offensive-xss

# SKILL: Cross-Site Scripting (XSS)

## Metadata
- **Skill Name**: xss
- **Folder**: offensive-xss
- **Source**: https://github.com/SnailSploit/offensive-checklist/blob/main/xss.md

## Description
Cross-Site Scripting testing checklist: stored/reflected/DOM/blind XSS discovery, polyglot payloads, CSP bypass, XSS filter bypass, event handler injection, DOM clobbering, mutation XSS, and impact escalation (session hijack, phishing, keylogging). Use for web app XSS testing and bug bounty.

## Trigger Phrases
Use this skill when the conversation involves any of:
`XSS, cross-site scripting, stored XSS, reflected XSS, DOM XSS, blind XSS, CSP bypass, XSS filter bypass, polyglot, DOM clobbering, mutation XSS, event handler injection`

## Instructions for Claude

When this skill is active:
1. Load and apply the full methodology below as your operational checklist
2. Follow steps in order unless the user specifies otherwise
3. For each technique, consider applicability to the current target/context
4. Track which checklist items have been completed
5. Suggest next steps based on findings

---

## Full Methodology

# Cross-Site Scripting (XSS)

## Shortcut

- Look for user input opportunities on the application. When user input is stored and used to construct a web page later, test the input field for stored XSS. if user input in a URL gets reflected back on the resulting web page, test for reflected and DOM XSS.
- Insert XSS payloads into the user input fields you've found. Insert payloads from lists online, a polyglot payload, or a generic test string.
- Confirm the impact of the payload by checking whether your browser runs your JavaScript code. Or in the case of a blind XSS, see if you can make the victim browser generate a request to your server.
- If you can't get any payloads to execute, try bypassing XSS protections.
- Automate the XSS hunting process
- Consider the impact of the XSS you've found: who does it target? How many users can it affect? And what can you achieve with it? Can you escalate the attack by using what you've found?

## Mechanisms

Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject malicious client-side scripts into web pages viewed by other users. XSS occurs when applications incorporate user-supplied data into a page without proper validation or encoding.

### Types of XSS

```mermaid
flowchart TD
    A[Cross-Site Scripting] --> B[Stored XSS]
    A --> C[Reflected XSS]
    A --> D[DOM-Based XSS]
    A --> E[Blind XSS]

    B -->|"Persists in DB"| B1[Comments]
    B -->|"Persists in DB"| B2[User Profiles]
    B -->|"Persists in DB"| B3[Product Reviews]

    C -->|"Reflected in response"| C1[Search Results]
    C -->|"Reflected in response"| C2[Error Messages]
    C -->|"Reflected in response"| C3[URL Parameters]

    D -->|"Client-side execution"| D1[Client-side Routing]
    D -->|"Client-side execution"| D2[DOM Manipulation]

    E -->|"Hidden Execution"| E1[Admin Panels]
    E -->|"Hidden Execution"| E2[Log Viewers]
```

#### Stored (Persistent) XSS

- Malicious script is permanently stored on target servers (databases, message forums, comment fields)
- Executed when victims access the stored content
- Most dangerous as it affects all visitors to the vulnerable page
- Examples: comments, user profiles, product reviews

```mermaid
sequenceDiagram
    actor A as Attacker
    participant W as Web Server
    participant DB as Database
    actor V as Victim

    A->>W: Submit malicious script via form
    W->>DB: Store user input with script
    V->>W: Request page with stored content
    W->>DB: Retrieve stored content
    DB->>W: Return content with malicious script
    W->>V: Deliver page with malicious script
    Note over V: Script executes in victim's browser
    V->>A: Stolen data sent to attacker
```

#### Reflected (Non-Persistent) XSS

- Script is reflected off the web server in an immediate response
- Typically delivered via URLs (parameters, search fields)
- Requires victim to click a malicious link or visit a crafted page
- Examples: search results, error messages, redirects

```mermaid
sequenceDiagram
    actor A as Attacker
    actor V as Victim
    participant W as Web Server

    A->>V: Send malicious URL
    V->>W: Click link with malicious script in parameters
    W->>V: Return page with reflected script
    Note over V: Script executes in victim's browser
    V->>A: Stolen data sent to attacker
```

#### DOM-Based XSS

- Vulnerability exists in client-side code rather than server-side
- Malicious content never reaches the server
- Occurs when JavaScript dynamically updates the DOM using unsafe methods
- Examples: client-side routing, client-side templating

```mermaid
sequenceDiagram
    actor A as Attacker
    actor V as Victim
    participant W as Web Server
    participant DOM as DOM

    A->>V: Send malicious URL with fragment
    V->>W: Request page (fragment not sent to server)
    W->>V: Return page with JavaScript
    Note over V: JavaScript processes URL fragment
    V->>DOM: Update DOM with malicious content
    Note over V: Script executes in victim's browser
    V->>A: Stolen data sent to attacker
```

#### Blind XSS

- Special type of stored XSS where impact isn't immediately visible
- Payload activates in areas not accessible to the attacker (admin panels, logs)
- Often discovered using specialized tools that callback to attacker-controlled servers

#### LLM-Generated Content XSS

- **AI Integration Risks**: Large Language Models generating unsafe HTML
- **Prompt Injection → XSS**: Manipulating AI to output malicious scripts
- **RAG (Retrieval Augmented Generation) XSS**: Injecting payloads into vector databases that get included in AI responses

```mermaid
sequenceDiagram
    actor A as Attacker
    participant U as User
    participant AI as LLM/AI Service
    participant DB as Vector DB
    participant W as Web App

    A->>DB: Inject payload into training/context data
    U->>W: Ask AI a question
    W->>AI: Fo