Mirror of https://github.com/bpetschowitsch/weba.git (synced 2026-06-01 16:39:42 +00:00)
XSS/CSP Demo
Environment
Demo app: the Addressbook application. The name entered into the address book is stored and rendered back into the page without HTML encoding, which is what the demo exploits.
Demo
Check that no Content-Security-Policy header is set in the nginx config (no active add_header Content-Security-Policy line; confirm with curl -I or the browser's network tab that the response carries no such header).
In the browser, add the following name and press "Speichern" (Save):
Charlie <div id="out"></div><script>document.onkeypress = function(e) {document.getElementById('out').innerHTML += e.key};</script>
Now type on your keyboard: every key you press appears inside the injected <div id="out">. Because the stored name was rendered unescaped, the <script> ran as part of the page and registered a keypress handler, i.e. a stored XSS acting as a keylogger.
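As an added example (not code from the weba repository), here is the unescaped rendering the demo exploits next to the encoded version that fixes it. It assumes the address book builds its list markup by string concatenation (the real templates are not shown on this page) and feeds it the exact name from the demo.

```javascript
// Added example, not code from the weba repository: the unescaped rendering
// the demo exploits beside the HTML-encoded version that fixes it. The
// string-concatenation rendering is an assumption; the real templates are
// not on the page.

// The exact name entered in the demo (constructed here as a string literal).
const DEMO_PAYLOAD =
  'Charlie <div id="out"></div><script>document.onkeypress = function(e) ' +
  "{document.getElementById('out').innerHTML += e.key};</script>";

// Vulnerable: the stored name is interpolated into HTML as-is, so the <div>
// and <script> in the payload become real elements in the page.
function renderEntryVulnerable(name) {
  return `<li class="entry">${name}</li>`;
}

// Fix: HTML-encode the characters that can change context inside element
// content. This table covers text nodes only; values placed inside
// attributes, URLs or inline JavaScript need their own context-specific rules.
function escapeHtml(value) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => table[c]);
}

function renderEntrySafe(name) {
  return `<li class="entry">${escapeHtml(name)}</li>`;
}

// Check used in tests and when reviewing rendered output: does the HTML
// contain a real <script> element, or only encoded text?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable:', renderEntryVulnerable(DEMO_PAYLOAD));
console.log('safe:      ', renderEntrySafe(DEMO_PAYLOAD));
```

In a browser-side renderer the equivalent fix is to assign the name with textContent (or createTextNode) instead of innerHTML; encoding on output is what removes the bug, whereas the CSP below only contains it.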
CSP
Set the CSP header in the nginx config of the server or location block that serves the address book. Note that add_header directives inside a nested location block replace, rather than extend, those inherited from the enclosing level, so place it where the address book responses actually inherit it:
add_header Content-Security-Policy "default-src 'self'; script-src 'self';" always;
Reload nginx and repeat the demo. The stored name still lands in the page, but the inline script no longer runs: script-src 'self' permits only scripts loaded from the site's own origin and blocks inline ones, and the browser's developer console reports the blocked inline script as a CSP violation. CSP contains the injection here but does not remove it; the underlying bug, rendering the stored name without HTML encoding, is still present and should be fixed separately.
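To make the effect of the header concrete, the following added example (not from the weba repository) parses a Content-Security-Policy value and answers whether an inline script like the one the demo injects would execute. It models the script-src to default-src fallback, 'unsafe-inline', nonces and hashes; it is an illustration of the rules, not a full CSP implementation, and the policy strings it checks are constructed for the example.

```javascript
// Added example, not code from the weba repository: a small checker that
// parses a Content-Security-Policy header value and reports whether an inline
// <script> (such as the one the demo stores in the address book) may run.
// It is an illustration of the relevant CSP rules, not a complete implementation.

// Split "name src src; name src" into a Map of directive -> source list.
// Directive names are case-insensitive; a repeated directive is ignored,
// because browsers keep the first occurrence.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// attrs describes the inline script under evaluation, e.g. { nonce: 'r4nd0m' }
// or { hash: 'sha256-<base64 digest>' }; the demo's script carries neither.
function inlineScriptAllowed(header, attrs = {}) {
  // No header at all (the demo's starting point): nothing is restricted.
  if (!header || header.trim() === '') return true;
  const policy = parseCsp(header);
  // script-src governs scripts; default-src is the fallback when it is absent.
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true;

  const nonces = new Set();
  const hashes = new Set();
  let unsafeInline = false;
  for (const src of sources) {
    const m = /^'(nonce|sha256|sha384|sha512)-([^']+)'$/i.exec(src);
    if (m && m[1].toLowerCase() === 'nonce') nonces.add(m[2]);
    else if (m) hashes.add(`${m[1].toLowerCase()}-${m[2]}`);
    else if (src.toLowerCase() === "'unsafe-inline'") unsafeInline = true;
  }
  if (attrs.nonce !== undefined && nonces.has(attrs.nonce)) return true;
  if (attrs.hash !== undefined && hashes.has(attrs.hash)) return true;
  // Once a nonce or hash source is present, 'unsafe-inline' is ignored, so
  // only scripts carrying a matching nonce or hash may run.
  return unsafeInline && nonces.size === 0 && hashes.size === 0;
}

// The header value set in the nginx config above.
const DEMO_POLICY = "default-src 'self'; script-src 'self';";

console.log(`no header   -> inline script allowed: ${inlineScriptAllowed('')}`);
console.log(`demo policy -> inline script allowed: ${inlineScriptAllowed(DEMO_POLICY)}`);
```

Running it against the demo header returns false for the injected script, while a header that lists 'unsafe-inline' without any nonce or hash returns true, which is why 'unsafe-inline' in script-src would undo the mitigation.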