CSP demo

CSP is active

This page uses the following CSP:

Content-Security-Policy: default-src 'self'

Payload

Server executes the below PHP code:

		// Deliberately vulnerable demo code: htmlentities() does not help here because the
		// onclick attribute is unquoted and the only accepted value, alert(1), contains no
		// character that htmlentities() encodes, so the handler reaches the browser intact.
		if (isset($_POST['xss']) && $_POST['xss'] === 'alert(1)') {
			echo "<p onclick=" . htmlentities($_POST['xss']) . ">click me!</p>";
		}

This leads to an obvious XSS.

BUT, thanks to CSP, the XSS payload won't run: the inline onclick handler is refused because default-src 'self' acts as the fallback for script-src and allows no inline script. You'll see a CSP violation message in your browser console.
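As an added example (not part of this demo page), a small Python checker that applies the rule the demo relies on: inline event handlers are governed by script-src, falling back to default-src, and run only under 'unsafe-inline' (which a nonce or hash source overrides) or under 'unsafe-hashes' together with the handler's own hash. The header strings and handler bodies below are constructed for the example.

```python
import base64
import hashlib
from typing import Dict, List

HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_hash(source: str) -> str:
    """CSP hash-source (sha256, base64) for an inline script or event-handler body."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_handler_allowed(header: str, handler_source: str) -> bool:
    """True if a browser enforcing `header` would run an inline event handler
    whose body is `handler_source` (e.g. the demo's onclick=alert(1))."""
    policy = parse_csp(header)
    # Inline handlers are governed by script-src; default-src is only the fallback.
    if "script-src" in policy:
        sources = policy["script-src"]
    elif "default-src" in policy:
        sources = policy["default-src"]
    else:
        return True  # neither directive present: the policy does not restrict script at all
    keywords = {s.lower() for s in sources}  # keyword sources compare case-insensitively
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith(HASH_PREFIXES) for s in keywords)
    # 'unsafe-inline' permits every handler, but is ignored once a nonce or hash source is listed.
    if "'unsafe-inline'" in keywords and not has_nonce_or_hash:
        return True
    # Otherwise a handler runs only with 'unsafe-hashes' plus a hash matching its exact body.
    if "'unsafe-hashes'" in keywords and script_hash(handler_source) in sources:
        return True
    return False


if __name__ == "__main__":
    page_policy = "default-src 'self'"  # the policy this demo page sends
    print(inline_handler_allowed(page_policy, "alert(1)"))  # → False: the demo payload is blocked
    print(inline_handler_allowed(page_policy + "; script-src 'self' 'unsafe-inline'", "alert(1)"))  # → True
```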
