

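<?php
// File Name: vulnPage.php
// Author: R. T. Waysea
// Creation Date: October 20th, 2014
//
// Test page for browser-side XSS defences. It reflects the "xss" query
// parameter into the response body ON PURPOSE; the "csp" and "xph" query
// parameters select which Content-Security-Policy / X-XSS-Protection
// response headers are sent, so the browser's handling of each header
// combination can be observed.

declare(strict_types=1);

/**
 * Parse a query-string value into a small integer selector.
 *
 * Feeding the raw string straight into a switch with integer cases relies on
 * loose comparison, which classifies non-numeric input differently on PHP 7
 * (matches case 0) and PHP 8 (matches nothing). Parsing explicitly gives one
 * answer on every version: an integer literal maps to its value, anything else
 * (non-string values such as "csp[]=1", non-integer text) maps to null.
 *
 * @param mixed $raw value straight out of $_GET (a string, or an array for "name[]")
 * @return int|null  the selector, or null when the value is not an integer literal
 */
function parseSelector($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }

    $value = filter_var($raw, FILTER_VALIDATE_INT);

    return $value === false ? null : $value;
}

/**
 * Map a "csp" selector to the CSP header names to emit, in emission order.
 *
 * Unknown or invalid selectors (including null) fall back to the official
 * header only, matching the old switch's default branch.
 *
 * @return string[] header names, all carrying the same "script-src 'self';" policy
 */
function cspHeaderNamesFor(?int $selector): array
{
    $official = 'Content-Security-Policy';   // official CSP 1.0 header
    $ie       = 'X-Content-Security-Policy'; // recognized by Internet Explorer 10 & 11
    $webkit   = 'X-Webkit-CSP';              // recognized by Chrome 14 through 24 & Safari 6+

    $table = [
        0 => [$official, $ie, $webkit], // all three headers
        1 => [$official],
        2 => [$ie],
        3 => [$webkit],
        4 => [$official, $ie],
        5 => [$official, $webkit],
        6 => [$ie, $webkit],
    ];

    if ($selector === null || !isset($table[$selector])) {
        return [$official];
    }

    return $table[$selector];
}

/**
 * Map an "xph" selector to the X-XSS-Protection header value to emit.
 *
 * Unknown or invalid selectors (including null) fall back to "1" (filter
 * enabled), matching the old switch's default branch.
 */
function xssProtectionValueFor(?int $selector): string
{
    $table = [
        0 => '0',             // disable the browser's reflected-XSS filter
        1 => '1',             // enable the filter
        2 => '1; mode=block', // enable the filter and block rendering on detection
    ];

    if ($selector === null || !isset($table[$selector])) {
        return '1';
    }

    return $table[$selector];
}

// Clickjacking mitigation: only same-origin framing is allowed.
header('X-Frame-Options: SAMEORIGIN', true);

// Do not advertise the PHP version in the response.
header_remove('X-Powered-By');

// Body payload: the raw "xss" value when present (PHP has already applied one
// round of URL-decoding to $_GET values), otherwise a fixed message. A
// non-string value ("xss[]=...") would interpolate as "Array" with a warning,
// so it is treated like an absent parameter.
$injection = 'No XSS Here!';
if (isset($_GET['xss']) && is_string($_GET['xss'])) {
    $injection = $_GET['xss'];
}

// "csp" present: emit the selected CSP header(s). Absent: emit none at all.
if (isset($_GET['csp'])) {
    foreach (cspHeaderNamesFor(parseSelector($_GET['csp'])) as $headerName) {
        header("{$headerName}: script-src 'self';", true);
    }
}

// "xph" present: emit the selected X-XSS-Protection header. Absent: emit none.
if (isset($_GET['xph'])) {
    $value = xssProtectionValueFor(parseSelector($_GET['xph']));
    header("X-XSS-Protection: {$value}", true);
}

// Headers are complete; send the body. $injection is intentionally NOT passed
// through htmlspecialchars(): the page exists to exercise the browser's
// handling of reflected markup under the headers selected above, and escaping
// would defeat that. This output pattern must not be copied into other pages.
echo <<<_END
<!DOCTYPE html>
<html lang="en">
  <head>
    <title>Vulnerable Page</title>
    <meta charset="UTF-8">
    <meta name="author" content="R. T. Waysea">
    <meta name="generator" content="R. T. Waysea's Twisted Imagination">
  </head>
  <body style="background-color: #b0c4de;">
    <h1>Vulnerable Page</h1>
    <p>Welcome to this page!</p>
    <p>$injection</p>
    <p>Don't click any links!</p>
  </body>
</html>
_END;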