When I upload an image as my profile picture, a PATCH request is sent to PATCH the image link of my profile picture, so whenever I open my profile the profile image is called from that link.
Now, in that PATCH request I exchanged the image link with my server IP (http://X.X.X.X:1337), and when someone opens my profile, my profile image is called, but as I exchanged the image link with my server IP, the application sends a GET request for the image to my server.
When the DOM is loaded, the img tag looks like:
<img src="http://X.X.X.X:1337">
There is no CSP enforced; the application can call any IP, socket, domain, or data URI.
As the src is called as an image, even if I call a JS file it does not get executed; it gets stored as normal text.
If I put an XSS payload, it is sent as an HTTP request.
Now how can I make it harmful? Currently I can only get the IP of the victim.
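
On the application side, the behaviour described in this post is closed by validating the image link in the PATCH handler and by sending a CSP that limits img-src. The following is an added example, not part of the original post or the application's code; the host `cdn.example.com` and the function names are hypothetical placeholders.

```python
from urllib.parse import urlsplit

# Assumption: avatars are only ever served from the application's own
# storage host. "cdn.example.com" is a hypothetical placeholder.
ALLOWED_IMAGE_HOSTS = {"cdn.example.com"}
ALLOWED_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".webp")


def validate_avatar_url(url: str) -> tuple:
    """Return (ok, reason) for an image link submitted in the PATCH body."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_IMAGE_HOSTS:
        return False, "host not on allowlist"
    if port not in (None, 443):
        return False, "unexpected port"
    if not parts.path.lower().endswith(ALLOWED_EXTENSIONS):
        return False, "not an image path"
    return True, "ok"


def csp_header() -> str:
    """CSP value so browsers refuse image loads from any other origin."""
    sources = " ".join(f"https://{h}" for h in sorted(ALLOWED_IMAGE_HOSTS))
    return f"default-src 'self'; img-src 'self' {sources}"


# Constructed sample inputs (203.0.113.10 is a documentation address).
SAMPLES = [
    "https://cdn.example.com/avatars/42.png",
    "http://203.0.113.10:1337",
    "https://cdn.example.com@203.0.113.10/a.png",
    "data:image/png;base64,AAAA",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", validate_avatar_url(sample))
    print("Content-Security-Policy:", csp_header())
```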