How to temporarily disable XSS protection in modern browsers for testing?

Is it possible to temporarily disable the XSS protection found in modern browsers for testing purposes?

I'm trying to explain to a co-worker what happens when one sends this to an XSS-vulnerable web form:

<script>alert("Danger");</script>

However, it appears that both Chrome and Firefox are preventing the XSS popup. Can I disable this protection so I can fully see the results of my actions?

Baucom answered 17/10, 2012 at 4:12 Comment(2)
I don't think any browser would block that script in case it really is served as part of the html sent from the server. - Mary
@Mary the browser usually blocks it if it is sent from the user and also returned by the server, not if it is just sent from the server. e.g. MyPage.aspx?id=<script>alert('s');</script> would be sent as the request, but if any part of the code appears in script in the response it may be blocked (i.e. not executed) by the browser. - Byre
C
27

In Chrome there is a flag with which you can start the browser. If you start the browser with this flag, you can do what you want:

--disable-web-security 
Consecutive answered 17/10, 2012 at 4:37 Comment(2)
@Zachary K: Is this for Chromium only? Maybe no longer possible? productforums.google.com/forum/#!topic/chrome/r-QGNb0MACo - Baucom
In Chrome 65.0.3325.181: “You are using an unsupported command-line flag: --disable-web-security.” The XSS auditor is not disabled. --disable-xss-auditor is still supported and works. - Single
H
22

For the convenience of those who don't know....

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --args --disable-web-security

Use the above as the path of the shortcut

Hooknosed answered 8/7, 2013 at 14:45 Comment(1)
This will only work when all chrome instances are closed before starting chrome with these commands. See #17679899 - Floreated
C
17

If you only want to disable XSS you should use --disable-xss-auditor. A complete argument would be something like:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-xss-auditor

Make sure all chrome.exe processes are killed before running the command or it will have no effect. You can also pass more arguments if you wish, for example I often use a proxy argument because I don't want to enable a proxy for my entire system.

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-xss-auditor --proxy-server=127.0.0.1:8080

Central answered 12/11, 2015 at 11:10 Comment(0)
T
2

You can redirect the user to another local web page when the form is submitted and print the infected data. Chrome will not detect that.

Hint: You can use sessions / cookies to store the infected data between the 2 pages.

Example in PHP:

index.php

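<?php
    // Keep the submitted value (deliberately unsanitized) in a cookie,
    // then redirect to the page that prints it.
    if (!empty($_POST['infected'])) {
        setcookie('infected', $_POST['infected']);
        header('Location: show.php');
        exit;
    }
?>

<form action="index.php" method="POST">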
    <p>
        Username: <input type="text" name="infected" />
        <input type="submit" value="Add Comment" />
    </p>
</form>

show.php

<?php
    echo $_COOKIE['infected']; // cookie set by index.php, printed unescaped on purpose
Tartuffe answered 3/6, 2017 at 19:58 Comment(0)
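
Why the redirect in the answer above goes unnoticed, as an added example (not part of the original answer, and not Chrome's actual implementation): a simplified model of a filter that, as the comments on the question describe, reacts only when script from the request comes back in the response. The function names, the URL/body-only comparison and the sample requests are assumptions made for illustration.

```javascript
// Simplified model of a reflection-based XSS filter (NOT Chrome's real XSS Auditor code).
// Assumption: only the URL query string and a form-encoded body are compared.

// Collect decoded parameter values from the query string and the request body.
function requestValues(url, body = "") {
  const query = url.includes("?") ? url.slice(url.indexOf("?") + 1) : "";
  const values = [];
  for (const part of [query, body]) {
    for (const [, value] of new URLSearchParams(part)) values.push(value);
  }
  return values;
}

// True when a request value that looks like script markup is echoed verbatim in the response.
function isReflected(url, body, responseHtml) {
  return requestValues(url, body).some(
    (v) => /<script\b/i.test(v) && responseHtml.includes(v)
  );
}

// Output encoding: the actual fix, independent of any browser-side filter.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c])
  );
}

// Constructed sample traffic, using the page names from the answer.
const payload = '<script>alert("Danger");</script>';
const encoded = encodeURIComponent(payload);

// Case 1: the value is echoed straight back in the response to the same request.
const reflected = isReflected("/index.php?infected=" + encoded, "", "<p>" + payload + "</p>");

// Case 2: the value was stored in a cookie by an earlier POST; the request for show.php
// carries no parameters, so the model has nothing to compare the response against.
const stored = isReflected("/show.php", "", payload);

// Case 3: the same reflected request, but the server escapes its output.
const escaped = isReflected("/index.php?infected=" + encoded, "", "<p>" + escapeHtml(payload) + "</p>");

console.log({ reflected, stored, escaped }); // { reflected: true, stored: false, escaped: false }
```

Case 3 shows the server-side fix: once output is escaped there is no script left in the response for any filter to block.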
B
1

Is use of disable argument temporary? In limited testing it seems permanent. XSS-Auditor remains disabled in Chrome windows started without any xss-auditor argument. To turn back on use "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --enable-xss-auditor

Blimp answered 12/5, 2017 at 14:3 Comment(0)
B
-1

I know this doesn't fix it but it may just need a message on the sites for now until Google fixes it. Something like, "If using Chrome you may experience....". I found that even though I get the error screen that the content does in fact go in the database. I just hit back to get back into the site. Then go to the dashboard and it is there. Pain in the ass but is a workaround that doesn't need to set sites back.

Blimp answered 7/4, 2017 at 16:7 Comment(0)
