Add extra phishing detection test pages (#217)

* Add extra phishing detection test pages

* Add meta refresh and URL tampering test cases.

* Add URL capitalization tampering case

* Add form submission, iframe top navigator and service worker test cases.

Author: not-a-rootkit

index.html

@@ -61,8 +61,8 @@ <h2>Security</h2>
 	<li><a href="./security/dos-reload.html">Infinite location.reload() loop</a></li>
 	<li><a href="./security/csp-report/index.html">Leak of extension IDs via CSP</a></li>
 	<li><a href="./security/js-leaks.html">Detect changes to JS objects in global scope</a></li>
-	<li><a href="./security/badware/phishing.html">An example phishing page</a></li>
 	<li><a href="./security/popups/popup-launcher.html">Popup noopener/noreferrer tests</a></li>
+	<li><a href="./security/badware/">Phishing Detection Pages</a></li>
 </ul>
 
 <h2>Privacy Protections Tests</h2>

security/badware/index.html

@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="UTF-8">
+    <title>Test Pages - Phishing Detection</title>
+</head>
+
+<body>
+    <h1>Phishing Detection Test Pages</h1>
+    <a href="/">[Home]</a>
+    <ul>
+        <li><a href="./phishing.html">Standard Phishing Test</a></li>
+        <li><a href="./phishing-iframe-loader.html">Phishing iFrame Loader</a></li>
+        <li><a href="./phishing-js-redirector-helper.html">Phishing JS Redirector (Direct)</a></li>
+        <li><a href="./phishing-js-redirector.html">Phishing JS Redirector (Indirect)</a></li>
+        <li><a href="./phishing-legit-iframe-loader.html">Phishing Legit iFrame Loader</a></li>
+        <li><a href="./phishing-meta-redirect-clean.html">Phishing Redirect via Meta Refresh (Not Flagged in Dataset)</a></li>
+        <li><a href="./phishing-meta-redirect.html">Phishing Redirect via Meta Refresh (Flagged in Dataset)</a></li>
+        <li><a href="./phishing-popups.html">Phishing Open via Popups</a></li>
+        <li><a href="./phishing-url-tampering.html">Phishing Opening with URL Tampering</a></li>
+        <li><a href="./phishing-form-submission.html">Phishing Form Submission</a></li>
+        <li><a href="./phishing-iframe-top-navigator.html">Phishing iFrame Top Navigator</a></li>
+        <li><a href="./phishing-service-worker.html">Phishing Service Worker</a></li>
+        <li><a href="./phishing-iframe-top-navigator-parent.html">Phishing iFrame Top Navigator Parent</a></li>
+        <li><a href="/security/badware/phishing-redirect/">HTTP 301 Redirect to Main Phishing Test Page</a></li>
+        <li><a href="/security/badware/phishing-redirect/302">HTTP 302 Redirect to Main Phishing Test Page</a></li>
+        <li><a href="/security/badware/phishing-redirect/js">HTTP Redirect to Phishing JS Redirector (Indirect)</a></li>
+        <li><a href="/security/badware/phishing-redirect/js2">HTTP Redirect to Phishing JS Redirector (Direct)</a></li>
+        <li><a href="/security/badware/phishing-redirect/iframe">HTTP Redirect to Phishing iFrame Loader</a></li>
+        <li><a href="/security/badware/phishing-redirect/iframe2">HTTP Redirect to Phishing Legit iFrame Loader</a></li>
+        <li><a href="/security/badware/phishing-redirect/meta">HTTP Redirect to Clean Meta Refresh Redirector</a></li>
+        <li><a href="/security/badware/phishing-redirect/meta2">HTTP Redirect to Flagged Meta Refresh Redirector</a></li>
+
+    </ul>
+</body>
+
+</html>

security/badware/phishing-form-submission.html

@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <title>Phishing Form Submission</title>
+</head>
+
+<body>
+    <p><a href="./index.html">[Back]</a></p>
+
+    <h1>Phishing Page Form Submission</h1>
+
+    <p>This is an example page that, although it is not in our phishing dataset, it submits a form to an endpoint that is in our phishing dataset. If you arrive here by mistake; there's nothing to worry about, we just use this page to test if our
+        client blocking is working.</p>
+    <form method="post" action="/security/badware/phishing-redirect/form">
+        <input type="hidden" name="phishing" value="true">
+        <input type="submit" value="Submit">
+    </form>
+</body>
+
+</html>

security/badware/phishing-iframe-loader.html

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>Phishing page loaded in iframe</title>
+</head>
+<body>
+<p><a href="./index.html">[Back]</a></p>
+
+<h1>Phishing Page iFrame Loader</h1>
+
+<p>This is an example page that, although it is not in our phishing dataset, it loads a test phishing page in an iframe. If you arrive here by mistake; there's nothing to worry about, we just use this page to test if our client blocking is working.</p>
+<iframe src="https://bad.third-party.site/security/badware/phishing.html" width="100%" height="500" title="Phishing Page"></iframe>
+</body>
+</html>

security/badware/phishing-iframe-top-navigator-parent.html

@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>Phishing Page iFrame Top Navigator</title>
+    <script>
+        if (window.top !== window.self) {
+            window.top.location.href = "https://bad.third-party.site/security/badware/phishing.html";
+        }
+    </script>
+</head>
+<body>
+<p><a href="./index.html">[Back]</a></p>
+
+<h1>Phishing Page iFrame Top Navigator Parent</h1>
+
+<p>This is an example page that, although it is not in our phishing dataset, it loads an iframe that performs a top-navigation to a phishing page. If you arrive here by mistake; there's nothing to worry about, we just use this page to test if our client blocking is working.</p>
+<iframe src="https://bad.third-party.site/security/badware/phishing-iframe-top-navigator.html" width="100%" height="500" title="Phishing Page"></iframe>
+</body>
+</html>

security/badware/phishing-iframe-top-navigator.html

@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>Phishing Page iFrame Top Navigator</title>
+    <script>
+        if (window.top !== window.self) {
+            window.top.location.href = "https://bad.third-party.site/security/badware/phishing.html";
+        }
+    </script>
+</head>
+<body>
+<p><a href="./index.html">[Back]</a></p>
+
+<h1>Phishing Page iFrame Top Navigator</h1>
+
+<p>This is an example page that, although it is not in our phishing dataset, when iframed, it performs a top-navigation to a phishing page. If you arrive here by mistake; there's nothing to worry about, we just use this page to test if our client blocking is working.</p>
+
+</body>
+</html>

security/badware/phishing-js-redirector-helper.html

@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>Phishing page with JS redirect loop - helper page</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        window.location = '/security/badware/phishing.html';
+    </script>
+</head>
+<body>
+<p><a href="./index.html">[Back]</a></p>
+
+<h1>Phishing Page JS Redirects (Direct)</h1>
+
+<p>This is a helper page that is used to redirect to a page that should be classified as phishing. This page itself should not be classified as phishing in our datasets, but since it redirects to a page that is, the error page should still be shown. If you arrive here by mistake; there's nothing to worry about, we just use this page to test if our client blocking is
+working.</p>
+</body>
+</html>

security/badware/phishing-js-redirector.html

@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>Phishing page with JS redirect loop</title>
+    <script>
+        // eslint-disable-next-line no-unused-vars
+        window.location = '/security/badware/phishing-js-redirector-helper.html';
+    </script>
+</head>
+<body>
+<p><a href="./index.html">[Back]</a></p>
+
+<h1>Phishing Page JS Redirects (Indirect)</h1>
+
+<p>This is an example phishing page that attempts to load legitimate iframes to trick the browser into incorrectly classifying the page as legitimate when it should be classed as malware. If you arrive here by mistake; there's nothing to worry about, we just use this page to test if our client blocking is
+working.</p>
+</body>
+</html>

security/badware/phishing-legit-iframe-loader.html

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>Phishing page loaded in iframe</title>
+</head>
+<body>
+<p><a href="./index.html">[Back]</a></p>
+
+<h1>Phishing Page - iFrame Spoofing</h1>
+
+<p>This is an example phishing page that attempts to load legitimate iframes to trick the browser into incorrectly classifying the page as legitimate when it should be classified as phishing. If you arrive here by mistake; there's nothing to worry about, we just use this page to test if our client blocking is
+working.</p>
+<iframe src="/" width="100%" height="500" title="Phishing Page"></iframe>
+<iframe src="about:blank" width="100%" height="500" title="Phishing Page"></iframe>
+</body>
+</html>

security/badware/phishing-meta-redirect-clean.html

@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta http-equiv="refresh" content="0;url=/security/badware/phishing.html">
+    <title>Phishing page</title>
+</head>
+
+<body>
+    <p><a href="./index.html">[Back]</a></p>
+
+    <h1>Phishing Redirect via Meta Refresh</h1>
+
+    <p>This is an example page that loads a phishing page via a meta refresh to test how the browser responds. If you arrive here by mistake; there's
+        nothing to worry about, we just use this page to test if our client blocking is working.</p>
+
+</body>
+
+</html>