
XSS Protection Options
Red Olive
Posted: Tuesday, May 12, 2020 3:30:19 AM
Rank: Member
Groups: Member

Joined: 2/18/2020
Posts: 10
Hi

When I use Chrome for the XSS attack test to inject a JavaScript alert, it works well and shows me the alert message.

But using EO, it does not happen, and it gives me this error in the console:

The XSS Auditor refused to execute a script in 'target' because its source code was found within the request. The auditor was enabled as the server did not send an 'X-XSS-Protection' header.

I tried to set an 'X-XSS-Protection' header and set its value to false, but also without success.

How do I get it to work like Chrome?

Another problem is that when I use a tabbed browser I can find the injected XSS in the page source (HTML), but when I use it without a tabbed browser and try GetHtml(), I cannot find the injected XSS inside the page source.
eo_support
Posted: Tuesday, May 12, 2020 10:03:22 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,217
Hi,

I am not sure if I understood you correctly. An XSS attack is not supposed to work. Allowing it would be a vulnerability. Are you saying that Chrome has a vulnerability and you want us to duplicate that vulnerability?

Page source and GetHtml() are two different things. Page source is the HTML you initially get from the server. GetHtml() is the current HTML. So, for example, if you have an HTML file with nothing but a small piece of JavaScript code that generates a huge table with 1000 rows, then page source will show you the JavaScript code, and GetHtml() will show you the table with 1000 rows.

Thanks!

