Is this skill intended for automated or manual testing?

It serves as a comprehensive guide and toolkit for semi-automated testing, providing the logic and payloads needed to conduct systematic manual security reviews.

Can this skill help bypass Content Security Policies (CSP)?

Yes, it includes specific techniques for testing CSP weaknesses and crafting payloads that can circumvent restrictive security headers.

Are the payloads safe for production use?

The skill is designed for authorized security testing. Users should only execute payloads in designated testing environments and must have explicit permission to test the target system.

What types of XSS can this skill detect?

The skill provides techniques for identifying and exploiting Stored XSS (persistent), Reflected XSS (non-persistent), and DOM-based XSS (client-side execution).

Does it provide remediation advice?

Absolutely. Along with exploit techniques, the skill provides clear remediation steps, including context-aware encoding and secure configuration examples.

XSS & HTML Injection Security Testing

Name: XSS & HTML Injection Security Testing
Author: claudiodearaujo

byclaudiodearaujo

•

Seguridad y Pruebas

Performs comprehensive security audits to identify and demonstrate Cross-Site Scripting (XSS) and HTML injection vulnerabilities in web applications.

This skill provides a structured methodology for developers and security researchers to systematically detect and exploit client-side injection flaws. It covers the full lifecycle of a security assessment, from identifying input reflection points to crafting sophisticated payloads for Stored, Reflected, and DOM-based XSS. By simulating real-world attack vectors like session hijacking, credential theft, and filter bypassing, the skill helps teams validate their input sanitization, output encoding, and Content Security Policy (CSP) implementations before vulnerabilities can be exploited in the wild.

Características Principales

01Identification of dangerous JavaScript sinks and user-controlled sources

021 GitHub stars

03Proof-of-concept payload generation for session hijacking and data exfiltration

04Detailed remediation guidance including CSP configuration and encoding best practices

05Comprehensive detection for Stored, Reflected, and DOM-based injection vectors

06Advanced filter bypass techniques using encoding, obfuscation, and malformed tags

Casos de Uso

01Creating controlled proof-of-concept demonstrations to illustrate security risks to stakeholders

02Validating the effectiveness of sanitization libraries and Web Application Firewalls (WAF)

03Conducting deep-dive security audits on web applications during the testing phase

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add claudiodearaujo/sistema-de-narra-o-de-livro xss-html-injection

For use in Claude.ai and ChatGPT

Download Skill