Is it possible to temporarily disable the XSS protection found in modern browsers for testing purposes?
I'm trying to explain to a co-worker what happens when one sends this to an XSS-vulnerable web form:
<script>alert("Danger");</script>
However, it appears that both Chrome and Firefox are preventing the XSS popup. Can I disable this protection so I can fully see the results of my actions?
In Chrome there is a flag with which you can start the browser. If you start the browser with this flag, you can do what you want:
--disable-web-security
For the convenience of those who don't know....
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --args --disable-web-security
Use the above as the path of the shortcut
If you only want to disable XSS you should use --disable-xss-auditor. A complete argument would be something like:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-xss-auditor
Make sure all chrome.exe processes are killed before running the command or it will have no effect. You can also pass more arguments if you wish; for example, I often use a proxy argument because I don't want to enable a proxy for my entire system.
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-xss-auditor --proxy-server=127.0.0.1:8080
You can redirect the user to another local web page when the form is submitted and print the infected data. Chrome will not detect that.
Hint: You can use sessions / cookies to store the infected data between the 2 pages.
Example in PHP:
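index.php
<?php
// Store the submitted value in a cookie, then redirect to the page that prints it.
if (isset($_POST['infected'])) {
    setcookie('infected', $_POST['infected']);
    header('Location: show.php');
    exit;
}
?>
<form action="index.php" method="POST">
<p>
Username: <input type="text" name="infected" />
<input type="submit" value="Add Comment" />
</p>
</form>
show.php
<?php
// Deliberately unescaped output, so the stored script runs for the demonstration.
echo $_COOKIE['infected'];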
Is use of the disable argument temporary? In limited testing it seems permanent. XSS-Auditor remains disabled in Chrome windows started without any xss-auditor argument. To turn it back on, use "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --enable-xss-auditor
I know this doesn't fix it, but it may just need a message on the sites for now until Google fixes it, something like, "If using Chrome you may experience....". I found that even though I get the error screen, the content does in fact go in the database. I just hit back to get back into the site, then go to the dashboard and it is there. Pain in the ass, but it is a workaround that doesn't need to set sites back.
You do not need to disable XSS protection.
If you cannot load your page, it is because your "testing" has discovered a fault you need to fix.
If you have no faults in your page, you will not be blocked by XSS.
Fix your HTML so it properly "escapes" all input data from the URL, and you will not see XSS warnings.
It is better to not disable this, because Chrome is better at looking through your HTML source for those errors than your eyeballs are!
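Added example, not part of the answers above: a hardened counterpart to the show.php page from the earlier answer, applying the escaping the last answer recommends in each output context. The file name show_safe.php, the helpers h() and js(), the element id and the CSP policy are assumptions for illustration.

```php
<?php
// show_safe.php (hypothetical file name): hardened counterpart of show.php.

// Defence in depth: forbid inline scripts even if an escape is missed somewhere.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
header('Content-Type: text/html; charset=UTF-8');

// Escape for HTML element content and quoted attribute values.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode for a JSON data block; the HEX flags stop "</script>" from closing the element early.
function js(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

// Same cookie the demo pages use; a constructed sample stands in when it is absent (e.g. a CLI run).
$raw = $_COOKIE['infected'] ?? '<script>alert("Danger");</script>';
if (!is_string($raw)) {
    $raw = ''; // cookies can arrive as arrays (infected[]=x); treat those as empty
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="UTF-8"><title>Comment</title></head>
<body>
<!-- HTML body context -->
<p>Comment: <?= h($raw) ?></p>
<!-- Quoted attribute context -->
<input type="text" name="infected" value="<?= h($raw) ?>">
<!-- Script context: the value is passed as JSON data, never concatenated into code -->
<script type="application/json" id="comment-data"><?= js($raw) ?></script>
</body>
</html>
```

With the value escaped per context, the browser renders the submitted markup as text, so the page loads the same way whether or not the browser's XSS filter is enabled.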