HowTo: Kali Linux Chromium Install for Web App Pen Testing

Why use Chromium for Web Application Testing?

The primary reason I use Chromium is for DOM based XSS testing, which as far as I know cannot be disabled in Firefox. If you have never heard of Chromium, it’s the open-source version of Google Chrome; it doesn’t have Flash Player built in, nor various codecs such as AAC, H.264, and MP3 support.

It’s possible to disable all security features in Chromium or Chrome using the switch --disable-web-security. This will disable all security options and allow you to test for DOM based XSS.

Kali Install Chromium Browser

Chromium exists within the Kali repositories and can be installed using:

apt-get install chromium

Chromium Won’t Launch on Kali

By default Chromium won’t launch on Kali Linux because it is running as the root user. You can fix this by opening /etc/chromium.d/default-flags in vim and adding the following lines:

# Run as root Kali
export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --password-store=detect --no-sandbox --user-data-dir"

This disables the user-data-dir and sandboxing. Disabling sandboxing has some obvious security issues, but this browser is for web application penetration testing only.

Chromium Setup for Web Application Testing

In order to use Chromium for web application penetration testing you need to disable all the security features, allowing for DOM based XSS testing in Chromium. Add the following to the same default-flags file:

# Disable Chromium security features for web app testing
export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --disable-web-security"

Complete Chromium Config

What my entire Chromium config looks like:

# A set of command line flags that we want to set by default.

# Do not hide any extensions in the about:extensions dialog
export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --show-component-extension-options"

# Don't use the GPU blacklist (bug #802933)
export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --ignore-gpu-blacklist"

# Run as root Kali
export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --password-store=detect --no-sandbox --user-data-dir"

# Disable Chromium security features for web app testing
export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --disable-web-security"
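
A check for whether a flags file still carries the sandbox and web-security switches from the config above, with the line each one is set on. This is an added example, not part of the original post; the function name audit_chromium_flags and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Chromium flags file,
# such as /etc/chromium.d/default-flags, for the weakening switches used here.

# audit_chromium_flags FILE
# Prints "file:line: switch (effect)" for each risky switch on a non-comment line.
# Returns 0 if none are set, 1 if any are set, 2 if FILE cannot be read.
audit_chromium_flags() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        BEGIN {
            why["--no-sandbox"]           = "renderer sandbox disabled"
            why["--disable-web-security"] = "same-origin policy not enforced"
        }
        {
            sub(/#.*/, "")                      # ignore comments
            n = split($0, w, /[ \t"]+/)         # split into individual switches
            for (i = 1; i <= n; i++) {
                flag = w[i]
                sub(/=.*/, "", flag)            # drop any =value part
                if (flag in why) {
                    printf "%s:%d: %s (%s)\n", FILENAME, NR, flag, why[flag]
                    bad = 1
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Demo on a constructed sample that mirrors the config shown on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Run as root Kali
export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --password-store=detect --no-sandbox --user-data-dir"
# Disable Chromium security features for web app testing
export CHROMIUM_FLAGS="$CHROMIUM_FLAGS --disable-web-security"
EOF
audit_chromium_flags "$sample" || echo "weakened flags are set in $sample"
rm -f "$sample"
```

To check a real install, call audit_chromium_flags /etc/chromium.d/default-flags; a non-zero exit status means the browser is still configured for testing only.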

Kali Chromium Error: You Are using an Unsupported Command line flag --disable-web-security. Security and Stability will suffer

Ignore the following error; Chromium still processes DOM based XSS. The same error occurs in Google Chrome.

Kali Chromium Error: You Are using an Unsupported Command line flag --disable-web-security. Security and Stability will suffer

Enjoy.
