FakeOrca - Static Test Page (Special)

URL: https://sample.clas.ufl.edu/iframe-url-test

URL: http://www.httpforever.com/

URL: https://www.nocdn.fakeorca.com/static

Protection:
  • Preferred configuration: Use X-Frame-Options: DENY to block all framing, or SAMEORIGIN to allow framing only from the same domain. Prefer frame-ancestors in CSP for finer control.
  • Things to avoid: Do not omit the header; avoid ALLOWALL or permissive values; do not rely solely on JavaScript to prevent clickjacking.

❌ This test is not applicable. This static page does not handle file uploads or serve user-generated content, so there is no risk of MIME type sniffing. This protection is relevant when browsers might incorrectly interpret a file's content type, which can lead to security issues if the file is treated as executable. In this context, all content types are static and controlled by the server.

Protection:
  • Preferred configuration: Set X-Content-Type-Options: nosniff to force the browser to respect the declared Content-Type and prevent MIME-sniffing.
  • Things to avoid: Do not omit the header when serving user-uploaded files or dynamic content; avoid incorrect or misleading Content-Type values that could be exploited.

Explore CSP misconfigurations and their security implications. This static page demonstrates three core exploit types.

CSP-A: Inline Script Injection

Unsanitized content from the URL (e.g., hash or query string) is injected directly into the DOM and executed as JavaScript. This is DOM-based XSS — when CSP allows unsafe-inline, inline scripts can execute arbitrary code.

How attackers identify: Inspect page source for <script> tags without src; check CSP response header for unsafe-inline; test if URL hash or query parameters are reflected in DOM or script context; use browser DevTools to verify inline script execution.

  • Exploit URL: https://www.nocdn.fakeorca.com/static#<script>alert('XSS Successful!')</script>
✅ Applicable

CSP-B: External Script Injection

Attacker executes malicious JavaScript by exploiting how the website loads external scripts. This includes: (1) trusted third-party compromise (CDN/analytics), and (2) overly permissive CSP (script-src *).

How attackers identify: Inspect response headers for Content-Security-Policy; look for script-src * or broad allowlists; enumerate <script src="..."> tags and their domains; test dynamic script loading via createElement or innerHTML; check for missing or weak CSP.

  • Trusted 3rd party compromise: simulate compromised CDN script
  • Overly permissive CSP: allow scripts from any domain
✅ Applicable

CSP-C: Dangerous Eval / Inline Handlers

The use of eval() and new Function() to run code from the URL introduces serious vulnerabilities. When CSP allows unsafe-eval, attackers can inject and execute malicious scripts via the hash fragment.

How attackers identify: Search page source or bundled JS for eval(, new Function(, or setTimeout/setInterval with string args; check CSP header for unsafe-eval; test if URL hash or query params are passed to eval-like functions; trace data flow from user input to code execution.

  • Developer Usage: https://www.nocdn.fakeorca.com/static#eval:dark()
  • Developer Usage: https://www.nocdn.fakeorca.com/static#fn:showBanner("Maintenance Till 23:59")
  • Exploit 1: https://www.nocdn.fakeorca.com/static#eval:alert("eval() Abused")
  • Exploit 2: https://www.nocdn.fakeorca.com/static#fn:alert("fn() Abused")
✅ Applicable
Protection:
  • Preferred configuration: Use a strict CSP with script-src 'self' or trusted domains only; use nonces or hashes for legitimate inline scripts; omit unsafe-inline and unsafe-eval; set explicit default-src as fallback.
  • Things to avoid: Do not use script-src * or 'unsafe-inline' or 'unsafe-eval'; avoid broad allowlists; do not omit CSP entirely; avoid passing user input to eval() or new Function().

This test applies to a pure static page. No authentication, login, cookies, or backend logic are involved. The browser may still send the current page URL to external domains via the HTTP Referer header when the user navigates to or loads resources from external sites. This is browser-driven behaviour on static content—a security demonstration to observe what information may be leaked.

Test URL: Ensure the address bar shows https://www.nocdn.fakeorca.com/static?demo=referrer-test (add ?demo=referrer-test if needed) so the query parameter may be leaked in the Referer header.

This page includes an external link below. Click it to trigger an outbound request from the static page to an external domain (httpbin.org).

Test Referrer-Policy → httpbin.org Opens httpbin.org in new tab; Referer is sent from the current page
Test instructions:
  1. The page includes an external link or external resource (e.g. the link above to httpbin.org).
  2. Open Developer Tools → Network tab.
  3. Trigger the outbound request by clicking the external link or reloading the page.
  4. Inspect the external request's Request Headers.
  5. Observe the Referer header value (or its absence).
Expected behaviour:
  • Without Referrer-Policy: The full URL (including path and query string) may be sent as the Referer to external domains.
  • With a restrictive Referrer-Policy (e.g. no-referrer or strict-origin-when-cross-origin): The Referer is reduced (e.g. origin only) or omitted entirely.
Referrer-Policy Behavior Reference:

The table below shows what referrer information is sent based on the policy and destination type.

How to read the table headers:
  • Same Origin: Navigation within the same domain (e.g., https://www.nocdn.fakeorca.com to https://www.nocdn.fakeorca.com)
  • Cross Origin (HTTPS): Navigation to a different domain over HTTPS (e.g., https://www.nocdn.fakeorca.com to https://httpbin.org/)
  • Cross Origin (HTTP): Navigation to a different domain over HTTP (e.g., http://www.nocdn.fakeorca.com to http://example.com)
Policy Same Origin Cross Origin (HTTPS) Cross Origin (HTTP) Test URL Expected Referrer
no-referrer No Referer sent No Referer sent No Referer sent /static?demo=referrer-test No Referer sent
same-origin Full URL sent No Referer sent No Referer sent /static?demo=referrer-test No Referer sent
origin Origin only Origin only Origin only /static?demo=referrer-test https://www.nocdn.fakeorca.com
strict-origin Origin only Origin only No Referer sent /static?demo=referrer-test https://www.nocdn.fakeorca.com
origin-when-cross-origin Full URL sent Origin only Origin only /static?demo=referrer-test https://www.nocdn.fakeorca.com
strict-origin-when-cross-origin Full URL sent Origin only No Referer sent /static?demo=referrer-test https://www.nocdn.fakeorca.com
unsafe-url Full URL sent Full URL sent Full URL sent /static?demo=referrer-test https://www.nocdn.fakeorca.com/static?demo=referrer-test
Legend: Full URL sent (including path & query) Origin only No Referer sent
Protection:
  • Preferred configuration: Use Referrer-Policy: strict-origin-when-cross-origin to send full URL for same-origin requests, origin only for cross-origin HTTPS, and no referrer for cross-origin HTTP.
  • Things to avoid: Do not use unsafe-url (leaks full URL including paths and query params); avoid omitting the header when URLs contain sensitive tokens or IDs.

❌ This test is not applicable. This is a static page that does not use Flash, Silverlight, or any plugin-based content. It does not serve crossdomain policy files like crossdomain.xml, nor does it load external resources through legacy plugins. The protection controlled by this setting is only relevant when such plugins are used to access data from another domain. Modern websites use CORS and CSP instead, making this check unnecessary.

Protection:
  • Preferred configuration: Not required for modern web applications. CORS policies provide cross-origin access controls; omit this header unless supporting legacy Flash/Silverlight.
  • Things to avoid: Do not rely on this header for modern security; avoid enabling plugin content if not strictly necessary; do not use outdated plugins that depend on crossdomain.xml.