Configurable test origin server for tungsten proxy CI testing
- Browser-initiated downloads via anchor tag navigation. Tests tungsten's download detection for Document and NonBrowser request types. Links for PDF, ZIP, XLSX, EXE, MP4 + custom download builder. Replaces getsamplefiles.com.
- Downloads aimed at a host under the safeview (isolate.) policy (PXY-6221). PE returns isolate + file_download; tungsten must collapse that to content inspection (hash + AV), not route the binary through safeview. A download cannot be isolated. Mirrors the failing legacy e2e files (tar, docx, xlsx, EICAR). Expected: resp.action=content_inspect, a Druid entry with sha256_score/av_scan_result, and no thin-client call.
- Resources meant to be right-clicked and saved. Tests tungsten's SaveAs request kind detection, which always triggers download inspection regardless of MIME type. Inline PDFs, executables, images. Replaces the github.com/mimikatz save-as test.
- Programmatic downloads via fetch() with configurable response type: blob, arraybuffer, or ReadableStream. Tests inspection of non-navigation downloads. Shows transfer speed and size. Replaces the github.com/mimikatz XHR test.
- Dynamically injects a hidden <iframe> to trigger a download. Tests that tungsten detects and inspects downloads initiated via non-visible iframes (Iframe request type). Configurable target URL.
- Simulates Dropbox/Box/Google Drive. A static <iframe> in the DOM navigates to a download URL. The browser sends Sec-Fetch-Dest: iframe, triggering tungsten's iframe download path and the frame-busting download page. Tests that tungsten correctly intercepts iframe downloads and breaks out to top level.
- A visible iframe loads /robots.txt served as text/plain with no Content-Disposition header. Reproduces the bug where tungsten classifies the iframe response as a download and frame-busts, replacing the top-level page: incorrect iframe download classification for plain-text sub-frame responses.
- Native form POST (multipart or urlencoded) and XHR/fetch upload on a single page. Tests sec-fetch-mode: navigate vs cors classification and upload inspection across all encoding variants. File, Blob, or generated data. Replaces west-wind.com.
- Form with pre-filled sensitive data patterns (SSN, credit card numbers, PII). Tests DLP policy enforcement on application/x-www-form-urlencoded POST bodies. Replaces dlptest.com.
- Client-side File.slice() with concurrent PUT requests. Tests tungsten's inspection of multiplexed chunked uploads with Content-Range headers. Configurable chunk size and concurrency. Replaces the AWS S3 console upload behavior.
- Top-level form POST and fetch/XHR POST from this page to a sibling caesium subdomain. Preset buttons switch the target between isolate., block., and allow. to exercise different tungsten policy decisions (safeview rewrite, block page, pass-through). Configurable target, encoding, and frame. The target hostname inherits the page's protocol and port, so it works both locally and in prod.
- Builds same-origin links of a chosen total length and sends them through the proxy. Tests the maximum-URL boundary: squid rejects any absolute URL ≥ its compiled MAX_URL (8192 bytes) with 400 Invalid URL; tungsten (H2) has no URL-line cap, only a 256 KB total header-list limit. Preset limits for squid/tungsten plus custom. Generates under / at / right-above / over the limit. Hits /urltest, which responds 200 with the received byte count.
- Displays all HTTP request headers received by caesium. Useful for inspecting which headers the proxy adds, strips, or rewrites (e.g. x-forwarded-for, via, x-menlo-*). Reload the page to refresh. Also available as a plain endpoint for curl.
- Matrix decoupling the three signals tungsten uses to classify downloads: sniffed type, declared Content-Type, and Content-Disposition. Emphasizes contradiction cases, e.g. plaintext served as application/octet-stream (the clean_executables fixtures) escalates to a download, and an inline disposition cannot keep a non-renderable PE inline. Top-level navigation per row (Document path) with the expected verdict. Backed by /classify, which serves text/exe/pdf/zip/png bodies under arbitrary declared headers.
- Page making fetch calls, loading scripts/images/CSS from the same origin. Tests that proxy auth doesn't interfere with normal same-origin subresource loading. Planned: requires hostname-based routing setup.
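The URL-length boundary test above needs request-targets of an exact byte length around squid's MAX_URL. This added example (not caesium's own code) builds them and the under / at / right-above / over presets; the preset offsets, the `pad` parameter name and the `caesium.test` host are assumptions.

```python
# Added example (not caesium's own code): build absolute URLs of an exact
# total length for /urltest, mirroring the under / at / right-above / over
# presets around a proxy URL limit such as squid's MAX_URL (8192 bytes).
# The preset offsets and the "pad" query parameter name are assumptions.

SQUID_MAX_URL = 8192  # from the page: squid rejects absolute URLs >= this


def build_url(base: str, total_len: int, param: str = "pad") -> str:
    """Return an absolute URL of exactly total_len bytes.

    base is e.g. "http://caesium.test/urltest"; padding is appended as one
    query parameter made of 'a' characters, so it never needs escaping.
    """
    prefix = f"{base}?{param}="
    if total_len < len(prefix) + 1:
        raise ValueError(f"total_len {total_len} too short for {prefix!r}")
    url = prefix + "a" * (total_len - len(prefix))
    assert len(url.encode("ascii")) == total_len
    return url


def presets(limit: int) -> dict:
    """Target lengths relative to a limit (offsets are this example's choice)."""
    return {
        "under": limit - 1,        # largest URL squid should still accept
        "at": limit,               # squid: 400 Invalid URL; tungsten: fine
        "right-above": limit + 1,
        "over": limit * 2,
    }


def build_presets(base: str, limit: int = SQUID_MAX_URL) -> dict:
    """All preset URLs for a base endpoint, keyed by preset name."""
    return {name: build_url(base, n) for name, n in presets(limit).items()}


def expected_squid_status(url: str) -> int:
    """Expected squid verdict per the page: 400 at or above MAX_URL, else 200."""
    return 400 if len(url.encode("ascii")) >= SQUID_MAX_URL else 200
```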
| Method | Path | Description | Key Parameters |
|---|---|---|---|
| GET | /download | Serve configurable response body | size, content_type, disposition, filename, transfer_encoding, content_encoding, embed_signature, trickle_rate |
| POST | /upload | Streaming upload, returns diagnostics | — |
| PUT | /upload | Streaming upload (same as POST) | — |
| POST | /upload/form | Buffered form POST (DLP testing) | — |
| GET | /headers | Show all request headers received by caesium | — |
| GET | /urltest | Echo received request-target byte count (URL-length testing) | any (padding goes in the query) |
| GET | /classify | Serve a body that sniffs as a chosen type under caller-declared headers (download-classification testing) | body (text/exe/pdf/zip/png), content_type, disposition, filename |
| GET | /health | Health check | — |
| Use Case | URL |
|---|---|
| 1MB PDF download | /download?size=1MB&content_type=application/pdf&disposition=attachment&filename=test.pdf |
| 50MB ISO (non-browser) | curl -o test.iso http://<host>/download?size=50MB&content_type=application/x-iso9660-image |
| Embed PE header in body | /download?size=1MB&embed_signature=0:4d5a9000 |
| Chunked transfer | /download?size=5MB&transfer_encoding=chunked |
| Resumable download | curl -C - -o file.bin http://<host>/download?size=100MB |
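The `size` and `embed_signature` parameters of /download are the ones the examples above lean on. This added example (not caesium's own code) shows one way to turn them into a response body, e.g. `size=1MB&embed_signature=0:4d5a9000` placing a PE "MZ" header at offset 0; binary units, the filler pattern and comma-separated multiple signatures are assumptions.

```python
# Added example (not caesium's own code): generate the /download body for
# size=... and embed_signature=offset:hex, e.g. size=1MB&embed_signature=0:4d5a9000.
# Assumptions: binary units (1KB = 1024), deterministic printable filler,
# and several signatures may be given comma-separated.
import re

_MULT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(text: str) -> int:
    """Parse '512', '1KB', '50MB', '5M' (case-insensitive) into a byte count."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMG]?B?)\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"bad size: {text!r}")
    suffix = m.group(2).upper().rstrip("B")
    return int(m.group(1)) * _MULT[suffix]


def parse_signatures(spec: str) -> list:
    """'0:4d5a9000,512:504500' -> [(0, b'MZ\\x90\\x00'), (512, b'PE\\x00')]."""
    sigs = []
    for item in filter(None, spec.split(",")):
        off, _, hexbytes = item.partition(":")
        sigs.append((int(off), bytes.fromhex(hexbytes)))
    return sigs


def build_body(size: str, embed_signature: str = "") -> bytes:
    """Filler body of the requested size with signatures patched in place."""
    n = parse_size(size)
    # Repeating printable filler: sniffs as text unless a signature overrides it.
    body = bytearray((b"caesium-filler-" * (n // 15 + 1))[:n])
    for off, sig in parse_signatures(embed_signature):
        if off < 0 or off + len(sig) > n:
            raise ValueError(f"signature at {off} does not fit in {n} bytes")
        body[off:off + len(sig)] = sig
    return bytes(body)


def sniffs_as_pe(body: bytes) -> bool:
    """True when the body starts with the DOS 'MZ' magic a sniffer keys on."""
    return body[:2] == b"MZ"
```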