#!/usr/bin/env python3
"""Browser-based probe of betterbrowsing.org via Playwright.
Companion to probe.sh. This script exercises every endpoint a real
browser would touch, plus the things curl can't reach:
- document.cookie visibility (HttpOnly cookies are stored but hidden from JS)
- All login form variants — automation-guard hooks fire on different
shapes (canonical type=password, type=text masquerade, renamed fields,
GET-form, JS-driven XHR, multi-step navigation)
- Form-sink submissions (signup, comment, listing, ad-click) via real
browser navigation, so 302 redirects and post-submission state are
observed end-to-end
- Engagement like via AJAX
- All diagnostic endpoints exercised via fetch() — captures what the
intermediary does to browser-originated XHR (headers, cookies, IP)
- OSINT bait paths fetched via the page, to see whether the intermediary
blocks scan-shaped XHR differently from page navigation
- Robots.txt-disallowed /private/* fetches
- Real browser fingerprint (Sec-CH-UA, Sec-Fetch-*, etc.) reported
Usage:
pip install playwright && playwright install chromium
python3 probe_browser.py # direct
python3 probe_browser.py --proxy http://1.2.3.4:8080 # HTTP proxy
python3 probe_browser.py --cdp wss://USER:PASS@h:9222 # CDP browser
python3 probe_browser.py --headed # watch it
python3 probe_browser.py --json # diff-friendly
Compare across runs:
python3 probe_browser.py --json > direct.json
python3 probe_browser.py --json --proxy http://... > proxied.json
diff direct.json proxied.json
Exits non-zero if any probe fails. Info rows (fingerprint, robots,
ratecap percentage) don't count as failures.
"""
import argparse
import json
import sys
from contextlib import contextmanager
try:
from playwright.sync_api import sync_playwright, TimeoutError as PWTimeoutError
except ImportError:
sys.stderr.write("playwright not installed. Run: pip install playwright && playwright install chromium\n")
sys.exit(2)
DEFAULT_BASE = "https://betterbrowsing.org"
# Login form variants. Each row: (path, email/username selector, password
# selector, expected post-submit URL pattern). All six should land on / with
# the session cookies set, if the intermediary doesn't intercept.
LOGIN_VARIANTS = [
("/login/post-form", 'input[name="email"]', 'input[name="password"]'),
("/login/post-text-pw", 'input[name="email"]', 'input[name="password"]'), # password is type=text
("/login/post-renamed", 'input[name="user_credential"]', 'input[name="secret_key"]'),
("/login/get-form", 'input[name="email"]', 'input[name="password"]'), # method=get
]
# Form sinks that navigate (browser follows the 302 from the server).
# Each row: (form page path, dict of field-name -> value, expected final URL path).
FORM_SINKS = [
("/signup", {"username": "synth", "email": "s@example.invalid", "password": "x", "password_confirm": "x", "agree_terms": "on"}, "/"),
("/comment", {"author": "anon", "body": "hello world"}, "/comment"),
("/listing", {"title": "test listing", "category": "misc", "price": "10"}, "/listing"),
]
# OSINT bait paths — see what the intermediary does to a same-origin fetch
# of recon-shaped paths. Direct baseline: all 200.
OSINT_PATHS = ["/admin", "/wp-login.php", "/server-status", "/phpmyadmin", "/.env", "/.git/config"]
# Robots.txt-disallowed paths — direct baseline 200; through a robots-respecting
# intermediary the fetches get blocked.
PRIVATE_PATHS = ["/private", "/private/data.json", "/private/secret"]
# Diagnostic endpoints to hit via fetch. Each row: (label, fetch url, expected status).
DIAG_FETCHES = [
("echo headers", "/api/echo/headers", 200),
("echo ip", "/api/echo/ip", 200),
("echo user-agent", "/api/echo/user-agent", 200),
("echo get + query", "/api/echo/get?foo=bar&n=42", 200),
("status 200", "/api/status/200", 200),
("status 418", "/api/status/418", 418),
("status 500", "/api/status/500", 500),
("status 599", "/api/status/599", 599),
("redirect 0", "/api/redirect/0", 200),
("delay 0", "/api/delay/0", 200),
("health", "/api/health", 200),
("fail", "/api/fail", 500),
]
def main():
parser = argparse.ArgumentParser(description=__doc__, formatter_class=argparse.RawDescriptionHelpFormatter)
parser.add_argument("--base", default=DEFAULT_BASE, help=f"Base URL (default {DEFAULT_BASE})")
parser.add_argument("--proxy", help="HTTP/HTTPS proxy URL (e.g. http://user:pass@host:port)")
parser.add_argument("--cdp", help="CDP wss:// URL — connect to a remote browser instead of launching locally")
parser.add_argument("--cacert", help="Vendor MITM root CA path. When the proxy re-signs TLS, presence of this flag enables ignore_https_errors on the browser context so the synthetic chain is accepted.")
parser.add_argument("--headed", action="store_true", help="Show the browser (default headless)")
parser.add_argument("--json", action="store_true", help="Emit results as JSON to stdout")
args = parser.parse_args()
base = args.base.rstrip("/")
results = []
def record(name, status, detail=""):
results.append({"name": name, "status": status, "detail": detail})
if not args.json:
marker = {"pass": " ok ", "fail": "FAIL", "info": "info"}.get(status, " ?? ")
line = f" [{marker}] {name}"
if detail:
line += f" — {detail}"
print(line)
def section(title):
if not args.json:
print(f"\n## {title}")
def password_block_detail(page):
"""When page.fill() on a password input times out, some intermediaries
have swallowed an underlying 'forbidden' / 'blocked' message into a
generic 30s Playwright timeout. A direct value-assignment via
evaluate often raises that message explicitly. Returns a suffix to
append to the detail field, or '' if no password input is present /
no extra signal was captured."""
try:
page.evaluate("""
const p = document.querySelector('input[type="password"]');
if (p) { p.value = 'probe-pw'; }
""")
except Exception as e:
return f" — {str(e)[:150]}"
return ""
if not args.json:
mode = f"CDP {args.cdp}" if args.cdp else (f"HTTP proxy {args.proxy}" if args.proxy else "direct")
print(f"## Browser probe of {base}")
print(f"## Mode: {mode}")
with sync_playwright() as p:
# Local Chromium: launch once, reuse the context across tests via
# fresh pages. CDP mode: some remote browser endpoints leak
# session state across navigations — a single failed page.fill()
# on a password input can pollute the session so every subsequent
# page.goto() also times out, multiplying one real intercept into
# many cascading failures. Open a fresh CDP connection per test
# to isolate. ~1s/test overhead in CDP mode.
shared_browser = shared_ctx = None
if not args.cdp:
launch_kwargs = {"headless": not args.headed}
if args.proxy:
launch_kwargs["proxy"] = {"server": args.proxy}
shared_browser = p.chromium.launch(**launch_kwargs)
context_kwargs = {}
if args.cacert:
context_kwargs["ignore_https_errors"] = True
shared_ctx = shared_browser.new_context(**context_kwargs)
@contextmanager
def test_session():
if args.cdp:
browser = p.chromium.connect_over_cdp(args.cdp)
ctx = browser.contexts[0] if browser.contexts else browser.new_context()
page = ctx.new_page()
try:
yield ctx, page
finally:
browser.close()
else:
page = shared_ctx.new_page()
try:
yield shared_ctx, page
finally:
page.close()
# =========================================================
# 1. Cookies / SameSite via document.cookie
# =========================================================
section("Cookies (client-side via document.cookie)")
with test_session() as (ctx, page):
try:
page.goto(f"{base}/cookies", timeout=20000)
record("/cookies loads", "pass" if "Cookie tests" in page.content() else "fail")
except Exception as e:
record("/cookies loads", "fail", repr(e)[:120])
with test_session() as (ctx, page):
try:
page.goto(f"{base}/cookies", timeout=20000)
page.evaluate("setCookies({probe:'hello', visitor:'anon'}, 'Lax'); refresh();")
shown = page.text_content("#doc-cookie") or ""
record("plain cookie via JS visible to document.cookie",
"pass" if "probe=hello" in shown and "visitor=anon" in shown else "fail",
shown[:80])
except Exception as e:
record("plain cookie via JS visible to document.cookie", "fail", repr(e)[:120])
with test_session() as (ctx, page):
try:
page.goto(f"{base}/cookies", timeout=20000)
page.evaluate("setCookies({strict_c:'yes'}, 'Strict'); refresh();")
jar = {c["name"]: c for c in ctx.cookies()}
ss_ok = jar.get("strict_c", {}).get("sameSite") == "Strict"
record("SameSite=Strict attribute reaches the jar", "pass" if ss_ok else "fail",
f"strict_c.sameSite={jar.get('strict_c', {}).get('sameSite')}")
except Exception as e:
record("SameSite=Strict attribute reaches the jar", "fail", repr(e)[:120])
with test_session() as (ctx, page):
try:
page.goto(f"{base}/cookies", timeout=20000)
page.evaluate("setCookies({probe:'hello'}, 'Lax'); refresh();")
page.evaluate("clearAll(); refresh();")
empty = page.text_content("#doc-cookie") or ""
record("clearAll empties document.cookie", "pass" if "probe=" not in empty else "fail")
except Exception as e:
record("clearAll empties document.cookie", "fail", repr(e)[:120])
# =========================================================
# 2. Login variants — every form shape submitted via the real browser
# =========================================================
section("Login variants (form fill + submit through the browser)")
for path, email_sel, pw_sel in LOGIN_VARIANTS:
label = f"variant {path}: form -> 302 -> /"
step = "init"
with test_session() as (ctx, page):
try:
step = "goto"
page.goto(f"{base}{path}", timeout=20000)
step = "fill_email"
page.fill(email_sel, "variant@example.invalid", timeout=8000)
step = "fill_password"
page.fill(pw_sel, "synthetic-pw", timeout=8000)
step = "click_submit"
page.click('button[type="submit"]', timeout=8000)
step = "wait_for_redirect"
page.wait_for_url(f"{base}/", timeout=15000)
step = "verify_cookies"
cookies = {c["name"]: c for c in ctx.cookies()}
ok = "__session" in cookies and "bb_session_js" in cookies
record(label,
"pass" if ok else "fail",
f"cookies={[k for k in cookies.keys() if k.startswith(('__session','bb_session'))]}")
except PWTimeoutError:
record(label, "fail", f"timeout at step={step}{password_block_detail(page)}")
except Exception as e:
record(label, "fail", f"step={step}: {repr(e)[:100]}")
# =========================================================
# 2b. DOM-mutation bypasses for the password-typing block
# =========================================================
# If an intermediary forbids typing into , can
# an attacker mutate type -> 'text' before filling? Four mutation
# styles; each is its own probe. "pass" here = the bypass worked =
# the intermediary failed to block (a finding against the
# intermediary's protection). "fail" = the intermediary blocked the
# bypass attempt = protection held.
section("Password-type DOM mutations + fill + submit")
MUTATIONS = [
("type-property-setter", "document.querySelector('input[name=password]').type='text'"),
("setAttribute('type','text')",
"document.querySelector('input[name=password]').setAttribute('type','text')"),
("removeAttribute('type')",
"document.querySelector('input[name=password]').removeAttribute('type')"),
("replace-element-with-text-input", '''
const old = document.querySelector('input[name=password]');
const nu = document.createElement('input');
nu.type = 'text'; nu.name = 'password'; nu.id = 'password';
old.parentNode.replaceChild(nu, old);
'''),
]
for mut_label, mutation_js in MUTATIONS:
label = f"mutation '{mut_label}': flip -> fill -> 302"
step = "init"
with test_session() as (ctx, page):
try:
step = "goto"
page.goto(f"{base}/login/post-form", timeout=20000)
step = "mutation"
try:
page.evaluate(mutation_js)
except Exception as me:
record(label, "fail", f"step=mutation: {repr(me)[:160]}")
continue
step = "verify_type"
new_type = page.evaluate("document.querySelector('input[name=password]').type")
if new_type != 'text':
record(label, "fail", f"flip did not take; type still {new_type!r}")
continue
step = "fill_email"
page.fill('input[name="email"]', "synth@example.invalid", timeout=5000)
step = "fill_password"
page.fill('input[name="password"]', "synthetic-pw", timeout=5000)
step = "click_submit"
page.click('button[type="submit"]', timeout=5000)
step = "wait_for_redirect"
page.wait_for_url(f"{base}/", timeout=15000)
record(label, "pass", "BYPASS — intermediary did not block at any step")
except PWTimeoutError:
# Surface the BD-style "Forbidden action" error if it's actually
# there, by re-running the failing JS to capture the real msg.
bd_detail = ""
try:
page.evaluate("document.querySelector('input[type=password]')?.setAttribute('type','text')")
except Exception as me:
bd_detail = f" — {str(me)[:140]}"
record(label, "fail", f"timeout at step={step}{bd_detail}")
except Exception as e:
record(label, "fail", f"step={step}: {repr(e)[:140]}")
# =========================================================
# 2c. Submit-trigger bypasses
# =========================================================
# Same logic as 2b but applied to the submit step. If an intermediary
# hooks page.click() / submit-button click events to block credential
# submission, equivalent submission APIs may slip past: form.submit()
# skips the submit event entirely, form.requestSubmit() is the newer
# API, synthetic dispatchEvent forges the click, and a raw fetch(POST)
# bypasses the form DOM entirely. Each is its own probe.
#
# Uses /login/post-text-pw so any password-typing block doesn't gate
# this — we're isolating the submit-trigger surface, not the typing
# surface.
section("Submit trigger via alternative APIs")
SUBMIT_TRIGGERS = [
("button.click()",
"document.querySelector('button[type=submit]').click()"),
("form.submit() (no submit event)",
"document.querySelector('form').submit()"),
("form.requestSubmit()",
"document.querySelector('form').requestSubmit()"),
("dispatch synthetic click MouseEvent",
"document.querySelector('button[type=submit]').dispatchEvent(new MouseEvent('click', {bubbles:true, cancelable:true}))"),
]
for trig_label, trig_js in SUBMIT_TRIGGERS:
label = f"submit via {trig_label}: form -> 302"
step = "init"
with test_session() as (ctx, page):
try:
step = "goto"
page.goto(f"{base}/login/post-text-pw", timeout=20000)
step = "fill_email"
page.fill('input[name="email"]', "synth@example.invalid", timeout=8000)
step = "fill_password"
page.fill('input[name="password"]', "synthetic-pw", timeout=8000)
step = "trigger_submit"
page.evaluate(trig_js)
step = "wait_for_redirect"
page.wait_for_url(f"{base}/", timeout=15000)
record(label, "pass", "BYPASS — intermediary did not block submission")
except PWTimeoutError:
record(label, "fail", f"timeout at step={step}")
except Exception as e:
record(label, "fail", f"step={step}: {repr(e)[:140]}")
# Form-bypass: skip every form-related DOM API and just POST via fetch
# using URLSearchParams (matches the form's default urlencoded encoding).
# An intermediary that hooks DOM submit / click events but not fetch()
# POSTs to login endpoints will let this through.
label = "submit via fetch(POST URLSearchParams): -> 200 (followed)"
step = "init"
with test_session() as (ctx, page):
try:
step = "goto"
page.goto(f"{base}/login/post-text-pw", timeout=20000)
step = "fill_email"
page.fill('input[name="email"]', "synth@example.invalid", timeout=8000)
step = "fill_password"
page.fill('input[name="password"]', "synthetic-pw", timeout=8000)
step = "fetch_post"
result = page.evaluate("""
async () => {
const f = document.querySelector('form');
const params = new URLSearchParams();
for (const [k, v] of new FormData(f)) params.append(k, v);
const r = await fetch(f.action, {
method: 'POST',
headers: {'Content-Type': 'application/x-www-form-urlencoded'},
body: params.toString(),
redirect: 'follow',
});
return { status: r.status, finalUrl: r.url };
}
""")
# Follow-redirect lands on /; final status 200, final URL is base/.
ok = result["status"] == 200 and result["finalUrl"].rstrip("/") == base
record(label,
"pass" if ok else "fail",
f"BYPASS — status={result['status']}, final={result['finalUrl']}" if ok
else f"status={result['status']}, final={result['finalUrl']}")
except PWTimeoutError:
record(label, "fail", f"timeout at step={step}")
except Exception as e:
record(label, "fail", f"step={step}: {repr(e)[:140]}")
# Content-type variants: intermediaries that detect credential POSTs
# by parsing 'application/x-www-form-urlencoded' bodies may miss the
# same payload in multipart/form-data or application/json. Probe both.
ENCODING_VARIANTS = [
("fetch(POST FormData) multipart", """
async () => {
const f = document.querySelector('form');
const fd = new FormData(f); // fetch + FormData -> multipart/form-data
const r = await fetch(f.action, {method:'POST', body:fd, redirect:'follow'});
return { status: r.status, finalUrl: r.url };
}
"""),
("fetch(POST JSON body)", """
async () => {
const f = document.querySelector('form');
const obj = {};
for (const [k, v] of new FormData(f)) obj[k] = v;
const r = await fetch(f.action, {
method:'POST',
headers:{'Content-Type':'application/json'},
body: JSON.stringify(obj),
redirect:'follow',
});
return { status: r.status, finalUrl: r.url };
}
"""),
]
for enc_label, enc_js in ENCODING_VARIANTS:
label = f"submit via {enc_label}: -> 200 (followed)"
step = "init"
with test_session() as (ctx, page):
try:
step = "goto"
page.goto(f"{base}/login/post-text-pw", timeout=20000)
step = "fill_email"
page.fill('input[name="email"]', "synth@example.invalid", timeout=8000)
step = "fill_password"
page.fill('input[name="password"]', "synthetic-pw", timeout=8000)
step = "fetch_post"
result = page.evaluate(enc_js)
ok = result["status"] == 200 and result["finalUrl"].rstrip("/") == base
record(label,
"pass" if ok else "fail",
f"BYPASS — status={result['status']}" if ok
else f"status={result['status']}, final={result['finalUrl']}")
except Exception as e:
record(label, "fail", f"step={step}: {repr(e)[:140]}")
# =========================================================
# 2d. Cross-realm (iframe.contentWindow) bypasses
# =========================================================
# Meta-bypass: intermediary hooks usually only patch the top-frame
# realm's globals/prototypes (via evaluateOnNewDocument / CDP
# injection). A same-origin