Content-Security-Policy
Pick a Content-Security-Policy (CSP) to see how it controls which scripts and styles are applied, and how Cross-Site Scripting (XSS) payloads behave under each policy.
STRICT (default)
Uses nonces to restrict which scripts may load
Safely inserts the nonce value into the HTML via templating
The burden is on the developer to handle the templating properly
Most secure way to allow some scripts and styles, but least flexible
MODERATE
Automatically injects nonces into the specified tags (script, style, link)
Good enough for most static web pages
Accepts the risk that the nonce is also injected into unwanted script, style, and/or link tags that were already present in the page, including any an attacker managed to get there
Balances convenience with security
RELAXED
Uses 'unsafe-inline' for the script-src, script-src-attr, style-src, and style-src-attr directives
Allows frame ancestors and embedded iframes
Suitable for applications that don't expose much risk
Favors convenience and flexibility over security
NO CSP
The browser won't enforce any restrictions on content (apart from its own built-in XSS mitigation features)
Current CSP:
If this is red, an inline style attribute was applied.
Cross-Site Scripting (XSS) Tests
Reflected XSS
Method #1: using setHTMLUnsafe (parses the markup like innerHTML, so an inserted <script> element does not execute, but an event handler such as onerror still fires)
Try <img src=x onerror=alert(1)>
Click to test Reflected XSS
Method #2: using setHTMLUnsafe + document.write() (document.write() does execute inserted <script> elements)
Try <script>alert('xss');</script>
Click to test Reflected XSS
Persistent XSS Tests
Assume users save free-form text to a content database, and this page loads that content into the DOM without output encoding or sanitization. What happens when that content contains an XSS payload?
If this box is empty, the CSP is doing its job. If it is not, we have fallen victim to XSS.
Escaped Dynamic Content
harmless content 1
<script>let el1 = document.createElement("div");el1.innerHTML = "Created by Persistent XSS 1"; document.getElementById("persistent-xss-target").appendChild(el1);</script>
<script nonce="{{nonce}}">let el2 = document.createElement("div");el2.innerHTML = "Created by Persistent XSS 2"; document.getElementById("persistent-xss-target").appendChild(el2);</script>
<script defer="" type="text/javascript" src="/bad.js"></script>
<script defer="" type="text/javascript" src="/bad.js" nonce="{{nonce}}"></script>
<img src=x onerror='let el3 = document.createElement("div");el3.innerHTML = "Created by Persistent XSS 3 (img onerror inline)"; document.getElementById("persistent-xss-target").appendChild(el3);' />
harmless content 2
Unescaped Dynamic Content
harmless content 1
harmless content 2