
Crazy need to ENABLE cross site scripting

Yes, I need to enable cross site scripting for internal testing of an application I am working on. I would have used Chrome's disable-xss-auditor or disable-web-security switches, but it looks like they are no longer included in the chrome build:

http://src.chromium.org/svn/trunk/src/chrome/common/chrome_switches.cc

What I am basically trying to achieve is to have a JavaScript application running locally on pages served by Apache (also running locally) be allowed to run scripts from a resource running on another server on our network.

Failing a way to enable xss for Firefox, Chrome, or my least favourite - IE, would there be a way to run some kind of proxy process to modify headers to allow the xss to happen? Any quick way to use Apache mod rewrite or some such to do this?

Again, this is for testing only. In production, all these scripts run from the same server, so there isn't even a need to sign them, but during development and testing, it is much easier to work only on the parts of the application you are concerned with and not have to run the rest that requires a full-on application server setup.

ogradyjd asked Mar 22 '12 12:03


2 Answers

What you are asking for isn't cross-site scripting (which is a type of security vulnerability in which user input (e.g. from the URL) is injected into the page in such a way that third party scripts could be added via a link).

If you just want to run a script on a different server, then just use an absolute URI.

<script src="http://example.com/foo.js"></script>

If you need to perform Ajax requests to a remote server, use CORS or run a proxy on the current origin.

Again, this is for testing only

Just for testing, look at Charles Proxy. Its Map Remote feature allows you to (transparently) forward some requests to a remote server (based on wildcard URL matching).

Quentin answered Oct 08 '22 17:10


What you need is just a little passthrough service running on the first server that passes requests over to the second server, and returns the results it gets back from the second server.

You don't say what language the server side of your application is written in or what kind of data is passed to or returned from your service, so I can't be more specific than that, but it really should be about 15 lines of code to write the passthrough service.

dj_segfault answered Oct 08 '22 17:10
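
A development passthrough of the kind both answers describe, as an added example that is not code from either answer. It assumes Node 18+ (global `fetch`) and that the service is reachable under the page's own origin; `UPSTREAM`, `PREFIX`, the port and the host name are constructed placeholders. The target is pinned to one upstream and one path prefix so the passthrough cannot be used to reach arbitrary hosts.

```javascript
// Added example: same-origin passthrough for development use only.
// UPSTREAM and PREFIX are assumed values, not taken from the page.
const UPSTREAM = new URL("http://appserver.internal.example:8080"); // constructed host
const PREFIX = "/api/"; // only this path prefix is forwarded

// Map an incoming request path to the upstream URL.
// Returns null when the request must not be forwarded.
function resolveUpstream(rawPath) {
  if (typeof rawPath !== "string") return null;
  let target;
  try {
    target = new URL(rawPath, UPSTREAM); // also normalizes "../" segments
  } catch {
    return null;
  }
  // Absolute and protocol-relative inputs would change the origin: refuse them.
  if (target.origin !== UPSTREAM.origin) return null;
  // Check the prefix on the normalized path, not on the raw input.
  if (!target.pathname.startsWith(PREFIX)) return null;
  return target.href;
}

async function handle(req, res) {
  const target = resolveUpstream(req.url);
  if (!target) return void res.writeHead(404).end();
  if (!["GET", "HEAD"].includes(req.method)) return void res.writeHead(405).end();
  try {
    // redirect: "manual" keeps the upstream from steering us to another host.
    const upstream = await fetch(target, { method: req.method, redirect: "manual" });
    res.writeHead(upstream.status, {
      "content-type": upstream.headers.get("content-type") || "application/octet-stream",
    });
    res.end(Buffer.from(await upstream.arrayBuffer()));
  } catch {
    res.writeHead(502).end(); // upstream unreachable
  }
}

async function startProxy(port = 8081) {
  const http = await import("node:http");
  // Bind to loopback so the passthrough is not exposed to the network.
  return http.createServer(handle).listen(port, "127.0.0.1");
}

// Start only when asked to: node passthrough.js --serve
if (process.argv.includes("--serve")) startProxy();
```
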