Appearance
MobaXterm
Validate MobaXterm's SSH, SFTP, X11 forwarding, and clipboard behaviors under the Secure Sandbox.
Objectives
- Enforce deny-by-default egress for SSH and SFTP connections; verify proxy enforcement.
- Ensure X11 forwarding does not bypass network controls.
- Verify clipboard/drag-drop boundaries between MobaXterm and the host.
Preconditions
- Windows target with Turbo Launcher and Secure Sandbox.
- MobaXterm installed.
Controls Under Test
runtime.networking.egressDefaultAction, proxy enforcement.runtime.dataMotion.rules[]withchannel: "clipboard"|"dragDrop".
Test Scenarios
| ID | Canonical ID | Scenario | Procedure | Expected Outcome |
|---|---|---|---|---|
| SCEN-APP-MOBAXTERM-01 | NET-EGRESS-01 | SSH to Disallowed IP | Open local terminal; run ssh user@<IP>. | Connection fails (timeout or proxy deny). |
| SCEN-APP-MOBAXTERM-02 | NET-EGRESS-10 | SFTP via Designated Proxy | Initiate SFTP session to an allowlisted site via the designated proxy. | Connection succeeds only when proxy identity/pinning is valid; traffic traverses the proxy; on mismatch, TLS handshake fails. Audit includes proxyEnforced: true and reason when denied. |
| SCEN-APP-MOBAXTERM-03 | NET-ISOLATE-01 | X11 Forwarding | Enable X11; launch X app (e.g. xclock) from remote session. | Display path remains internal; no external egress to host services. Localhost isolation holds; audit shows no external network egress. |
| SCEN-APP-MOBAXTERM-04 | DM-CLIP-01 | Clipboard Outbound | Copy text from remote terminal; paste to host. | Denied/processed per policy (e.g. deny or audit). |
| SCEN-APP-MOBAXTERM-05 | DM-DRAG-01 | File Drag-Drop | Drag file from MobaXterm sidebar to Host Desktop. | Blocked per policy. |
| SCEN-APP-MOBAXTERM-06 | HARD-FILES-01 | Local Browser | Use MobaXterm local browser to explore C:. | Visibility restricted to Storage Contexts; cannot see blocked host paths. |
Evidence Requirements
networkevents: protocol (tcp/22), destination, action, outcome.dataMotionevents:channel,direction,actionfor clipboard/dragDrop.
