ncklrs/skills/form-fuzzer
skills/form-fuzzer/SKILL.md
# Form Fuzzer Skill Test form inputs with edge case payloads to find security vulnerabilities and encoding issues. ## When to Use - Security testing forms for XSS/SQLi vulnerabilities - Testing input validation and sanitization - Finding unicode/encoding handling issues - Checking length limit enforcement - Pre-deployment security checks ## Flags ``` --fuzz Enable fuzzing mode --fuzz-category <category> Category: xss | sqli | unicode | length | all (default:
$ install --global
skillsauthnpx skillsauth add ncklrs/claude-chrome-user-testing skills/form-fuzzerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 8, 2026, 2:32 AM112.1s2 files scanned
SKILL.md
Form Fuzzer Skill
Test form inputs with edge case payloads to find security vulnerabilities and encoding issues.
When to Use
- Security testing forms for XSS/SQLi vulnerabilities
- Testing input validation and sanitization
- Finding unicode/encoding handling issues
- Checking length limit enforcement
- Pre-deployment security checks
Flags
--fuzz Enable fuzzing mode
--fuzz-category <category> Category: xss | sqli | unicode | length | all (default: all)
Fuzzing Categories
| Category | Purpose | Payload Count |
|----------|---------|---------------|
| xss | Test XSS sanitization | 15 payloads |
| sqli | Test SQL injection prevention | 12 payloads |
| unicode | Test encoding handling | 10 payloads |
| length | Test length limits | 4 payloads |
| all | All categories combined | 41 payloads |
Behavior
When --fuzz is active:
- Discovery: Find all form inputs on the page
- Classification: Identify input types (text, email, password, search, etc.)
- Injection: For each input, try payloads from selected category
- Observation: Check response for each payload:
- Sanitized: Payload escaped/stripped (PASS)
- Rejected: Clear error message (PASS)
- Executed: XSS/SQLi worked (CRITICAL)
- Error: Application error/crash (MAJOR)
- Stored: Payload persists in DOM (CRITICAL)
- Reporting: Generate security-focused report section
Response Classification
XSS Detection
// Check if script executed
// Check if payload appears unescaped in DOM
// Check for alert/console activity
// Check if event handlers fire
SQL Injection Detection
// Check for database error messages
// Check for unusual response time (time-based)
// Check for data leakage
// Check for error 500 responses
Encoding Issues
// Check for garbled text
// Check for broken layout (RTL markers)
// Check for missing characters
// Check for incorrect rendering
Length Handling
// Check if input truncated
// Check for overflow errors
// Check for client-side crashes
// Check for server errors
Report Section
When fuzzing is enabled, add this section to the test report:
## Form Fuzz Testing Results
### Summary
- **Inputs Tested**: 5
- **Payloads Tried**: 205
- **Vulnerabilities Found**: 2
### Critical Findings
| Input | Category | Payload | Result |
|-------|----------|---------|--------|
| #name | XSS | `<script>alert(1)</script>` | Executed |
| #search | SQLi | `' OR '1'='1` | Error 500 |
### XSS Tests (3 inputs)
| Input | Sample Payload | Result |
|-------|----------------|--------|
| #email | `<script>alert(1)</script>` | Sanitized |
| #name | `<script>alert(1)</script>` | **Executed** |
| #bio | `<img onerror=alert(1)>` | Sanitized |
### SQL Injection Tests (2 inputs)
| Input | Sample Payload | Result |
|-------|----------------|--------|
| #search | `' OR '1'='1` | **Error 500** |
| #id | `1; DROP TABLE--` | Rejected |
### Unicode Tests (5 inputs)
| Input | Sample Payload | Result |
|-------|----------------|--------|
| #name | `cafe n beijing` | Rendered OK |
| #bio | RTL markers | Layout OK |
### Length Tests (3 inputs)
| Input | Length | Result |
|-------|--------|--------|
| #email | 1K chars | Truncated (OK) |
| #bio | 10K chars | Accepted |
| #bio | 100K chars | **Client crash** |
### Recommendations
1. **[Critical]** Sanitize `#name` field - XSS vulnerable
2. **[Critical]** Fix SQL error handling in `#search` - reveals database info
3. **[Major]** Add length validation to `#bio` - crashes on large input
Integration with Personas
Fuzzing works alongside persona testing:
# Fuzz while testing as GenZ user
/user-test --url https://example.com/signup --persona genz-digital-native --fuzz
# Fuzz specific category
/user-test --url https://example.com/login --persona developer-critic --fuzz --fuzz-category xss
The persona still drives navigation and task completion, but form inputs are fuzzed when encountered.
Input Selection
Fuzz These Inputs
<input type="text"><input type="email"><input type="password"><input type="search"><input type="url"><input type="tel"><textarea><input type="hidden">(if accessible)- Rich text editors (contenteditable)
Skip These Inputs
<input type="checkbox"><input type="radio"><input type="file"><input type="date/time"><select>dropdowns- Disabled/readonly inputs
Best Practices
- Start with
--fuzz-category xss: Most common web vulnerability - Test staging, not production: Fuzzing can cause side effects
- Combine with
--record: Capture evidence of vulnerabilities - Use
--jsonfor CI/CD: Parse fuzz results programmatically - Test authenticated flows: Many vulnerabilities behind login
Limitations
- Client-side only: Cannot detect server-side-only vulnerabilities
- No blind injection: Time-based SQLi detection is limited
- May trigger WAF: Fuzzing payloads can trigger security rules
- State changes: Fuzzing may create test data in database
- Rate limiting: May hit rate limits on aggressive testing
Severity Classification
| Severity | Criteria | Example | |----------|----------|---------| | Critical | Code execution, data exposure | XSS executed, SQLi data leak | | Major | Application errors, crashes | Error 500, client crash | | Minor | Poor handling, no security impact | Garbled unicode, no truncation | | Info | Observations, potential issues | Long response time, verbose errors |
Related Skills
ncklrs/skills/wcag-auditor
development
VerifiedTrustedCommunity
# WCAG Auditor Skill This skill provides WCAG 2.1 accessibility audit capabilities, including criteria definitions, check implementations, and scoring logic. ## Purpose Systematically evaluate web pages against WCAG 2.1 Level A and AA success criteria to identify accessibility barriers and provide remediation guidance. ## WCAG 2.1 Overview WCAG is organized around four principles (POUR): - **Perceivable**: Information must be presentable to users - **Operable**: Interface must be usable - *
14SKILL.mdUpdated Apr 8, 2026
ncklrs/user-testing
development
VerifiedTrustedCommunity
Comprehensive persona-based user testing skill for web applications. Simulates how real users from different demographics interact with interfaces, including realistic timing, behavioral patterns, and frustration triggers. Use when: - Testing user interfaces before release - Validating UX flows from diverse perspectives - Conducting accessibility reviews - Optimizing onboarding or checkout experiences - Getting feedback on form design
14SKILL.mdUpdated Apr 8, 2026
ncklrs/skills/stripe-checkout
development
VerifiedTrustedCommunity
# Stripe Checkout Testing Skill This skill provides guidance for testing Stripe checkout flows with any persona. It handles test card data, form detection, and payment-specific narration. ## Purpose Enable realistic user testing of Stripe payment flows using official test cards, with persona-appropriate reactions to checkout experiences. ## Test Card Reference Load card data from `test-cards.json`. Key scenarios: | Scenario | Card | When to Use | |----------|------|-------------| | `succes
14SKILL.mdUpdated Apr 8, 2026
ncklrs/skills/smoke-testing
testing
VerifiedTrustedCommunity
# Smoke Testing Skill Run pre-configured smoke tests for common user flows. Quick validation that critical functionality works. ## What is Smoke Testing? Smoke testing is a quick sanity check to ensure basic functionality works before deeper testing. The name comes from electronics - if you turn on a circuit and smoke comes out, you know something is wrong without further testing. ## When to Use - Before releases to catch obvious breaks - After deployments to verify functionality - In CI/CD
14SKILL.mdUpdated Apr 8, 2026