palantir / phishcatch

A browser extension and API server for detecting corporate password use on external websites
https://github.com/palantir/phishcatch/wiki
Apache License 2.0

Connecting extension to alerting server not working #25

Open veeral-patel opened 3 years ago

veeral-patel commented 3 years ago

Here's my debug configuration:

[screenshot: debug configuration]

As you can see, I've set the phishcatch server URL to an ngrok site which points to localhost:8000. I am running the server locally on port 8000 using `PRESHARED_KEY=MYPSK123 dev.sh`.

I am able to trigger phishcatch browser notifications, however I am not seeing any alerts logged by my alert server.

What do I need to do to get the extension and server to cooperate?

carbureted commented 3 years ago

If you run the server locally (ie without ngrok) do you have the same problem? I'll try to reproduce this tomorrow if you're still having problems.

malcode-eth commented 3 years ago

I confirm it can't connect locally.

Either with an IP (127.0.0.1), a domain, by using http or https.

veeral-patel commented 3 years ago

@carbureted neither local nor ngrok works

carbureted commented 3 years ago

You guys are running via docker, right?

malcode-eth commented 3 years ago

Yes, here is how I launched it:

```shell
docker run -d -e PRESHARED_KEY=justtesting --name phishcatch -p 8080:80 phishcatch
```

0xMirasio commented 3 years ago

veeral-patel, it's normal that the /alert POST isn't working. There is a CSP policy that doesn't allow requests to URLs beginning with http://.

The CSP policy is: `"content_security_policy": "script-src 'self'; object-src 'self'; connect-src https://*"`. If you want your ngrok server to work, you need to add http:// to the CSP policy in manifest.json (/public) or use the https URL given by ngrok when requesting an http server.

That issue can be verified by watching the background page in the Chrome dev console. [screenshot]

carbureted commented 3 years ago

Good catch. I'll update the wiki to note the HTTPS requirement. Do people feel having an https server running is too high of a barrier for initial development?

0xMirasio commented 3 years ago

Well, that's not a problem, you can change manifest.json to support http:

"content_security_policy": "script-src 'self'; object-src 'self'; connect-src **http://** https://",

carbureted commented 3 years ago

I could, but it enables hosting prod servers on http. A compromise might be enabling http for all localhost ports.

veeral-patel commented 3 years ago

@carbureted hey -- yes, I think that's a good compromise as well
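A small connect-src matcher, added here as an illustration and not part of PhishCatch or this thread, to check which server URLs the manifest policy quoted above lets the extension reach, and how the localhost-only http compromise behaves. The ngrok and example hostnames are constructed, and the matching is a simplification of the CSP source-expression rules (quoted keywords such as 'self' are not modelled).

```javascript
// Simplified CSP connect-src evaluation: scheme-source ("https:") and
// host-source ("https://*", "http://localhost:*") expressions only.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Policy shipped in manifest.json as quoted in this issue.
const CURRENT_CSP = "script-src 'self'; object-src 'self'; connect-src https://*";
// The compromise discussed above: http permitted only for loopback hosts, any port.
const LOCALHOST_CSP =
  "script-src 'self'; object-src 'self'; connect-src https://* http://localhost:* http://127.0.0.1:*";

function parseDirective(csp, name) {
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] === name) return tokens.slice(1);
  }
  return null; // directive absent
}

function sourceAllows(source, url) {
  const src = source.toLowerCase();
  if (src.startsWith("'")) return false; // 'self', 'none', ...: not modelled here
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\*|\d+))?(?:\/.*)?$/.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (url.protocol !== scheme + ":") return false;
  } else if (url.protocol !== "http:" && url.protocol !== "https:") {
    return false; // schemeless source: assume http/https only (simplification)
  }
  const h = url.hostname;
  if (host.startsWith("*.")) {
    if (!h.endsWith(host.slice(1))) return false; // wildcard matches subdomains only
  } else if (host !== "*" && h !== host) {
    return false;
  }
  const effectivePort = url.port || DEFAULT_PORTS[url.protocol] || "";
  if (port === "*") return true;
  if (port !== undefined) return effectivePort === port;
  return effectivePort === DEFAULT_PORTS[url.protocol]; // no port given: default port only
}

// True if a fetch from the extension to `target` would pass connect-src.
function connectSrcAllows(csp, target) {
  const sources = parseDirective(csp, "connect-src") ?? parseDirective(csp, "default-src");
  if (sources === null) return true; // neither directive present: unrestricted
  const url = new URL(target);
  return sources.some((s) => sourceAllows(s, url));
}
```

Note that `http://localhost` without a port would still reject a dev server on 8000, which is why the compromise needs the `:*` port wildcard.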