Why use Chromium for Web Application Testing ?
The primary reason I use Chromium is for DOM based XSS testing which as far as I know cannot be disabled in Firefox. If you have never heard of Chromium it’s the opensource version of Google Chrome and doesn’t have flash player built in and various other codecs such as: AAC, H.264, and MP3 Support.
It’s possible to disable all security features in Chromium or Chrome using the switch
--disable-web-security, this will disable all security options and allow you to test for DOM based XSS.
Kali Install Chromium Browser
Chromium exists within the Kali repositories and can be installed using:
Chromium Won’t Launch on Kali
By default chromium won’t launch on Kali Linux, this is due to chromium running as the root user. You can fix this by opening
/etc/chromium.d/default-flags in vim and adding the following lines:
This disables the
sandboxing, disabling sandboxing will have some obvious security issues but this browser is for web application penetration testing only.
Chromium Setup for Web Application Testing
In order to use chromium for Web Application Penetration Testing you need to disable all the security features, allowing for DOM based XSS testing in chromium.
Complete Chromium Config
What my entire Chromium config looks like:
Kali Chromium Error: You Are using an Unsupported Command line flag –disable-web-security. Security and Stability will suffer
Ignore the following error, Chromium still process DOM based XSS. The same error occurs in Google Chrome.