Autochrome

At NCC Group, we do a lot of web application testing. The applications we test are fairly complex, with many different user accounts and roles. We spend a good amount of effort setting up a test environment with another browser to ensure sensitive client data isn't intermixed with other browsing activities. To automate this process, we developed Autochrome, making it easy to install a test browser with all the appropriate settings we need for web application testing. Normal web developers may also find it useful to isolate different users into different profiles for testing.

Screenshot of Autochrome after launch

Why do I want this?

Even if you already have your test environment all ready to go, it can be a pain to keep it up-to-date and clean. Autochrome makes it a single command to completely wipe out all of your previous data, such as a test for a different client, and set up all the little options that make doing webapp testing easier. A few of the features include:

Brightly-colored profiles

To make it easy to switch between user accounts, Autochrome, by default, installs three profiles, each with a different color set of stripes. Each profile is completely isolated--no data is shared between them.Having this separation is crucial when testing multiple users or roles for a single application.

Screenshot of multiple Autochrome profiles

No random browser traffic

Any given web application is going to generate a lot of traffic--to the app itself as well as various third-party websites. Having to sift out additional requests made by the browser for things such as extension updates, anti-phishing blacklists, and search traffic is always a pain. Autochrome disables various phone-home features and other sources of extraneous traffic, such as searching from the URL bar.

Test data stays in your test browser

By default, all browser traffic is redirected through the HTTP proxy of your choice. Nothing escapes the proxy. If your webapp makes a request, your proxy will see that request pass by. There’s no need to mess with system proxy settings - Autochrome will only send traffic to the proxy.

This extends to TLS certificates too. Since Autochrome is intended for local use, all TLS certificate validation is disabled, allowing you to use it with man-in-the-middle TLS proxies such as Burp Suite. Again, since this only applies to Autochrome, this means no more having to trust Burp’s TLS interception certificate authority at an operating system level.

How does it work?

Autochrome is simply a script that fetches the latest version of Google’s Chromium, creates a number of test profiles, and installs it. Rather than do extensive modifications to the Chromium source, we rely on the base executable built by Google and only modified the profiles so that they work for our testing.

How do I get this?

Get it from NCC Group’s GitHub! Autochrome is a Ruby script that will run on OS X 10.10 and later as well as most modern Linux systems. On Linux, you will need to have Ruby, sqlite3, and unzip installed for it to function. The following steps are all you need to get started:

$ git clone https://github.com/nccgroup/autochrome.git
$ cd autochrome
$ ruby autochrome.rb

Burp Suite extension

We’re also a big fan of Burp Suite over here at NCC Group. Since so much of our testing is done with Burp, we wanted to make it easy to identify the multiple Autochrome profiles in use. By default, Autochrome adds a string into the user agent header, identifying itself by color (such as "autochrome/red"). The Burp extension picks up on this header and fills in the Comment field in the proxy so that it is easy to identify which profile made which request.

Screenshot of Burp Suite with the extension in use

The extension is bundled with Autochrome in the burp_extension directory.

Published date:  20 March 2017

Written by:  Hans Nielsen

Filter By Service

Filter By Date