Reputation: 1178
I'm trying to test XSS vulnerabilities on some sites for a security class and I can't figure out why the script injected in the following page doesn't get executed. Basically, I insert some values in an input form and the server replies with this response:
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" conent="IE-edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>NECSTFeedback</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
<link href="/static/css.css" rel="stylesheet">
</head>
<body>
<div class="container">
<div class="header clearfix">
<h3 class="text-muted">The NECSTFeedback</h3>
</div>
<h1>Report</h1>
<p><b>Subject: </b>sk</p>
<p><b>Sender: </b>as</p>
<div class="rpt-content">
<p><b>Message: </b></p>
<!-- This is my script -->
<script> alert('Hi')</script>
</div>
<p><b>Attachment: </b><a href="/attachment/58224c5bd967459c925a88eb21799384"></a></p>
</div>
</body>
</html>
I have the suspicion that it's because of the CSP header, but I'm not too sure. Btw, here is a list of the headers.
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 25 May 2016 19:18:31 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Security-Policy: default-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/; font-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/
Upvotes: 0
Views: 146
Reputation: 664206
I have the suspicion that it's because of the CSP header, but I'm not too sure.
Content-Security-Policy: default-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/; font-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/
Yes indeed.
The content security policy spec says here:
If 'unsafe-inline' is not in the list of allowed script sources […]:
Whenever the user agent would execute an inline script from a <script>
element […], instead the user agent MUST NOT execute script […].
That 'self' in the header does definitely disallow inline scripts.
Upvotes: 2
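As an added example (not part of the question or the answer above), a small Python check that applies the quoted CSP rule to the page's own header: inline scripts are governed by script-src, which falls back to default-src when absent, and without 'unsafe-inline' (or a nonce/hash on the element) the inline script is refused. The header variants other than the page's own are constructed for illustration.

```python
# Added example: decide whether a Content-Security-Policy header lets inline
# <script> elements execute, following CSP Level 2 semantics. Not code from the
# original post; PAGE_CSP is the header quoted in the question, the other
# policies passed to it below are constructed test inputs.
from typing import Optional

PAGE_CSP = ("default-src 'self'; "
            "style-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/; "
            "font-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/")

# nonce-source / hash-source prefixes; their presence makes 'unsafe-inline' ignored
NONCE_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}.
    Directive names are case-insensitive; a repeated directive is ignored."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy: dict) -> Optional[list]:
    """script-src controls inline scripts; default-src is the fallback.
    Returns None when neither is present (scripts are unrestricted)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def inline_script_allowed(header: str) -> tuple:
    """Return (allowed, reason) for a plain inline <script> with no nonce/hash."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return True, "no script-src or default-src: inline scripts are unrestricted"
    keywords = {s.lower() for s in sources}
    has_nonce_or_hash = any(s.startswith(NONCE_HASH_PREFIXES) for s in keywords)
    if has_nonce_or_hash:
        # CSP2: any nonce/hash source switches 'unsafe-inline' off
        return False, "only inline scripts with a matching nonce or hash run"
    if "'unsafe-inline'" in keywords:
        return True, "'unsafe-inline' present: inline scripts run"
    return False, "no 'unsafe-inline': the browser refuses the inline <script>"
```

Running `inline_script_allowed(PAGE_CSP)` returns `(False, ...)`, which is exactly the behaviour observed in the question; the alert never fires even though the script is reflected into the page.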