
https://github.com/dylanon/xss-csp-demo

Cross-site scripting demo to demonstrate Content-Security-Policy

README

# Cross-Site Scripting & Content Security Policy Demo

## Setup

Make sure you're using Node.js 10.x or greater.

Open a terminal and navigate to the project's root directory.

1. `yarn install`
2. `yarn start:server`
3. In a separate terminal (same directory): `yarn start:client`
4. In a separate terminal (same directory): `yarn start:evil`

## Demonstrate the vulnerability

1. Open the chat app at [http://localhost:4000?user=Bob](http://localhost:4000?user=Bob) in your browser window.
2. Open the chat app at [http://localhost:4000?user=Alice](http://localhost:4000?user=Alice) in an incognito/private window (to make sure cookies are not shared between the two windows).
3. Paste the following malicious message in the chat and press "Send":

```
How's it going?
```

4. Check the terminal that's running `evilServer.js`: you'll see that both the sender's (attacker's) and the recipient's cookies and localStorage have been stolen and logged!

## Demonstrate the fix with Content Security Policy

1. Close both chat app windows.
2. Open fixed versions at [http://localhost:4000/secure?user=Bob](http://localhost:4000/secure?user=Bob) in your browser window and [http://localhost:4000/secure?user=Alice](http://localhost:4000/secure?user=Alice) in an incognito/private window.
3. Send the malicious message again.
4. Note that although the malicious message was delivered to the recipient, the browser blocked the script execution, image loading, and inline styles. Checking the terminal running `evilServer.js` reveals that the attacker didn't receive any information.