Vulnerable Page

With Optional Content Security Policy and "X-XSS-Protection" Header(s)

(see tables at the bottom of this page)

!!!Fixed by MS14-080!!!

This demo works on pre-MS14-080 Internet Explorer only.

The December 2014 "Patch Tuesday" update contained a fix for this injection type, and it no longer works on up-to-date versions of Internet Explorer.

These should still work on Internet Explorer 8 on Windows XP and on Internet Explorer 9/10/11 browsers that have not been updated with MS14-080.


The injection lands on a vulnerable page. The injected JavaScript would normally execute when the link is clicked.

Source of "vulnPage.php"

Try this partially decimal-encoded injection:

Try this partially hexadecimal-encoded injection:

Try this partially double-URL-encoded injection:

Try this partially named-entity-encoded injection (Internet Explorer 10 & 11 only, because it uses "."; for earlier versions replace every instance of "%26period%3B" with "%252E"):

Table 1 of 2: To add the Content Security Policy header of choice, refer to the following table:

Content Security Policy Options

| CSP header(s) desired | HTTP Response Header(s) | Query string parameter/value pair (add to injection) |
|---|---|---|
| None | N/A | N/A |
| All 3 CSP headers | Content-Security-Policy: script-src 'self'; + X-Content-Security-Policy: script-src 'self'; + X-Webkit-CSP: script-src 'self'; | csp=0 |
| Just the official CSP header (Chrome 25+, Firefox 23+, Opera 19+, "Spartan"/Edge) | Content-Security-Policy: script-src 'self'; | csp=1 |
| Just the header recognized by Internet Explorer 10 & 11 | X-Content-Security-Policy: script-src 'self'; | csp=2 |
| Just the header recognized by Chrome 14 through 24 & Safari 6+ | X-Webkit-CSP: script-src 'self'; | csp=3 |
| Both the official and the Internet Explorer-recognized headers | Content-Security-Policy: script-src 'self'; + X-Content-Security-Policy: script-src 'self'; | csp=4 |
| Both the official and the Chrome 14 through 24 & Safari 6+-recognized headers | Content-Security-Policy: script-src 'self'; + X-Webkit-CSP: script-src 'self'; | csp=5 |
| Both the Internet Explorer-recognized and the Chrome 14 through 24 & Safari 6+-recognized headers | X-Content-Security-Policy: script-src 'self'; + X-Webkit-CSP: script-src 'self'; | csp=6 |


Table 2 of 2: To add the X-XSS-Protection header of choice, refer to the following table:

X-XSS-Protection Options

| X-XSS-Protection desired | HTTP Response Header | Query string parameter/value pair (add to injection) |
|---|---|---|
| None | N/A | N/A |
| Disable XSS protection | X-XSS-Protection: 0 | xph=0 |
| Enable XSS protection | X-XSS-Protection: 1 | xph=1 |
| Enable XSS protection, block rendering of the page | X-XSS-Protection: 1; mode=block | xph=2 |
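The following is an added example, not the source of vulnPage.php or any other code from this demo site. It is a minimal Python WSGI application that emits the response headers selected by the csp= and xph= query values exactly as Tables 1 and 2 above describe, and that reflects a query parameter only after HTML-escaping it, so the page itself gives injected markup nothing to run. The parameter name q, the page body, and the listening port are assumptions.

```python
"""Added example (not the demo page's own vulnPage.php): a WSGI app that
adds the Content-Security-Policy / X-XSS-Protection headers chosen by the
csp= and xph= query values from Tables 1 and 2, and reflects the `q`
parameter (assumed name) with HTML escaping."""
from html import escape
from urllib.parse import parse_qs

# Header names used by the three CSP dialects listed in Table 1.
CSP_OFFICIAL = "Content-Security-Policy"
CSP_IE = "X-Content-Security-Policy"
CSP_WEBKIT = "X-Webkit-CSP"
CSP_VALUE = "script-src 'self';"

# csp= value -> tuple of header names to send, straight from Table 1.
CSP_OPTIONS = {
    "0": (CSP_OFFICIAL, CSP_IE, CSP_WEBKIT),
    "1": (CSP_OFFICIAL,),
    "2": (CSP_IE,),
    "3": (CSP_WEBKIT,),
    "4": (CSP_OFFICIAL, CSP_IE),
    "5": (CSP_OFFICIAL, CSP_WEBKIT),
    "6": (CSP_IE, CSP_WEBKIT),
}

# xph= value -> X-XSS-Protection header value, straight from Table 2.
XPH_OPTIONS = {
    "0": "0",
    "1": "1",
    "2": "1; mode=block",
}


def security_headers(params):
    """Return the (name, value) headers selected by the parsed query string.

    Unknown or absent csp=/xph= values add nothing, matching the "None"
    rows of both tables.
    """
    headers = []
    csp = params.get("csp", [None])[0]
    for name in CSP_OPTIONS.get(csp, ()):
        headers.append((name, CSP_VALUE))
    xph = params.get("xph", [None])[0]
    if xph in XPH_OPTIONS:
        headers.append(("X-XSS-Protection", XPH_OPTIONS[xph]))
    return headers


def render(params):
    """Build the page body, reflecting `q` only after HTML-escaping it."""
    q = params.get("q", [""])[0]
    safe = escape(q, quote=True)  # <, >, &, " and ' become entities
    return (
        "<!DOCTYPE html><html><body>"
        f"<p>You searched for: {safe}</p>"
        "</body></html>"
    )


def app(environ, start_response):
    """WSGI entry point: parse the query, set headers, return the body."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    body = render(params).encode("utf-8")
    headers = [("Content-Type", "text/html; charset=utf-8")]
    headers += security_headers(params)
    start_response("200 OK", headers)
    return [body]


if __name__ == "__main__":
    # Assumed port; serve locally so the headers can be inspected with curl.
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8080, app) as srv:
        srv.serve_forever()
```

Run it and request, for example, /?csp=4&xph=2&q=test to see the two CSP headers from the csp=4 row and X-XSS-Protection: 1; mode=block in the response. The 'self' source expression only permits scripts loaded from the page's own origin, which is why the demo's external .js payloads are the interesting case for each header variant.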