XSS Probes Dashboard.

Use XSS probes to find blind XSS and other injection vulnerabilities.

Image Probe

Probe information:

  • IP Address
  • User Agent
  • Injection URL

How to use an Image Probe to find XSS and HTML injection vulnerabilities

Inject your image probe (an img tag) as a payload into websites – think usernames, comments, etc. If the image loads on any page – including admin pages – you'll see it in your XSS Probe Dashboard. From there you can visit the page and determine whether you can escalate the injection to XSS, for example by using event handlers, or report it as HTML injection. If you can't visit the page, as with an admin page, you can report it as HTML injection/possible XSS.

Watch out for false positives. Sometimes websites allow image tags to be used directly by users, so you'll have to determine if it is exploitable.

The advantage of using the image probe is that many websites use filters to block script tags from being injected, while image tags remain open.
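
From the site owner's side, the same behaviour can be audited. The following is an added example, not part of the original page: it scans stored user input for img tags that load from another host, separates fields where images are allowed by design (the false-positive case above) from plain-text fields, and shows the output encoding that stops the tag from rendering. The host name, field names and sample records are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "app.example.test"        # assumption: the application's own host
HTML_ALLOWED_FIELDS = {"forum_post"}  # assumption: fields where images are allowed by design

# Constructed sample of stored user input (not real data).
SAMPLE_RECORDS = [
    {"id": 1, "field": "username", "value": 'bob<img src="https://probe.example.test/p.png">'},
    {"id": 2, "field": "forum_post", "value": 'see <img src="https://cdn.example.test/cat.png">'},
    {"id": 3, "field": "comment", "value": 'nice <img src="/static/smile.png"> post'},
    {"id": 4, "field": "comment", "value": "plain text"},
]

class ImgCollector(HTMLParser):
    """Collects the src of every <img> tag the parser sees."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def external_images(value):
    """Return img sources in value that point at a host other than SITE_HOST."""
    parser = ImgCollector()
    parser.feed(value)
    parser.close()
    return [s for s in parser.sources
            if urlparse(s).hostname not in (None, SITE_HOST)]

def audit(records):
    """Flag records whose stored value would load an off-site image when rendered raw."""
    findings = []
    for rec in records:
        srcs = external_images(rec["value"])
        if srcs:
            allowed = rec["field"] in HTML_ALLOWED_FIELDS
            verdict = "allowed_by_design" if allowed else "html_injection"
            findings.append((rec["id"], rec["field"], verdict, srcs))
    return findings

def render_text_field(value):
    """Encode a plain-text field for HTML output so markup is displayed, not parsed."""
    return escape(value, quote=True)

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print(finding)
    print(render_text_field(SAMPLE_RECORDS[0]["value"]))
```

A record flagged `html_injection` means a plain-text field is being rendered without encoding somewhere; the fix belongs at every output point, including internal admin views.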