How to temporarily disable XSS protection in modern browsers for testing?
Solution 1
In Chrome there is a flag with which you can start the browser. If you start the browser with this flag, you can do what you want:
--disable-web-security
Solution 2
For the convenience of those who don't know....
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --args --disable-web-security
Use the above as the path of the shortcut
Solution 3
If you only wan't to disable XSS you should use --disable-xss-auditor
. A complete argument would be something like:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-xss-auditor
Make sure all chrome.exe processes are killed before running the command or it will have no effect. You can also pass more arguments if you wish, for example I often use a proxy argument because I don't want to enable a proxy for my entire system.
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-xss-auditor --proxy-server=127.0.0.1:8080
Solution 4
You can redirect the user to another local web page when the form is submitted and print the infected data. Chrome will not detect that.
Hint: You can use sessions / cookies to store the infected data between the 2 pages.
Example in PHP:
index.php
<?php
setcookie('infected', $_POST['infected']);
if($_POST['infected'])
header('location: show.php');
?>
<form action="index.php" method="POST" />
<p>
Username: <input type="text" name="infected" />
<input type="submit" value="Add Comment" />
</p>
</form>
show.php
echo $_COOKIE['data'];
Solution 5
Is use of disable argument temporary? In limited testing it seems permanent. XSS-Auditor remains disabled in Chrome windows started without any xss-auditor argument. To turn back on use "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --enable-xss-auditor
richardkmiller
Building software for genealogists at www.goldiemay.com.
Updated on July 09, 2022Comments
-
richardkmiller almost 2 years
Is it possible to temporarily disable the XSS protection found in modern browsers for testing purposes?
I'm trying to explain to a co-worker what happens when one sends this to an XSS-vulnerable web form:
<script>alert("Danger");</script>
However, it appears that both Chrome and Firefox are preventing the XSS popup. Can I disable this protection so I can fully see the results of my actions?
-
richardkmiller over 11 years@Zachary K: Is this for Chromium only? Maybe no longer possible? productforums.google.com/forum/#!topic/chrome/r-QGNb0MACo
-
Timo002 over 10 yearsThis will only work when all chrome instances are closed before starting chrome with these commands. See stackoverflow.com/questions/17679399/…
-
Franklin Yu about 6 yearsIn Chrome 65.0.3325.181: “You are using an unsupported command-line flag: --disable-web-security.” The XSS auditor is not disabled.
--disable-xss-auditor
is still supported and works.