Juiceshop Username Hacking Form
This HTML page, loaded from the local file system, will send a request to the Juiceshop without an "Origin"
header (because it was not received from a website). The request attempts to change the "Username" in the
profile page to "hacked".
With CSRF protection enabled, that request will be blocked. Add this configuration to the Core WAAP CR:
csrfPolicy:
  enabled: true
crs:
  mode: DISABLED
Note that this example also disables Coraza (crs) for the sake of this simple demo, because otherwise this
attack would be prevented by the CRS filter as well.
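A sketch of the kind of Origin check that blocks such a request, added here as an illustration and not taken from Core WAAP. The trusted origin https://juiceshop.example, the function names, the rule that safe methods pass unchecked and the sample requests are assumptions constructed for the example.

```javascript
// Added illustration of an Origin-based CSRF check; not Core WAAP's own code.
// TRUSTED_ORIGINS and the sample requests are constructed for this example.
const TRUSTED_ORIGINS = new Set(["https://juiceshop.example"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Header names are case-insensitive, so look them up without regard to case.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Reduce an Origin header value to scheme://host[:port], or null if unusable.
function parseOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null; // malformed value
  }
}

// Decide whether a request may reach the application.
function csrfDecision(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { allow: true, reason: "safe method" };
  const origin = parseOrigin(getHeader(req.headers, "origin"));
  if (origin === null) return { allow: false, reason: "missing or opaque Origin" };
  if (!TRUSTED_ORIGINS.has(origin)) return { allow: false, reason: "untrusted Origin" };
  return { allow: true, reason: "trusted Origin" };
}

// Constructed sample requests; the first models the form on this page.
const SAMPLES = [
  { name: "local file form", method: "POST", headers: {} },
  { name: "opaque origin", method: "POST", headers: { Origin: "null" } },
  { name: "other site", method: "POST", headers: { origin: "https://other-site.example" } },
  { name: "shop itself", method: "POST", headers: { ORIGIN: "https://juiceshop.example" } },
  { name: "page view", method: "GET", headers: {} },
];

function evaluateSamples() {
  return SAMPLES.map((s) => ({ name: s.name, ...csrfDecision(s) }));
}

console.log(evaluateSamples());
```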