
How-To - Disable Browser Security Features


    Even though some browsers are actually built for penetration testing, some may find it better to use their favorite browser. One issue with this is that modern browsers have some security features and injection protection that will most likely not be productive for a penetration tester. The browser may block an SQL injection or XSS attack that would otherwise have worked. This can be important during a penetration test, because while discovering security issues on the website being tested you may miss a vulnerability that a malicious attacker would find. So I included a small hint on how to disable most or all of the security features built into these popular browsers.

    The Chromium browser has to be started with an argument to disable XSS protection:
    # chromium --disable-web-security
    In Google Chrome you can disable some or all of the built-in protections by adding an argument when starting the program:
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --args --disable-web-security
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-xss-auditor
    In Internet Explorer you will have to modify some settings. I don't know if there are other ways of doing this:
    IE -> Internet Options->Security->Select Internet & press "Custom Level…"->Disable "Enable XSS filter"
    In Firefox you can enable the execution of javascript from the address bar by changing the setting below:
    Firefox - type "about:config" in the address bar -> Search "browser.urlbar.filter.javascript" -> Select "False"
    Yes, I make some assumptions about operating systems that may not be correct, meaning I assume you run Chrome on the Microsoft Windows operating system even though that may not be the case.
    Certified Security Geek
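Added example, not part of the original post: a small Python audit that flags the Chrome/Chromium switches and the Firefox preference named above when they appear in a captured process command line or in a Firefox prefs.js file, which is how a defender would notice a browser running with these protections off. The sample command lines and prefs.js content are constructed.

```python
import re
import shlex

# Switches from the post that turn off a built-in browser protection.
RISKY_SWITCHES = {
    "--disable-web-security": "same-origin policy / CORS enforcement off",
    "--disable-xss-auditor": "XSS auditor off",
}
BROWSER_EXES = ("chrome.exe", "chrome", "chromium", "chromium-browser")

# Firefox prefs.js entries look like: user_pref("name", value);
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')
RISKY_PREF = ("browser.urlbar.filter.javascript", "false")


def audit_cmdline(cmdline):
    """Return (switch, description) for each risky switch on a browser command line."""
    cmdline = cmdline.strip().lstrip("#$").strip()  # drop a copied shell prompt
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows paths intact
    except ValueError:
        argv = cmdline.split()
    if not argv:
        return []
    exe = argv[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in BROWSER_EXES:
        return []  # only browser processes are of interest
    hits = []
    for arg in argv[1:]:
        switch = arg.split("=", 1)[0].lower()  # handle --switch=value too
        if switch in RISKY_SWITCHES:
            hits.append((switch, RISKY_SWITCHES[switch]))
    return hits


def audit_firefox_prefs(prefs_text):
    """Return (name, value) for prefs that disable the address-bar javascript filter."""
    return [(n, v) for n, v in PREF_RE.findall(prefs_text) if (n, v) == RISKY_PREF]


if __name__ == "__main__":
    # Constructed sample inputs mirroring the post's commands and setting.
    samples = [
        '"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" --disable-xss-auditor',
        "# chromium --disable-web-security",
        "notepad.exe --disable-web-security",
    ]
    for line in samples:
        print(line, "->", audit_cmdline(line))
    prefs = 'user_pref("browser.urlbar.filter.javascript", false);\n'
    print("prefs.js ->", audit_firefox_prefs(prefs))
```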