Does this skill support DOM-based XSS detection?

Yes, the skill specifically targets DOM-based XSS by identifying dangerous JavaScript sinks like innerHTML and user-controllable sources like location.hash.

Does it provide remediation advice?

Yes, every vulnerability assessment includes recommendations for fixing the flaws, such as proper output encoding and secure CSP configurations.

Are there ethical guardrails included?

Absolutely. The skill emphasizes legal authorization, operational boundaries to prevent system damage, and the ethical handling of captured session data.

Can it help bypass Content Security Policies (CSP)?

It includes a variety of bypass techniques, including tag variations and JavaScript obfuscation, specifically designed to test the limits of CSP configurations.

What types of injection does this cover?

It covers Stored XSS, Reflected XSS, DOM-based XSS, and various forms of HTML injection including form hijacking and CSS-based data exfiltration.

XSS & HTML Injection Testing

Name: XSS & HTML Injection Testing
Author: zebbern

byzebbern

•

2,883

•

Security & Testing

Conducts comprehensive security audits to identify, exploit, and remediate client-side injection vulnerabilities in web applications.

This skill empowers Claude to perform advanced penetration testing for Cross-Site Scripting (XSS) and HTML injection flaws across stored, reflected, and DOM-based attack vectors. It provides a systematic framework for mapping input reflection points, crafting sophisticated payloads for session hijacking, and implementing filter bypass techniques to challenge Content Security Policies (CSP). Ideal for security researchers and developers, it transforms Claude into a security assistant capable of demonstrating real-world impact through proof-of-concept exploits while providing actionable remediation guidance for input sanitization and output encoding.

Key Features

012,883 GitHub stars

02Advanced bypass techniques for encoding, filters, and Content Security Policies

03Sophisticated payload generation for Stored, Reflected, and DOM-based XSS

04Detailed vulnerability reporting with severity assessments and remediation steps

05Proof-of-concept demonstrations for cookie theft and session hijacking

06Automated identification of vulnerable JavaScript sinks and input reflection points

Use Cases

01Validating the robustness of input sanitization and output encoding mechanisms

02Performing security penetration tests on web applications prior to production release

03Auditing third-party web components for client-side injection vulnerabilities

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add zebbern/claude-code-guide xss-html-injection

For use in Claude.ai and ChatGPT

Download Skill