Tag: xss

KipodAfterFree2019 Postman

PostMan [web, 70p, 12 solves] TLDR; a simple XSS that was blocked by CSP. You needed to inject into the CSP header itself to get the XSS working. The application let users create posts with a title and an image. The image had to be passed in the form of a link. You could report a post to the admin, who would then inspect it (a typical XSS challenge). Right off the bat I found a simple XSS in the title field, `<script>alert(1)</script>`, but it was blocked by the CSP header that the server set in the response: