Bypass XSS Protection in PHP #571
Comments
|
Hi @lycoxz. That's a complicated question and there's no easy answers. It depends on the specific case you're testing. The most common case for XSS protection is that response headers (e.g. content-security policy) for the page are being used to restrict the scripts running within the given site. You can disable these for testing with HTTP Toolkit (e.g. with a 'Transform' mock rule that updates the "content-security-policy" header to "") but note that HTTP Toolkit can only help you with local testing like this - it doesn't affect the XSS protection on the real site at all. |
|
how to input in php curl " content-security-policy" and what is this
Pada Jum, 22 Mar 2024 pukul 16.23 Tim Perry ***@***.***>
menulis:
… Hi @lycoxz <https://github.com/lycoxz>. That's a complicated question and
there's no easy answers. It depends on the specific case you're testing.
The most common case for XSS protection is that response headers (e.g.
content-security policy) for the page are being used to restrict the
scripts running within the given site. You can disable these for testing
with HTTP Toolkit (e.g. with a 'Transform' mock rule that updates the
"content-security-policy" header to "") but note that HTTP Toolkit can only
help you with local testing like this - it doesn't affect the XSS
protection on the real site at all.
—
Reply to this email directly, view it on GitHub
<#571 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AUHSRNL23YSOM3JCOJTTP5DYZPZ73AVCNFSM6AAAAABFCVTXZ6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMJUGY4DAMZSGE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Content security policy is a response header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy. The server sends it to the web browser, and it defines some rules about what scripts can run in the page and what they can do. That makes XSS much more difficult, since it blocks loading scripts or sending data elsewhere (among other things). In terms of PHP & curl I'm not really sure what you're asking. It's a response header, not a request header. I'm happy to give some pointers, but I think this sounds like a more general problem than an HTTP Toolkit question, so I can't handle this for you, and to share any more info I think I'll need a lot more context - it would be helpful if you could explain in much more detail what you're trying to do and what you've tried so far. |
|
Thanks for your explanation.
I don't know what curl is used for in the http toolkit, I tried
sending a request in another application to make the send request get
xss protection but when I send a request in the http toolkit it works
as if it will bypass the xss protection, please help to implement it
in php curl
Pada Jum, 22 Mar 2024 pukul 19.53 Tim Perry ***@***.***>
menulis:
… Content security policy is a response header:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy.
The server sends it to the web browser, and it defines some rules about
what scripts can run in the page and what they can do. That makes XSS much
more difficult, since it blocks loading scripts or sending data elsewhere
(among other things).
In terms of PHP & curl I'm not really sure what you're asking. It's a
response header, not a request header.
I'm happy to give some pointers, but I think this sounds like a more
general problem than an HTTP Toolkit question, so I can't handle this for
you, and to share any more info I think I'll need a lot more context - it
would be helpful if you could explain in much more detail what you're
trying to do and what you've tried so far.
—
Reply to this email directly, view it on GitHub
<#571 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AUHSRNISBN6OVTMTDJJ6RITYZQSTDAVCNFSM6AAAAABFCVTXZ6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMJVGA2DEMBQHA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Thanks for your reply.
I don't know what curl is used for in the http toolkit, I tried sending a
request in another application to make the send request get xss protection
but when I send a request in the http toolkit it works as if it will bypass
the xss protection, please help to implement it in php curl '(
Pada Jum, 22 Mar 2024 pukul 19.53 Tim Perry ***@***.***>
menulis:
… Content security policy is a response header:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy.
The server sends it to the web browser, and it defines some rules about
what scripts can run in the page and what they can do. That makes XSS much
more difficult, since it blocks loading scripts or sending data elsewhere
(among other things).
In terms of PHP & curl I'm not really sure what you're asking. It's a
response header, not a request header.
I'm happy to give some pointers, but I think this sounds like a more
general problem than an HTTP Toolkit question, so I can't handle this for
you, and to share any more info I think I'll need a lot more context - it
would be helpful if you could explain in much more detail what you're
trying to do and what you've tried so far.
—
Reply to this email directly, view it on GitHub
<#571 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AUHSRNISBN6OVTMTDJJ6RITYZQSTDAVCNFSM6AAAAABFCVTXZ6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMJVGA2DEMBQHA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Curl isn't used in HTTP Toolkit. This question doesn't really make any sense I'm afraid. From your description, it doesn't sound like you're talking about XSS at all - XSS only exists in browsers, and it's not something you can control with different types of requests. Can you explain the full context of what you're trying to do, what you're currently doing (in detail) and what's currently happening? It would be useful if you could also share all the relevant code you're running and screenshots of the issues you're seeing. |
Please How to Bypass XSS Protection in PHP
Does this affect you too? Click below and add a 👍 to vote for this and help decide where HTTP Toolkit goes next, or go vote on the other most popular ideas so far.
The text was updated successfully, but these errors were encountered: