t use for security testing, but I use for everyday web surfing. There are a few absolutely necessary plugins for performing any sort of general browsing: NoScript and Ad Block Plus. I heavily rely on these in Firefox.
It’s been a few years and I guess it’s time to have another look.
General Settings:
- The first problem to tackle is the Cross Site Scripting Auditor. Fortunately there is a command line flag that disables the functionality: –disable-xss-auditor. Simple enough.
- The next problem is that Chrome uses the system proxy settings (in both Windows and Mac OS) which can be problematic for me (sometimes I will have several browsers running at the same time–I don’t use the same browser for testing and general surfing, mostly because it can create a lot of noise in an intercepting proxy.) There is a command line switch for this too: –proxy-server=host:port
C:\Users\<Your UserName Here>\AppData\Local\Google\Chrome\Application\chrome.exe --args --disable-xss-auditor --proxy-server=127.0.0.1:8081
#!/bin/bash
# Kill any running instances.
kill `ps |grep 'Chrome.app/Contents/MacOS/Google Chrome' |grep -v grep | awk '{print $1}'`
sleep 3
# Respawn with XSS disabled . . .
nohup /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --disable-xss-auditor > /dev/null &
exit
- Finally I don’t want to leak any URLs or end up with extraneous traffic going to Safebrowsing etc. These can be configured within Chrome’s settings panel (chrome://settings/advanced) by unchecking all of the Privacy options. For example . . .
Plugins:
Chrome still doesn’t have all the plugins that I would like to see. There are some nice fuzzers like SQL Inject Me, and the ability to modify parameters, and headers in real time that are lacking. (There is actually a plugin, Request Maker, that claims to be an analogue to TamperData, but it didn’t work consistently for me. It’s one to watch though. For now I’ll stick to using ZAP as a proxy.)
- Built-in to Chrome is “Developer Tools” which is very much like FireBug in its abilities and functionality. It even adds the ability to view (but, unfortunately not intercept and modify) the raw HTTP requests. You can set JavaScript breakpoints, and modify scripts, CSS content, and data within a page dynamically. Very useful for playing with client-side and AJAX type applications.
- There is a port of Web Developer too, I find it particularly useful for playing with forms, finding hidden fields, and finding other hidden elements within a page.
- Finally for my favorite browsing plugins:
- In place of FireFox’s NoScript is the Chrome ScriptNo plugin. It has a few quirks, and still has some growing up to do, but it makes some of the more questionable sites I visit much safer.
- And AdBlockPlus has been ported over too. If you aren’t using this plugin, the web is a messy and distracting place to be.
One Response to “Using Google Chrome for Security Testing”
Sorry, the comment form is closed at this time.
There are many more commandline options available, many of which have the ability to eliminate false-negative problems when testing for web application vulnerabilities. Use the source . . .
http://src.chromium.org/svn/trunk/src/chrome/common/chrome_switches.cc