www.content-security-policy.info (2a01:238:20a:202:1163::)

URL: https://www.content-security-policy.info/
Submission: On July 15 via automatic, source certstream-suspicious — Scanned from DE

Form analysis: 1 form found in the DOM

POST index.php

<form action="index.php" method="POST">
  <textarea id="xss" name="xss" rows="5" cols="125"></textarea><br>
  <input type="submit" value="Print!"> <!-- onclick="..." doesn't work due to CSP ^^ -->
</form>

Text Content

CONTENT SECURITY POLICY (CSP)

CSP is a mitigation technique preventing unwanted scripts from being executed in
case of an XSS vulnerability on a website.


CSP may be defined via the Content-Security-Policy HTTP response header, or
alternatively using the HTML <meta> tag as done on this site (note that not all
features are supported when using the <meta> tag).

The CSP for this website is:
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd'
'nonce-wxyz' 'sha256-mbUqeqrWHlx2EmgPldmAK0AOTRUtEmMtKOZY9SUKId8='
'strict-dynamic'; img-src 'self' http://*.google.com;" />


Your input will get printed here, unescaped (suppose this was some sort of XSS
vulnerability):
Your input:

Here are some things you might want to try out:


 * <b>Hello World</b>
 * <script>alert("will not work!")</script>
 * <script>alert("works due to correct hash!")</script>
 * <script nonce="abcd">alert("works!")</script>
 * <script nonce="wxyz">alert("works too!")</script>
 * <script nonce="foo">alert("will not work!")</script>
 * <img src="" onerror="alert('will not work!')">
 * <img src="http://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png" />
 * <img src="https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png" />
 * <img src="http://de.wikipedia.org/static/images/project-logos/dewiki-2x.png" />
 * <img src="https://de.wikipedia.org/static/images/project-logos/dewiki-2x.png" />
 * This works only because 'strict-dynamic' is set: <script nonce="wxyz">s=document.createElement("script");s.innerText="alert('works!')";document.body.appendChild(s);</script>
 * <script nonce="abcd">document.write('<script nonce="wxyz">alert(1337)<'+'/script>');</script>
 * <script nonce="abcd">document.write('<script>alert(1337)<'+'/script>');</script>
© 2023 Kendrick Grünberg | See also: same-origin-policy.info ; set-cookie.info ; xsrf.me