- Home
- Skills
- Jcastillotx
- Vibe Skeleton App
- Xss Html Injection
xss-html-injection_skill
- JavaScript
0
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill jcastillotx/vibe-skeleton-app --skill xss-html-injection- SKILL.md12.9 KB
Overview
This skill describes a structured approach for assessing client-side injection risks like cross-site scripting (XSS) and HTML injection in web applications. It focuses on safe detection, classification, and remediation guidance rather than providing exploit recipes. Use it to evaluate input handling, output encoding, and client-side code that may introduce injection flaws.
How this skill works
The skill guides a tester through discovery, confirmation, and reporting phases: identify where user input is reflected or stored, determine whether issues are server-side, reflected, or DOM-based, and validate findings with controlled, non-destructive checks. It emphasizes use of browser developer tools, request inspection, and safe proof-of-concept techniques that avoid exfiltrating real user data.
When to use it
- During security assessments of web applications with user inputs
- When validating fixes for XSS or HTML injection reports
- Before deployment to verify frameworks and templating escape outputs
- When reviewing client-side JavaScript that processes URL fragments or user-controlled data
- When assessing Content Security Policy (CSP) and other browser defenses
Best practices
- Obtain written authorization and define a clear testing scope before any testing
- Avoid destructive payloads and do not exfiltrate real user data or credentials
- Prefer non-persistent, observable tests; capture only metadata required for reproduction
- Use browser consoles, safe captive test accounts, and isolated staging environments where possible
- Document reproduction steps, affected parameters, and recommended fixes (output encoding, input validation, CSP improvements)
Example use cases
- Assessment of a comment system or user profile fields for persistent injection risks
- Review of search and query parameters that reflect input into pages
- Audit of single-page app code that inserts URL fragments or query values into the DOM
- Validation of CSP and cookie attributes after a remediation patch
- Pre-release security checklist for templating and client-side rendering changes
FAQ
Only with explicit written authorization and a narrowly defined scope. Prefer staging environments for intrusive checks.
How should findings be reported?
Provide clear reproduction steps, the affected parameter/location, the XSS type (stored/reflected/DOM), impact assessment, and remediation suggestions like escaping, sanitization, and CSP recommendations.
What mitigations are most effective?
Consistently escape output based on context (HTML, attribute, JS), minimize use of dangerous sinks, enforce CSP, and mark sensitive cookies HttpOnly and Secure.