Please note that this project is in beta, due to requirements to be completed by MozFest.
badsite.io for a list of test subdomains, including:
Stock Ubuntu VM, DNS A records for
*.badsite.test. pointing to the VM.
Testing and development
Follow the instructions to install Docker.
Clone into the badsite repo by running
git clone https://github.io/april/badsite.io && cd badsite.io.
In order to access the various badsite subdomains locally you will need to add them to your system hosts file. Run
make list-hostsand copy and paste the output into
Start Docker by running
You can now navigate to
badsite.testin your browser, and you should see a certificate error.
The badsite root certificate is at
certs/sets/test/gen/crt/ca-root.crt. In order to get the rest of the badsite subdomains working, you will need to add this to your machine's list of trusted certificates.
certs/sets/test/gen/crt/ca-root.crtinto the login section of the program Keychain Access. A BadSite Root Certificate Authority entry should appear in the list. Double-click on this entry and select "Use Custom Settings" from the drop-down menu next to "When using this certificate." Then select "Always Trust" from the drop-down menu next to "Secure Sockets Layer (SSL)." Close the window to save your changes.
If you are already familiar with this process, you can instead run this command:
security add-trusted-cert -r trustRoot -p ssl \ -k "$HOME/Library/Keychains/login.keychain" certs/sets/test/gen/crt/ca-root.crt
In order to preserve the root certificate even after running
make clean, run:
cd certs/sets/test mkdir -p pregen/crt pregen/key cp gen/crt/ca-root.crt pregen/crt/ca-root.crt cp gen/key/ca-root.key pregen/key/ca-root.key
badsite.io is hosted on Mozilla infrastructure and co-maintained by:
badsite.io is meant for manual testing of web security in clients and test tools.
Most subdomains are likely to have stable functionality, but anything could change without notice. If you would like a documented guarantee for a particular use case, please file an issue. (Alternatively, you could make a fork and host your own copy.)
badsite.io is not an official Mozilla or Google product. It is offered "AS-IS" and without any warranties.