When she searches for '<iframe src="javascript:alert(xss)">'
Then she sees she has solved the "DOM XSS" challenge
When she searches for '<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>'
Then she sees she has solved the "Bonus Payload" challenge
When she searches for {payload}
Then she should see no alert message

| Metric | Value |
|---|---|
| Number of Scenarios | 3 |
| Total Number of Test Cases | 7 |
| Number of Manual Test Cases | 0 |
| Tests Started | Jul 04, 2025 12:58:39 |
| Tests Finished | Jul 04, 2025 12:58:52 |
| Total Duration | 12s |
| Fastest Test | 1s |
| Slowest Test | 2s |
| Average Execution Time | 1s |
| Total Execution Time | 12s |

| Feature | Scenario | Context | Steps | Started | Total Duration | Result |
|---|---|---|---|---|---|---|
| Juice Shop is susceptible to XSS attacks | Haxxor injects HTML into the search input | | 2 | 12:58:39 | 1s 592ms | |
| Juice Shop is susceptible to XSS attacks | Haxxor can inject a payload into the page | | 2 | 12:58:41 | 1s 890ms | |
| Juice Shop is susceptible to XSS attacks | Inject XSS payloads into the search form and verify no script execution (5 passing test cases) | | 2 | 12:58:43 | 8s 762ms | |