ghostonbutterbread/reflected-xss
skills/reflected-xss/SKILL.md
Use when attacker-controlled input appears in the immediate HTTP response or browser-rendered page and needs reflected XSS context classification, payload selection, mutation, and browser verification.
content-media
Updated Jun 6, 2026
$ install --global
skillsauthnpx skillsauth add ghostonbutterbread/bug-bounty-harness reflected-xssInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 6, 2026, 2:27 AM47.8s1 file scanned
SKILL.md
- name:
- reflected-xss
- description:
- Use when attacker-controlled input appears in the immediate HTTP response or browser-rendered page and needs reflected XSS context classification, payload selection, mutation, and browser verification.
Reflected XSS
Use this lane when a marker reflects immediately in the response or rendered page.
The goal is to identify the exact output context, break that context with the smallest useful payload, then mutate as needed until execution is proven or a real boundary appears.
Load First
xsslive-testing-policywaf-live-policyif filters, bot defenses, WAF, sanitizers, or parser quirks shape the testskills/xss/references/payload-selection.md
Inputs To Test
Check more than query parameters when evidence supports it:
- query values and parameter names
- path segments and slugs
- form body fields
- JSON keys and values
- headers:
Referer,User-Agent,X-Forwarded-*, custom app headers - cookies reflected into templates/bootstrap data
- redirect targets and URL-bearing params
Context Checklist
Record where the marker lands:
- HTML text/body
- quoted attribute
- unquoted attribute
- URL-bearing attribute
- inline JavaScript string
- JSON/bootstrap blob
- template literal
- CSS/style
- escaped server response that client-side JS later decodes
Do not choose payloads before context classification.
Testing Loop
- Send a marker with a unique token.
- Compare raw HTTP and browser-rendered behavior when possible.
- Select a payload family matching the exact context.
- If blocked or encoded, mutate within the same family first.
- Move across families only when the response shows a parser or sanitizer difference worth exploring.
- Use browser verification or target-owned checker for confirmation.
Good Payload Thinking
Prefer reasoning like:
- "I am inside a quoted attribute, so I need quote breakout plus a trigger."
- "The server encodes
<but leaves quotes, so attribute injection may still work." - "The raw response is escaped, but the frontend assigns it into
innerHTML." - "The WAF sees one decoding layer; the browser/backend may see another."
- "The query is encoded but the fragment remains raw in
location.toString()."
Use Ryushe's payload examples for shapes, but adapt them to the context.
Browser Proof
Confirmed reflected XSS needs execution proof:
- alert or equivalent target checker signal
- console side effect under controlled browser
- DOM mutation proving script execution
- target-owned lab checker success
If browser tooling is unavailable, mark as Likely or Potential and record
the blocked proof step.
Stop Conditions
- input is fully encoded in the tested browser context
- no signal after representative context-specific mutations
- WAF/rate pressure requires cooldown
- next step would involve non-owned data, real users, staff-visible workflows, or out-of-scope redirects
Report
Include full URL, parameter/header/body field, reflected context, payload, mutation family, browser proof status, and stop reason.
Related Skills
ghostonbutterbread/stored-xss
documentation
VerifiedTrustedCommunity
Use when attacker-controlled input is saved and rendered later in a profile, comment, title, notification, admin view, export, email, feed, upload metadata, or other stored render surface.
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/pwnfox
data-ai
VerifiedTrustedCommunity
Use when inspecting proxy traffic from PwnFox-profiled browser sessions, filtering Caido/Burp/proxy history by X-PwnFox-Color, or interpreting user phrases like 'Red session' as a distinct browser/auth/profile lane.
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/skills/lfi
tools
VerifiedTrustedCommunity
# LFI — Local File Inclusion Bypass ## What It Does Tests LFI bypass techniques: path traversal, null bytes, wrappers, log poisoning. Load `general-security-testing-policy`, `live-testing-policy`, and `injection-testing-policy` before live testing. For file/path sinks, absence of an immediate file read or response delta is not a stop reason by itself; use the policy to reason about path normalization, extension allowlists, wrappers, encoding, parser differences, and stack-specific proof ladder
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/dom-xss
tools
VerifiedTrustedCommunity
Use when XSS depends on browser-side sources and sinks such as URL/query/hash, router state, local/session storage, cookies, postMessage, DOM parsing, framework render paths, or client-side sanitizer behavior.
SKILL.mdUpdated Jun 6, 2026