dvwa updated

dvwa/vulnerabilities/csp/source/low.php

@@ -0,0 +1,22 @@
+<?php
+
+$headerCSP = "Content-Security-Policy: script-src 'self' https://pastebin.com  example.com code.jquery.com https://ssl.google-analytics.com ;"; // allows js from self, pastebin.com, jquery and google analytics.
+
+header($headerCSP);
+
+# https://pastebin.com/raw/R570EE00
+
+?>
+<?php
+if (isset ($_POST['include'])) {
+$page[ 'body' ] .= "
+	<script src='" . $_POST['include'] . "'></script>
+";
+}
+$page[ 'body' ] .= '
+<form name="csp" method="POST">
+	<p>You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:</p>
+	<input size="50" type="text" name="include" value="" id="include" />
+	<input type="submit" value="Include" />
+</form>
+';