
I'm trying to test XSS vulnerabilities on some sites for a security class and I can't figure out why the script injected in the following page doesn't get executed. Basically, I insert some values in an input form and the server replies with this response:

<!doctype html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" conent="IE-edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>NECSTFeedback</title>
    <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
    <link href="/static/css.css" rel="stylesheet">
</head>
<body>
<div class="container">
    <div class="header clearfix">
        <h3 class="text-muted">The NECSTFeedback</h3>
    </div>

<h1>Report</h1>
<p><b>Subject: </b>sk</p>
<p><b>Sender: </b>as</p>
<div class="rpt-content">
    <p><b>Message: </b></p>
               <!-- This is my script -->
               <script> alert('Hi')</script>
</div>

<p><b>Attachment: </b><a href="/attachment/58224c5bd967459c925a88eb21799384"></a></p>

</div>
</body>
</html>

I have the suspicion that it's because of the CSP header, but I'm not too sure. Btw, here is a list of the headers.

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 25 May 2016 19:18:31 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Security-Policy: default-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/; font-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/
  • Well, yes, have you looked up how CSP works? You should be able to find out. Commented May 25, 2016 at 19:27

1 Answer


I have the suspicion that it's because of the CSP header, but I'm not too sure.

Content-Security-Policy: default-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/; font-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/

Yes indeed.

The content security policy spec says here:

If 'unsafe-inline' is not in the list of allowed script sources […]: Whenever the user agent would execute an inline script from a <script> element […], instead the user agent MUST NOT execute script […].

That self in the header does definitely disallow inline scripts.


2 Comments

I see now, I think I skipped over the 'unsafe-inline' directive entirely. So, because of default-src 'self', basically the only way to have JavaScript code executed in this page is from a source file coming from the same domain as the server itself, am I right?
@tigerjack89 Yes, exactly.
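As an added example (not code from the question or the answer), the following Python check applies the rule discussed above: script-src falls back to default-src when absent, and an inline <script> runs only if that effective source list contains 'unsafe-inline' (and no nonce or hash source, which makes browsers ignore 'unsafe-inline'). The header value is copied from the question; the page and script URLs are constructed, and host-source matching is simplified (no wildcards or path semantics).

```python
"""Evaluate a Content-Security-Policy header for how it treats <script>."""
from urllib.parse import urlsplit

# Header value as shown in the question (copied, not invented).
CSP_FROM_QUESTION = (
    "default-src 'self'; "
    "style-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/; "
    "font-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/"
)


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}.
    Directives are ';'-separated; the first token of each is its name.
    A repeated directive is ignored, as browsers do."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy):
    """script-src governs scripts; if absent, default-src applies instead."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def inline_script_allowed(policy):
    """Inline <script> executes only with 'unsafe-inline' in the effective
    list and no nonce/hash source (those make 'unsafe-inline' ignored)."""
    if "script-src" not in policy and "default-src" not in policy:
        return True  # nothing restricts scripts at all
    sources = [s.lower() for s in effective_script_sources(policy)]
    nonce_or_hash = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    if any(s.startswith(nonce_or_hash) for s in sources):
        return False
    return "'unsafe-inline'" in sources


def external_script_allowed(policy, page_url, script_url):
    """Simplified host matching: 'self' means same scheme, host and port;
    a URL source must be a prefix of the script URL. 'none' matches nothing."""
    page, script = urlsplit(page_url), urlsplit(script_url)
    for src in effective_script_sources(policy):
        if src.lower() == "'self'":
            if (page.scheme, page.netloc) == (script.scheme, script.netloc):
                return True
        elif src.lower().startswith("http") and script_url.startswith(src):
            return True
    return False
```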
