## https://sploitus.com/exploit?id=100EB90F-41EE-5C0A-A5FB-674097998814
# XSS Vulnerability Scanner Plugin

Comprehensive cross-site scripting (XSS) vulnerability detection with context-aware analysis and bypass technique testing.

## Features

- **All XSS Types** - Reflected, Stored, DOM-based
- **Context Analysis** - HTML, JavaScript, CSS, URL contexts
- **WAF Bypass Testing** - Common filter evasion techniques
- **Mutation XSS Detection** - Browser-specific quirks
- **CSP Evaluation** - Content Security Policy effectiveness
- **Exploitation PoCs** - Safe proof-of-concept payloads

## Installation

```bash
/plugin install xss-vulnerability-scanner@claude-code-plugins-plus
```

## Usage

```bash
/scan-xss
# Or shortcut
/xss
```

## XSS Types Detected

### 1. Reflected XSS

User input immediately reflected in response without sanitization.

```javascript
// VULNERABLE
app.get('/search', (req, res) => {
    // req.query.q is placed straight into the HTML response body
    res.send(`Search results for: ${req.query.q}`);
});

// Attack
// /search?q=alert(document.cookie)

// SECURE
const escapeHtml = require('escape-html');

app.get('/search', (req, res) => {
    // String() guards against ?q=a&q=b arriving as an array
    const sanitized = escapeHtml(String(req.query.q ?? ''));
    res.send(`Search results for: ${sanitized}`);
});
```

### 2. Stored XSS (Persistent XSS)

Malicious script stored in database and executed when viewed.

```javascript
// VULNERABLE
app.post('/comment', async (req, res) => {
    await db.comments.insert({
        text: req.body.comment          // stored verbatim
    });
    res.sendStatus(201);
});

app.get('/comments', async (req, res) => {
    const comments = await db.comments.findAll();
    res.send(comments.map(c => `${c.text}`).join(''));   // rendered verbatim
});

// Attack
// comment:

// SECURE
const sanitizeHtml = require('sanitize-html');

app.post('/comment', async (req, res) => {
    await db.comments.insert({
        // allowlist-based sanitizer applied before storage; output encoding
        // at render time is still the primary control
        text: sanitizeHtml(String(req.body.comment ?? ''))
    });
    res.sendStatus(201);
});
```

### 3. DOM-based XSS

Vulnerability in client-side JavaScript code.

```javascript
// VULNERABLE
document.getElementById('greeting').innerHTML =
    'Hello ' + location.hash.substring(1);   // fragment is parsed as HTML

// Attack
// http://example.com/#

// SECURE
document.getElementById('greeting').textContent =
    'Hello ' + location.hash.substring(1);
// textContent inserts the value as a text node, so any markup in it is never parsed
```

## Context-Specific Exploitation

### HTML Context

```html

User input: USER_INPUT


alert(1)


```

### JavaScript Context

```html

var name = 'USER_INPUT';


'; alert(1); //
'; alert(1); var x='
'-alert(1)-'
```

### HTML Attribute Context

```html




" onload="alert(1)
" autofocus onfocus="alert(1)
```

### URL Context

```html

Click


javascript:alert(1)
data:text/html,alert(1)
```

### CSS Context

```html

body { background: USER_INPUT; }


}body{background:url('javascript:alert(1)');}
expression(alert(1))
```
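Each context above needs its own treatment: the HTML-body encoder does nothing useful inside a JavaScript string, and no encoder at all makes `javascript:` safe in a URL. The following is an added example written for this page (not the plugin's code) of one encoder per context in Node.js; the function names, the `'#'` and `'transparent'` fallback values, and the `encodeForContext` dispatcher are assumptions, and the URL check goes slightly beyond the text by stripping control characters before inspecting the scheme.

```javascript
// Added example: one encoder per output context (not code from the plugin).
// The same input must be treated differently depending on where it lands.

// HTML body context: entity-encode the characters that start markup or
// terminate attributes. Sufficient when the value sits between tags.
function encodeHtml(input) {
    const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
    return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// HTML attribute context: encode everything except alphanumerics, so a quote
// or a space can never close the attribute whatever quoting the template used
// (neutralises the `" onload="alert(1)` family of payloads).
function encodeHtmlAttr(input) {
    return String(input).replace(/[^A-Za-z0-9]/gu,
        (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// JavaScript string context: hex/unicode-escape non-alphanumerics so the value
// cannot close the quote, add a statement, or emit "</script>".
function encodeJsString(input) {
    return String(input).replace(/[^A-Za-z0-9]/gu, (c) => {
        const cp = c.codePointAt(0);
        return cp < 0x100
            ? `\\x${cp.toString(16).padStart(2, '0')}`
            : `\\u{${cp.toString(16)}}`;
    });
}

// URL context (href/src): allow only http(s) and relative URLs. Browsers
// ignore ASCII control characters inside the scheme, so they are removed
// before the check (otherwise "java\tscript:" would pass). '#' is the
// assumed fallback for rejected values.
function safeHref(input) {
    const url = String(input).trim();
    const schemeProbe = url.replace(/[\u0000-\u0020]/g, '');
    if (/^[a-z][a-z0-9+.-]*:/iu.test(schemeProbe) && !/^https?:/iu.test(schemeProbe)) {
        return '#';
    }
    return url;
}

// CSS value context: there is no general-purpose encoder, so validate against
// an allowlist for the expected value type (a colour here). 'transparent' is
// the assumed fallback.
function safeCssColor(input) {
    const value = String(input).trim();
    if (/^#[0-9a-f]{3,8}$/iu.test(value) || /^[a-z]{3,20}$/iu.test(value)) {
        return value;
    }
    return 'transparent';
}

// Dispatcher: the template author knows the context, so they choose it here.
// The URL branch attribute-encodes the checked value, since it lands in href="".
function encodeForContext(input, context) {
    switch (context) {
        case 'html': return encodeHtml(input);
        case 'attr': return encodeHtmlAttr(input);
        case 'js':   return encodeJsString(input);
        case 'url':  return encodeHtmlAttr(safeHref(input));
        case 'css':  return safeCssColor(input);
        default: throw new Error(`unknown output context: ${context}`);
    }
}
```

A value placed in two contexts at once (a string literal inside an inline event handler, for example) must be encoded for each layer in turn, innermost first; the dispatcher above deliberately does not try to guess that nesting.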

## Filter Bypass Techniques

### Case Variation

```html
alert(1)

```

### Encoding

```html

<script>alert(1)</script>


%3Cscript%3Ealert(1)%3C/script%3E


\u003cscript\u003ealert(1)\u003c/script\u003e



```

### Null Bytes

```html
alert(1)

```

### Comment Breaking

```html
alert(1)-->

```

### Attribute Breaking

```html


```
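The variants above all defeat a filter that looks for the literal string `<script`, which is why a scanner or monitoring rule canonicalises input before matching. The block below is an added example (written for this page, not the plugin's own detection code) that decodes percent-encoding, `\uXXXX` escapes and HTML entities in bounded rounds, strips control characters and lowercases, then checks a small marker list drawn from the contexts on this page. The marker names and the three-round limit are assumptions. It is triage logic for logs and scan output; it over-approximates on purpose and is not a substitute for output encoding.

```javascript
// Added example (not the plugin's code): canonicalise before matching, so the
// encoding, case and null-byte tricks listed above do not hide a payload.

const ENTITY_NAMES = { lt: '<', gt: '>', quot: '"', amp: '&', apos: "'" };

// String.fromCodePoint throws above U+10FFFF; drop such references instead.
function codePointToString(cp) {
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
}

// One decoding pass: percent-encoding, JavaScript \uXXXX escapes, HTML entities.
function decodeOnce(s) {
    let out = s;
    try {
        out = decodeURIComponent(out);
    } catch (e) {
        // not valid percent-encoding (a bare "%", for instance): keep the text
    }
    out = out.replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
    out = out
        .replace(/&#x([0-9a-fA-F]+);?/g, (_, hex) => codePointToString(parseInt(hex, 16)))
        .replace(/&#(\d+);?/g, (_, dec) => codePointToString(parseInt(dec, 10)))
        .replace(/&(lt|gt|quot|amp|apos);/g, (_, name) => ENTITY_NAMES[name]);
    return out;
}

// Repeat until stable, with a bound, because payloads may be double-encoded.
function normalize(input, maxRounds = 3) {
    let s = String(input);
    for (let i = 0; i < maxRounds; i++) {
        const next = decodeOnce(s);
        if (next === s) break;
        s = next;
    }
    // Remove C0 control characters (NUL bytes included), which some parsers
    // skip inside tag names and schemes, then lowercase to ignore case variation.
    return s.replace(/[\u0000-\u001f]/g, '').toLowerCase();
}

// Indicators taken from the contexts and bypasses described on this page.
// Names are assumed; the event-handler pattern knowingly over-matches words
// such as "online=", which is acceptable for triage but not for blocking.
const MARKERS = [
    ['script-tag',     /<script/],
    ['event-handler',  /\bon[a-z]+\s*=/],
    ['javascript-url', /javascript:/],
    ['data-html-url',  /data:text\/html/],
    ['css-expression', /expression\s*\(/],
    ['css-js-url',     /url\(\s*['"]?javascript:/],
];

// Returns the marker names that fire on the canonical form of the input.
function detectXss(input) {
    const canonical = normalize(input);
    return MARKERS.filter(([, re]) => re.test(canonical)).map(([name]) => name);
}
```

Run it over request parameters or stored field values from a scan; an empty list means none of the page's markers fired, not that the value is safe.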

## Example Report

```
XSS VULNERABILITY SCAN REPORT
==============================
URLs Tested: 150
Parameters Tested: 450
Vulnerabilities Found: 8
Critical: 3
High: 4
Medium: 1

CRITICAL VULNERABILITIES
------------------------

1. Stored XSS in User Profile
   Location: /api/profile/update
   Parameter: bio
   Type: Stored XSS
   Severity: CRITICAL (CVSS 9.0)

   Vulnerable Endpoint:
   POST /api/profile/update
   {
       "bio": "alert(document.cookie)"
   }

   Stored Location: users.bio column
   Triggered When: Profile viewed by any user

   Payload:
   

   Impact:
   - Session hijacking for all users viewing profile
   - Cookie theft
   - Account takeover
   - Worm propagation

   Remediation:
   // Server-side (Node.js)
   const DOMPurify = require('isomorphic-dompurify');

   app.post('/api/profile/update', (req, res) => {
       const sanitized = DOMPurify.sanitize(req.body.bio);
       db.updateProfile(req.user.id, { bio: sanitized });
   });

   // Client-side (React)
   import DOMPurify from 'dompurify';

   function Profile({ bio }) {
       return (
           
       );
   }

2. Reflected XSS in Search Function
   Location: /search
   Parameter: q
   Type: Reflected XSS
   Severity: CRITICAL (CVSS 8.2)

   Vulnerable Code:
   app.get('/search', (req, res) => {
       res.send(`
           Search results for: ${req.query.q}
           
       `);
   });

   Payload:
   /search?q=

   Advanced Payload (WAF Bypass):
   /search?q=
   // Base64: alert(document.cookie)

   Impact:
   - Phishing attacks
   - Session theft
   - Keylogging
   - Drive-by downloads

   Remediation:
   const escapeHtml = require('escape-html');

   app.get('/search', (req, res) => {
       const sanitized = escapeHtml(req.query.q);
       res.send(`
           Search results for: ${sanitized}
           
       `);
   });

3. DOM-based XSS in Client Router
   Location: /app.js
   Source: location.hash
   Type: DOM XSS
   Severity: HIGH (CVSS 7.4)

   Vulnerable Code:
   // app.js
   window.addEventListener('hashchange', () => {
       const page = location.hash.substring(1);
       document.getElementById('content').innerHTML =
           `Page: ${page}`;
   });

   Attack URL:
   http://example.com/#

   Impact:
   - Client-side session theft
   - Unauthorized actions
   - Data exfiltration

   Remediation:
   window.addEventListener('hashchange', () => {
       const page = location.hash.substring(1);
       // Use textContent instead of innerHTML
       document.getElementById('content').textContent =
           `Page: ${page}`;
   });
```

## Defense Mechanisms

### 1. Input Validation

```javascript
const validator = require('validator');

function validateInput(input) {
    // Whitelist approach
    if (!validator.isAlphanumeric(input, 'en-US', {ignore: ' -'})) {
        throw new Error('Invalid characters');
    }
    return input;
}
```

### 2. Output Encoding

```javascript
// HTML Context
function escapeHtml(unsafe) {
    return String(unsafe)
        .replace(/&/g, "&amp;")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/"/g, "&quot;")
        .replace(/'/g, "&#039;");
}

// JavaScript Context (value inside a quoted string literal only).
// "<" is escaped as well so the value cannot contain "</script>" and end
// the enclosing script block before the JavaScript parser ever runs.
function escapeJs(unsafe) {
    return String(unsafe).replace(/\\/g, '\\\\')
                 .replace(/'/g, "\\'")
                 .replace(/"/g, '\\"')
                 .replace(/\n/g, '\\n')
                 .replace(/\r/g, '\\r')
                 .replace(/</g, '\\x3c');
}
```

### 3. Content Security Policy

```javascript
const crypto = require('crypto');

app.use((req, res, next) => {
    // Fresh nonce per response; templates must copy it onto every
    // <script nonce="..."> tag they emit (exposed here via res.locals)
    const nonce = crypto.randomBytes(16).toString('base64');
    res.locals.cspNonce = nonce;
    res.setHeader("Content-Security-Policy",
        "default-src 'self'; " +
        `script-src 'self' 'nonce-${nonce}'; ` +   // template literal so the nonce is interpolated
        "style-src 'self' 'unsafe-inline'; " +
        "img-src 'self' data: https:; " +
        "font-src 'self'; " +
        "connect-src 'self'; " +
        "frame-ancestors 'none'; " +
        "base-uri 'self'; " +
        "form-action 'self'"
    );
    next();
});
```
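The feature list mentions CSP evaluation. As an added example (written for this page, not the plugin's own evaluator), the block below parses a `Content-Security-Policy` header value and reports the findings a reviewer would raise against a policy meant to contain XSS: inline scripts allowed without a nonce or hash, `'unsafe-eval'`, wildcard or scheme-only script sources, unrestricted `object-src`, and missing `base-uri` or `frame-ancestors`. The set of checks and the finding texts are my choices; the fallback rules follow the CSP specification (fetch directives inherit from `default-src`, document and navigation directives do not, and duplicate directives after the first are ignored).

```javascript
// Added example (not the plugin's code): evaluate a CSP header for XSS containment.

// Parse "directive value value; directive value" into a Map.
function parseCsp(header) {
    const policy = new Map();
    for (const part of String(header).split(';')) {
        const tokens = part.trim().split(/\s+/).filter(Boolean);
        if (tokens.length === 0) continue;
        const [name, ...values] = tokens;
        const key = name.toLowerCase();
        // Browsers ignore a repeated directive, so the first occurrence wins here too
        if (!policy.has(key)) policy.set(key, values);
    }
    return policy;
}

// Directives that do NOT inherit from default-src.
const NO_FALLBACK = new Set(['base-uri', 'frame-ancestors', 'form-action', 'sandbox', 'report-uri', 'report-to']);

// The source list that actually applies, or null when nothing restricts it.
function effectiveSources(policy, directive) {
    if (policy.has(directive)) return policy.get(directive);
    if (!NO_FALLBACK.has(directive) && policy.has('default-src')) return policy.get('default-src');
    return null;
}

// Returns a list of finding strings; an empty list means no check fired.
function evaluateCsp(header) {
    const policy = parseCsp(header);
    const findings = [];

    const script = effectiveSources(policy, 'script-src');
    if (script === null) {
        findings.push("script-src: neither script-src nor default-src is set; scripts are unrestricted");
    } else {
        // With a nonce or hash present, browsers ignore 'unsafe-inline' (kept for old clients)
        const nonceOrHash = script.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
        if (script.includes("'unsafe-inline'") && !nonceOrHash) {
            findings.push("script-src: 'unsafe-inline' without a nonce or hash lets injected inline scripts run");
        }
        if (script.includes("'unsafe-eval'")) {
            findings.push("script-src: 'unsafe-eval' allows eval()/Function() on attacker-influenced strings");
        }
        if (script.some((v) => v === '*' || /^https?:$/.test(v) || v === 'data:')) {
            findings.push("script-src: wildcard, scheme-only or data: source allows scripts from arbitrary origins");
        }
    }

    const object = effectiveSources(policy, 'object-src');
    if (object === null || object.includes('*')) {
        findings.push("object-src: unrestricted; set object-src 'none' unless plugins are required");
    }
    if (!policy.has('base-uri')) {
        findings.push("base-uri: missing; an injected <base> tag can redirect relative script URLs");
    }
    if (!policy.has('frame-ancestors')) {
        findings.push("frame-ancestors: missing; the page can be framed by other origins");
    }
    return findings;
}
```

Feed it the header value captured from a response (`res.getHeader('Content-Security-Policy')` in Express, or the value from a scanner's HTTP log); the policy from the snippet above, with a real nonce substituted, produces no findings.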

### 4. HTTP-Only Cookies

```javascript
res.cookie('session', token, {
    httpOnly: true,  // No JavaScript access
    secure: true,    // HTTPS only
    sameSite: 'strict'
});
```

### 5. DOMPurify Sanitization

```javascript
const DOMPurify = require('isomorphic-dompurify');

const clean = DOMPurify.sanitize(dirty, {
    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a'],
    ALLOWED_ATTR: ['href']
});
```

## Best Practices

1. **Never Trust User Input** - Sanitize everything
2. **Context-Aware Encoding** - Different contexts need different encoding
3. **Use Security Libraries** - DOMPurify, OWASP Java Encoder
4. **Implement CSP** - Strong Content Security Policy
5. **HTTPOnly Cookies** - Prevent cookie theft
6. **Regular Testing** - Automated and manual XSS testing

## License

MIT License - See LICENSE file for details