Rank: Member Groups: Member
Joined: 2/18/2020 Posts: 10
Hi
When I use Chrome for the XSS attack test to inject a JavaScript alert, it works well and shows me the alert message.
But using EO, it does not happen, and it gives me this error in the console:
The XSS Auditor refused to execute a script in 'target' because its source code was found within the request. The auditor was enabled as the server did not send an 'X-XSS-Protection' header.
I tried to set an 'X-XSS-Protection' header and set its value to false, but also no success.
How do I get it to work like Chrome?
Another problem is that when I use a tabbed browser I can find the injected XSS in the page source (HTML), but when I use it without a tabbed browser and try GetHtml(), I cannot find the injected XSS inside the page source.
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,217
Hi,
I am not sure if I understood you correctly. An XSS attack is not supposed to work. Allowing it would be a vulnerability. Are you saying that Chrome has a vulnerability and you want us to duplicate that vulnerability?
Page source and GetHtml() are two different things. Page source is the HTML you initially get from the server. GetHtml is the current HTML. So for example, if you have an HTML file with nothing but a small piece of JavaScript code that generates a huge table with 1000 rows, then page source will show you the JavaScript code, and GetHtml will show you the table with 1000 rows.
Thanks!
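Added example, not from this thread and not part of the EO product: a small Python audit helper covering the two mechanisms the thread touches. First, it interprets an X-XSS-Protection response header the way browsers that still ship the XSS Auditor read it (an absent header, or an unparseable value such as the "false" tried above, leaves the auditor in its default filter mode; only "0" disables it). Second, it reproduces in simplified form the auditor's core check: whether a request parameter value is echoed verbatim inside a <script> element of the raw server response, which is the "page source" view, as opposed to the post-script DOM that GetHtml() returns. The XSS Auditor that prints the quoted console message was removed from Chrome in version 78, so a current Chrome will never show it while an older embedded Chromium still can. All URLs, headers and response bodies below are constructed for the demonstration.

```python
"""Audit helper (added example): X-XSS-Protection parsing and a raw-source
reflected-parameter check. Sample inputs are constructed, not captured."""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit


@dataclass
class XssProtectionPolicy:
    raw: Optional[str]
    enabled: bool            # is the auditor active for this response?
    mode_block: bool         # "1; mode=block": block the page instead of neutering the script
    report_uri: Optional[str]
    problems: List[str] = field(default_factory=list)


def parse_x_xss_protection(value: Optional[str]) -> XssProtectionPolicy:
    """Interpret the header as the legacy auditor did.
    Absent header  -> auditor enabled in default (filter) mode; this is
                      exactly the situation the console message reports.
    '0'            -> auditor disabled.
    '1[; mode=block][; report=<uri>]' -> enabled with optional directives.
    Anything else  -> unparseable; the browser keeps its default (enabled)."""
    if value is None:
        return XssProtectionPolicy(None, True, False, None,
                                   ["header absent: auditor runs in default filter mode"])
    parts = [p.strip() for p in value.split(";")]
    head, directives = parts[0], parts[1:]
    policy = XssProtectionPolicy(value, True, False, None)
    if head == "0":
        policy.enabled = False
        return policy
    if head != "1":
        policy.problems.append(
            f"unrecognised value {head!r}; browsers ignore it and keep the default (auditor enabled)")
        return policy
    for directive in directives:
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "mode" and arg.strip().lower() == "block":
            policy.mode_block = True
        elif name == "report" and arg.strip():
            policy.report_uri = arg.strip()
        elif name:
            policy.problems.append(f"unknown directive {directive!r}")
    return policy


class _ScriptCollector(HTMLParser):
    """Collect the text content of every <script> element in raw HTML."""
    def __init__(self) -> None:
        super().__init__()
        self._in_script = False
        self.scripts: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def reflected_script_params(url: str, response_body: str, min_len: int = 8) -> Dict[str, str]:
    """Return {param: value} for every query parameter whose value appears
    verbatim inside a <script> body of the raw response. This inspects the
    server's HTML as delivered (the "page source"); it says nothing about the
    DOM after scripts have run, which is what GetHtml() returns. Short values
    are skipped to limit accidental matches."""
    collector = _ScriptCollector()
    collector.feed(response_body)
    hits: Dict[str, str] = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=False):
        if len(value) >= min_len and any(value in s for s in collector.scripts):
            hits[name] = value
    return hits


# Constructed sample: a search page that copies the query into inline script.
SAMPLE_URL = "https://app.example/search?q=hello+world+test&page=2"
SAMPLE_BODY = """<html><body>
<h1>Results</h1>
<script>var query = "hello world test"; render(query);</script>
</body></html>"""

if __name__ == "__main__":
    for hdr in (None, "false", "0", "1; mode=block"):
        print(repr(hdr), "->", parse_x_xss_protection(hdr))
    print("reflected into script:", reflected_script_params(SAMPLE_URL, SAMPLE_BODY))
```

The reflection check is deliberately a heuristic on raw source, the same kind the auditor used, so a value that is safely quoted inside a JavaScript string still matches; treat a hit as "needs review of the output encoding", not as a confirmed finding. The header parser shows why setting the value to false had no effect: it is not one of the recognised forms, so the auditor stayed on. A Content-Security-Policy is the supported replacement for the deprecated header in current browsers.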