How to temporarily disable XSS protection in modern browsers for testing?

Question

Is it possible to temporarily disable the XSS protection found in modern browsers for testing purposes?

I'm trying to explain to a co-worker what happens when one sends this to an XSS-vulnerable web form:

<script>alert("Danger");</script>

However, it appears that both Chrome and Firefox are preventing the XSS popup. Can I disable this protection so I can fully see the results of my actions?

Answer 1

In Chrome there is a flag with which you can start the browser. If you start the browser with this flag, you can do what you want:

--disable-web-security 

Answer 2

For the convenience of those who don't know....

"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" --args --disable-web-security

Use the above as the path of the shortcut

Answer 3

If you only wan't to disable XSS you should use --disable-xss-auditor . A complete argument would be something like:

"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" --disable-xss-auditor

Make sure all chrome.exe processes are killed before running the command or it will have no effect. You can also pass more arguments if you wish, for example I often use a proxy argument because I don't want to enable a proxy for my entire system.

"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" --disable-xss-auditor --proxy-server=127.0.0.1:8080

Answer 4

You can redirect the user to another local web page when the form is submitted and print the infected data. Chrome will not detect that.

Hint: You can use sessions / cookies to store the infected data between the 2 pages.

Example in PHP:

index.php

<?php    
    setcookie('infected', $_POST['infected']);

    if($_POST['infected'])
        header('location: show.php');
?>

<form action="index.php" method="POST" />
    <p>
        Username: <input type="text" name="infected" />
        <input type="submit" value="Add Comment" />
    </p>
</form>

show.php

echo $_COOKIE['data'];

Answer 5

Is use of disable argument temporary? In limited testing it seems permanent. XSS-Auditor remains disabled in Chrome windows started without any xss-auditor argument. To turn back on use "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" --enable-xss-auditor

Answer 6

I know this doesn't fix it but it may just need a message on the sites for now until Google fixes it. something like, "If using Chrome you may experience....". I found that even though I get the error screen that the content does in fact go in the database. I just hit back to get back into the site. Then go to the dashboard and it is there. Pain in the ass but is a work around that doesn't need to set sites back.

Answer 7

You do not need to disable XSS protection.

If you cannot load your page, it is because your "testing" has discovered a fault you need to fix.

If you have no faults in your page, you will not be blocked by XSS.

Fix your HTML so it properly "escapes" all input data from the URL, and you will not see XSS warnings.

It is better to not disable this, because chrome is better at looking through your HTML source for those errors than your eyeballs are!