mirror of
https://github.com/bpetschowitsch/weba.git
synced 2026-06-01 16:39:42 +00:00
Create 06_xss_demo.md
This commit is contained in:
bpetschowitsch
@@ -0,0 +1,25 @@
|
|||||||
|
# XSS/CSP Demo
|
||||||
|
|
||||||
|
## Environment
|
||||||
|
Demo App -> [Addressbook](enable_php.md)
|
||||||
|
|
||||||
|
## Demo
|
||||||
|
check that csp is not set in nginx
|
||||||
|
|
||||||
|
## Browser
|
||||||
|
add following name & press "Speichern":
|
||||||
|
|
||||||
|
```html
|
||||||
|
Charlie <div id="out"></div><script>document.onkeypress = function(e) {document.getElementById('out').innerHTML += e.key};</script>
|
||||||
|
```
|
||||||
|
|
||||||
|
and now type on your keyboard...
|
||||||
|
|
||||||
|
## CSP
|
||||||
|
set CSP in nginx config
|
||||||
|
|
||||||
|
```nginx
|
||||||
|
add_header Content-Security-Policy "default-src 'self'; script-src 'self';" always;
|
||||||
|
```
|
||||||
|
|
||||||
|
repeat the Demo.
|
||||||
Reference in New Issue
Block a user