Even though some browsers are actually built for penetration testing, some testers may find it better to use their favorite browser. One issue with this is that modern browsers have security features and injection protection that will most likely get in the way of a penetration tester. The browser may block an SQL injection or XSS attack that would otherwise have worked. During a penetration test this matters while you are discovering security issues on the website being tested, because you may miss a vulnerability that a malicious attacker may find. So I have included a small hint on how to disable most or all of the security features built into these popular browsers.
The Chromium browser has to be started with an argument to disable XSS protection:
# chromium --disable-web-security

In Google Chrome you can disable either some or all of the built-in protections by adding an argument to the program:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --args --disable-web-security
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-xss-auditor

In Internet Explorer you will have to modify some settings. I don't know if there are other ways of doing this:
IE -> Internet Options -> Security -> Select Internet & press "Custom Level…" -> Disable "Enable XSS filter"

In Firefox you can enable the execution of JavaScript from the address bar by changing the setting below:
Firefox - type "about:config" in the address bar -> Search "browser.urlbar.filter.javascript" -> Select "False"

Yes, I make some assumptions about operating systems that may not be correct: I assume you run Chrome on the Microsoft Windows operating system, even though that may not be the case.
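
A check to run before going back to normal browsing, as an added example that is not part of the original post: it reads `ps`-style process lines and reports Chrome/Chromium main processes that are still running with the two switches shown above. The function names and the sample process lines are constructed for illustration, and it assumes a Linux or macOS system where `ps` is available.

```shell
#!/bin/sh
# Added example: find browser instances still running with protections disabled.

# Switches taken from the post.
WEAK_FLAGS='--disable-web-security --disable-xss-auditor'

# Reads "PID COMMAND ARGS..." lines on stdin and prints "PID SWITCH" for every
# Chrome/Chromium main process that carries one of the switches.
# Live use:  ps -e -o pid= -o args= | find_weakened_browsers
find_weakened_browsers() {
  awk -v flags="$WEAK_FLAGS" '
    BEGIN {
      n = split(flags, want, " ")
      browser = "(^|/)(chrome|chromium)[^/]*$"   # match on the executable name
    }
    # Ignore anything that is not a Chrome/Chromium binary (e.g. a grep for the flag).
    $2 !~ browser { next }
    {
      # Child processes (renderer, gpu, ...) are started with --type=...;
      # skip them so each browser instance is reported once.
      for (i = 3; i <= NF; i++) if ($i ~ /^--type=/) next
      # Exact token comparison, so a longer look-alike switch does not match.
      for (i = 3; i <= NF; i++)
        for (j = 1; j <= n; j++)
          if ($i == want[j]) print $1, want[j]
    }'
}

# Constructed sample input in the same layout as the ps command above.
sample_ps() {
  cat <<'EOF'
 1201 /usr/lib/chromium/chromium --disable-web-security --user-data-dir=/tmp/pt
 1244 /usr/lib/chromium/chromium --type=renderer --disable-web-security
 1302 /opt/google/chrome/chrome --disable-xss-auditor
 1410 /usr/lib/firefox/firefox -P default
 1500 grep --disable-web-security
EOF
}

# Demo run on the constructed sample.
sample_ps | find_weakened_browsers
```

Any PID it prints belongs to a browser window that should be closed before that browser is used for anything other than the test.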