Fähigkeiten html-injection-testing
🛡️

html-injection-testing

Niedriges Risiko ⚡ Enthält Skripte⚙️ Externe Befehle🌐 Netzwerkzugriff

Test for HTML Injection Vulnerabilities

Web applications often fail to properly sanitize user input, allowing attackers to inject malicious HTML content. This skill provides comprehensive methodology for identifying HTML injection flaws through authorized security testing.

UnterstĂźtzt: Claude Codex Code(CC)
📊 70 Angemessen
1

Die Skill-ZIP herunterladen

2

In Claude hochladen

Gehe zu Einstellungen → Fähigkeiten → Skills → Skill hochladen

3

Einschalten und loslegen

Teste es

Verwendung von "html-injection-testing". Test search parameter for HTML injection

Erwartetes Ergebnis:

  • Phase 1: Identified injection point at /search?q= parameter
  • Phase 2: Basic payload test results: <h1>Test</h1> renders as heading - VULNERABLE
  • Phase 3: Stored injection confirmed - payload persists after page reload
  • Recommendation: Implement output encoding using htmlspecialchars() or DOMPurify

Verwendung von "html-injection-testing". What phishing payloads can demonstrate HTML injection risk?

Erwartetes Ergebnis:

  • Demonstration payload: Overlay form capturing credentials
  • Impact: Attacker can harvest user credentials via fake login form
  • Severity: Medium to High depending on authentication value
  • Remediation: Strict input validation and CSP headers

Sicherheitsaudit

Niedriges Risiko
v1 • 2/25/2026

This is a legitimate educational security testing skill for authorized HTML injection vulnerability assessment. Static findings are false positives or expected content for security education. The skill teaches penetration testing methodologies for identifying and reporting HTML injection flaws in web applications. All examples are clearly educational and the skill includes proper remediation guidance.

1
Gescannte Dateien
504
Analysierte Zeilen
7
befunde
1
Gesamtzahl Audits
Probleme mit mittlerem Risiko (2)
SKILL.md:429SKILL.md:433
innerHTML Assignment Examples
The skill contains examples of vulnerable innerHTML usage at lines 429 and 433. These are part of the 'Prevention and Remediation' section showing what NOT to do - they are educational examples of vulnerable patterns, not actual vulnerabilities in the skill itself.
SKILL.md:44-472
External Command Execution in Examples
The skill contains curl command examples for testing. These are standard security testing tools used for authorized vulnerability assessment. All examples target 'target.com' which is a placeholder domain, not real systems.
Probleme mit niedrigem Risiko (2)
SKILL.md:119-382
Hardcoded URLs in Examples
Examples contain URLs to 'attacker.com' and similar domains. These are standard educational placeholders used in security training. No actual malicious infrastructure is referenced.
SKILL.md:314-339
Encoding and Obfuscation Techniques
The skill documents bypass techniques using various encoding methods (URL, HTML entities, Unicode). This is standard educational content for understanding filter evasion in security testing.

Risikofaktoren

⚡ Enthält Skripte (2)
SKILL.md:429 SKILL.md:433
⚙️ Externe Befehle (60)
SKILL.md:44-57 SKILL.md:57-74 SKILL.md:74-85 SKILL.md:85-88 SKILL.md:88-99 SKILL.md:99-105 SKILL.md:105-125 SKILL.md:125-128 SKILL.md:128-137 SKILL.md:137-145 SKILL.md:145-160 SKILL.md:160-166 SKILL.md:166-172 SKILL.md:172-178 SKILL.md:178-186 SKILL.md:186-192 SKILL.md:192-198 SKILL.md:198-204 SKILL.md:204-228 SKILL.md:228-231 SKILL.md:231-233 SKILL.md:233-239 SKILL.md:239-261 SKILL.md:261-267 SKILL.md:267-277 SKILL.md:277-281 SKILL.md:281-287 SKILL.md:287-291 SKILL.md:291-298 SKILL.md:298-302 SKILL.md:302-308 SKILL.md:308-314 SKILL.md:314-339 SKILL.md:339-345 SKILL.md:345-353 SKILL.md:353-357 SKILL.md:357-362 SKILL.md:362-366 SKILL.md:366-397 SKILL.md:397-403 SKILL.md:403-412 SKILL.md:412-414 SKILL.md:414-422 SKILL.md:422-424 SKILL.md:424-434 SKILL.md:434-448 SKILL.md:448-449 SKILL.md:449-450 SKILL.md:450-451 SKILL.md:451-452 SKILL.md:452-453 SKILL.md:453-459 SKILL.md:459-469 SKILL.md:469 SKILL.md:469-470 SKILL.md:470 SKILL.md:470-471 SKILL.md:471 SKILL.md:471-472 SKILL.md:472
🌐 Netzwerkzugriff (30)
SKILL.md:390 SKILL.md:119 SKILL.md:120 SKILL.md:123 SKILL.md:130 SKILL.md:133 SKILL.md:136 SKILL.md:150 SKILL.md:155 SKILL.md:168 SKILL.md:168 SKILL.md:171 SKILL.md:181 SKILL.md:185 SKILL.md:194 SKILL.md:197 SKILL.md:210 SKILL.md:221 SKILL.md:223 SKILL.md:232 SKILL.md:254 SKILL.md:270 SKILL.md:276 SKILL.md:283 SKILL.md:293 SKILL.md:304 SKILL.md:307 SKILL.md:371 SKILL.md:379 SKILL.md:382

Erkannte Muster

False Positive: Windows SAM Database DetectionEducational Code Examples
Auditiert von: claude

Qualitätsbewertung

38
Architektur
100
Wartbarkeit
87
Inhalt
50
Community
76
Sicherheit
96
Spezifikationskonformität

Was du bauen kannst

Security Consultant Assessing Client Web Applications

A penetration tester conducting authorized security assessment for a client needs to identify HTML injection vulnerabilities in their web applications and provide a comprehensive report with remediation steps.

Developer Learning Web Security

A web developer wants to understand HTML injection vulnerabilities to write more secure code and properly validate user input in their applications.

QA Engineer Testing Input Handling

A QA engineer needs to verify that the application's input handling properly sanitizes HTML content and prevents injection attacks.

Probiere diese Prompts

Basic HTML Injection Test 
Use the html-injection-testing skill to help me test if our application's search function is vulnerable to HTML injection. The search parameter is 'q' and the URL is http://example.com/search
Stored Injection Assessment 
Help me test for stored HTML injection in the user profile bio field using the html-injection-testing skill. What test payloads should I use and how do I verify if the injection is stored?
Bypass Filter Testing 
Our application claims to filter HTML tags. Using the html-injection-testing skill, what encoding and bypass techniques should I test to verify if the filter can be evaded?
Remediation Verification 
After implementing input sanitization, how can I use the html-injection-testing skill to verify that the remediation is effective and no HTML injection vectors remain?

Bewährte Verfahren

  • Always obtain written authorization before testing any web application
  • Document all findings with proof-of-concept screenshots and request/response pairs
  • Test both GET and POST parameters, including hidden fields and cookies
  • Include remediation guidance in your report to help developers fix issues

Vermeiden

  • Testing production systems without explicit authorization
  • Using discovered vulnerabilities to access or exfiltrate data
  • Focusing only on automated tools without manual verification
  • Reporting findings without providing clear reproduction steps

Häufig gestellte Fragen

What is the difference between HTML injection and XSS?
HTML injection allows attackers to inject malicious HTML content into web pages, affecting only the page appearance. XSS (Cross-Site Scripting) allows execution of JavaScript code, which is more severe as it can steal cookies, session tokens, or perform actions on behalf of the user.
Can HTML injection lead to account compromise?
Yes, through phishing attacks. Attackers can inject fake login forms that appear legitimate and capture user credentials when submitted.
What tools are recommended for HTML injection testing?
Burp Suite, OWASP ZAP, and manual testing with curl are the primary tools. Automated scanners can find basic injection points but manual testing is needed for complex scenarios.
How do I prevent HTML injection in my web application?
Use output encoding (htmlspecialchars in PHP, escape in Python), implement Content Security Policy headers, validate input against allowlists, and use modern frameworks that auto-escape by default.
Is testing on localhost considered ethical?
Testing on your own systems or systems you own is generally acceptable. Always ensure you have explicit written authorization for any system you do not own.
What is the typical severity of HTML injection?
HTML injection is typically medium severity since it cannot execute JavaScript directly. However, when combined with phishing or defacement, the impact can be high, especially on sites with user authentication.

Entwicklerdetails

Autor

sickn33

Lizenz

MIT

Repository

https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/html-injection-testing

Ref

main

Dateistruktur

📄 SKILL.md