label | el | code | ran |
---|---|---|---|
Inline eval | Original before eval-1 | | |
Eval from external | Original before eval-2 | js: generated.js | |
Eval from with nonce | Original before eval-nonce | js: generated.js | |
Element with style attribute | Style in element will make it purple | | |
Style with nonce | Style makes this blue | | |
Style without nonce | Style will make this red | | |
Style from stylesheet | Style will make this aqua | | |
Style from stylesheet | Secrets? | | |
Inline js without nonce | Inline JavaScript w/o nonce will change this color to green | | |
Inline js with nonce | Inline JavaScript w/ nonce will change this color to orange | | |
Remote stylesheet | Font awesome icon, remote style | | |
Remote stylesheet & fonts | Should be a fancy font if google fonts loaded | | |
Remote stylesheet & fonts | Should be fancy font if @import works in css for google fonts | | |
Youtube embed with script | | | |
Youtube embed (origin) | | | |
Vimeo embed | | | |
Local iframe with xss | Will change if xss triggers | | |
Local video | | | |
remote video | | | |
Remote image | | | |
Local image | | | |
Local image | | | |
image dataurl | | | |
image blob | | | |
Local form 1 | | | |
Local form 2 | | | |
Remote form 1 | | | |
Remote form 2 | | | |
Local AJAX call | Will change once AJAX is done | js: generated.js | |
Remote AJAX call to stripe | | js: generated.js | |
Twitter widget | Follow @dandr3ss | | |
Local audio | Source | | |
Local embed | | | |
Local embed svg | | | |
Load jquery from cloudflare | This changes if cloudflare jquery loads | js: generated.js | |
Script from jsdelivr | This changes if jsdelivr d3 loads | js: generated.js | |
Target blank | Tabby | | |
Target for another domain | Ebay.com | | |
A local webworker | Waiting for worker ... | | |

violator | directive | line | col | sample |
---|---|---|---|---|