Juiceshop Username Hacking Form

This HTML page, loaded from the local file system, will send a request to the Juiceshop without an "Origin" header (because it was not received from a website). The request attempts to change the "Username" in the profile page to "hacked".

With CSRF enabled, that request will be blocked. Add this configuration in the Core WAAP CR:

  csrfPolicy:
    enabled: true
  crs:
    mode: DISABLED
Note that this example also disables Coraza (crs) for the sake of this simple demo, because otherwise this attack would be prevented by the CRS filter as well.