Does this skill perform actual automated attacks?

It provides the specific methodologies, payloads, and step-by-step guidance for testing, but execution requires the user to have authorized access and follow legal boundaries.

Are remediation steps included for discovered vulnerabilities?

Yes, the skill provides clear remediation recommendations, including output encoding best practices, input validation strategies, and secure CSP configurations.

Can it help bypass modern Content Security Policies (CSP)?

Yes, it includes techniques to identify common CSP misconfigurations and provides specific payloads designed to test for bypasses in various policy environments.

Does it support detection of DOM-based XSS?

Absolutely. It identifies dangerous JavaScript sinks like innerHTML and eval(), as well as user-controllable sources like location.hash, to find vulnerabilities that occur entirely in the browser.

XSS and HTML Injection Security Testing

Name: XSS and HTML Injection Security Testing
Author: claudiodearaujo

byclaudiodearaujo

Security & Testing

Automates the identification and exploitation of Cross-Site Scripting (XSS) and HTML injection vulnerabilities in web applications.

About

This skill provides a comprehensive framework for security professionals and developers to perform deep client-side injection audits. It guides users through systematic detection phases for stored, reflected, and DOM-based vectors, offers an extensive library of bypass techniques for modern filters, and generates proof-of-concept payloads for demonstrating impact such as session hijacking or credential theft. Beyond exploitation, it includes actionable remediation guidance and Content Security Policy (CSP) configurations to help secure applications against future attacks.

Key Features

Comprehensive detection patterns for Stored, Reflected, and DOM-based XSS.
Detailed identification of dangerous JavaScript sinks and sources in client-side code.
Remediation recommendations including specific CSP headers and encoding strategies.
Proof-of-concept (PoC) payload generation for session and credential theft demonstrations.
Advanced filter bypass techniques using encoding, obfuscation, and tag variations.
0 GitHub stars

Use Cases

Validating the effectiveness of input sanitization logic and Web Application Firewall (WAF) rules.
Performing automated security audits on new web application features during development.
Demonstrating the real-world impact of client-side vulnerabilities to stakeholders via PoC.

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add claudiodearaujo/izacenter xss-html-injection

For use in Claude.ai and ChatGPT

Download Skill

GitHub