www.content-security-policy.info
2a01:238:20a:202:1163::
Public Scan
URL: https://www.content-security-policy.info/
Submission: On July 15 via automatic, source certstream-suspicious — Scanned from DE
Form analysis
1 form found in the DOM: POST index.php
<form action="index.php" method="POST">
<textarea id="xss" name="xss" rows="5" cols="125"></textarea><br>
<input type="submit" value="Print!"> <!-- onclick="..." doesn't work due to CSP ^^ -->
</form>
Text Content
CONTENT SECURITY POLICY (CSP)

CSP is a mitigation technique that prevents unwanted scripts from being executed when a website has an XSS vulnerability. CSP may be defined via the Content-Security-Policy HTTP response header, or alternatively using the HTML <meta> tag as done on this site (note that not all features are supported when using the <meta> tag).

The CSP for this website is:

<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd' 'nonce-wxyz' 'sha256-mbUqeqrWHlx2EmgPldmAK0AOTRUtEmMtKOZY9SUKId8=' 'strict-dynamic'; img-src 'self' http://*.google.com;" />

Your input will get printed here, unescaped (suppose this was some sort of XSS vulnerability):

Your input:

Here are some things you might wanna try out:

* <b>Hello World</b>
* <script>alert("will not work!")</script>
* <script>alert("works due to correct hash!")</script>
* <script nonce="abcd">alert("works!")</script>
* <script nonce="wxyz">alert("works too!")</script>
* <script nonce="foo">alert("will not work!")</script>
* <img src="" onerror="alert('will not work!')">
* <img src="http://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png" />
* <img src="https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png" />
* <img src="http://de.wikipedia.org/static/images/project-logos/dewiki-2x.png" />
* <img src="https://de.wikipedia.org/static/images/project-logos/dewiki-2x.png" />
* This works only because 'strict-dynamic' is set: <script nonce="wxyz">s=document.createElement("script");s.innerText="alert('works!')";document.body.appendChild(s);</script>
* <script nonce="abcd">document.write('<script nonce="wxyz">alert(1337)<'+'/script>');</script>
* <script nonce="abcd">document.write('<script>alert(1337)<'+'/script>');</script>

© 2023 Kendrick Grünberg | View source code | Contact | See also: same-origin-policy.info ; set-cookie.info ; xsrf.me