38

Is it possible to temporarily disable the XSS protection found in modern browsers for testing purposes?

I'm trying to explain to a co-worker what happens when one sends this to an XSS-vulnerable web form:

<script>alert("Danger");</script>

However, it appears that both Chrome and Firefox are preventing the XSS popup. Can I disable this protection so I can fully see the results of my actions?

richardkmiller
  • 2
    I don't think any browser would block that script in case it really is served as part of the html sent from the server. – Delta Oct 17 '12 at 04:20
  • 4
    @Delta the browser usually blocks it if it is sent from the user and also returned by the server, not if it is just sent from the server. e.g. `MyPage.aspx?id= – SilverlightFox Oct 18 '12 at 11:13

6 Answers

26

In Chrome there is a flag with which you can start the browser. If you start the browser with this flag, you can do what you want:

--disable-web-security 
Dave Jensen
Zachary K
  • 6
    @Zachary K: Is this for Chromium only? Maybe no longer possible? http://productforums.google.com/forum/#!topic/chrome/r-QGNb0MACo – richardkmiller Oct 31 '12 at 22:57
  • 5
    In Chrome 65.0.3325.181: “*You are using an unsupported command-line flag: --disable-web-security.*” The XSS auditor is *not* disabled. `--disable-xss-auditor` is still supported and works. – Franklin Yu Apr 02 '18 at 14:56
22

For the convenience of those who don't know....

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --args --disable-web-security

Use the above as the path of the shortcut

Shawn Sim
  • 10
    This will only work when all chrome instances are closed before starting chrome with these commands. See http://stackoverflow.com/questions/17679399/does-disable-web-security-work-in-chrome-anymore – Timo002 Oct 29 '13 at 11:08
17

If you only want to disable XSS you should use --disable-xss-auditor. A complete argument would be something like:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-xss-auditor

Make sure all chrome.exe processes are killed before running the command or it will have no effect. You can also pass more arguments if you wish; for example, I often use a proxy argument because I don't want to enable a proxy for my entire system.

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-xss-auditor --proxy-server=127.0.0.1:8080

Ogglas
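An alternative to launch flags, as an added example (not code from any answer on this page): browsers that ship a reflected-XSS filter honour the `X-XSS-Protection` response header, so a local test page can send `X-XSS-Protection: 0` on its vulnerable route only and leave the browser's own settings untouched. The route names, the `name` parameter and the `XSS_DEMO_PORT` variable are assumptions made for this demo; `/fixed` returns the same page with HTML escaping applied.

```javascript
// Added example: a loopback-only test page for demonstrating reflected XSS.
// Route names, the "name" parameter and XSS_DEMO_PORT are assumptions.

// Escape the five HTML-significant characters before output.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Build the response for a request URL without touching the network,
// so the behaviour can be checked without starting a server.
function handle(rawUrl) {
  const url = new URL(rawUrl, "http://127.0.0.1");
  const name = url.searchParams.get("name") ?? "";
  const headers = { "Content-Type": "text/html; charset=utf-8" };
  if (url.pathname === "/vulnerable") {
    // Opt this one response out of the browser's legacy XSS filter/auditor.
    headers["X-XSS-Protection"] = "0";
    // Deliberately unescaped: this is the bug being demonstrated.
    return { status: 200, headers, body: `<p>Hello ${name}</p>` };
  }
  if (url.pathname === "/fixed") {
    // Same page with output encoding: the markup is shown as text.
    return { status: 200, headers, body: `<p>Hello ${escapeHtml(name)}</p>` };
  }
  return { status: 404, headers, body: "<p>Not found</p>" };
}

// Start the server only when XSS_DEMO_PORT is set, and bind to loopback only.
if (process.env.XSS_DEMO_PORT) {
  require("http").createServer((req, res) => {
    const r = handle(req.url);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(Number(process.env.XSS_DEMO_PORT), "127.0.0.1");
}
```

Start it with `XSS_DEMO_PORT=8000 node demo.js` (file name assumed) and open both routes with the same `name` value to compare the results.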
2

You can redirect the user to another local web page when the form is submitted and print the infected data. Chrome will not detect that.

Hint: You can use sessions / cookies to store the infected data between the 2 pages.

Example in PHP:

index.php

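<?php
    // Store the submitted value (unescaped, on purpose) and redirect to show.php.
    if (!empty($_POST['infected'])) {
        setcookie('infected', $_POST['infected']);
        header('Location: show.php');
        exit;
    }
?>

<form action="index.php" method="POST">
    <p>
        Username: <input type="text" name="infected" />
        <input type="submit" value="Add Comment" />
    </p>
</form>

show.php

<?php // Echoed without escaping on purpose, so the stored value is rendered as HTML.
echo $_COOKIE['infected'];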
Ahmed Sonbaty
1

Is use of disable argument temporary? In limited testing it seems permanent. XSS-Auditor remains disabled in Chrome windows started without any xss-auditor argument. To turn back on use "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --enable-xss-auditor

Eric
-1

I know this doesn't fix it but it may just need a message on the sites for now until Google fixes it. Something like, "If using Chrome you may experience....". I found that even though I get the error screen, the content does in fact go in the database. I just hit back to get back into the site. Then go to the dashboard and it is there. Pain in the ass but it is a workaround that doesn't need to set sites back.

Eric