Skip to content

feat: add XSS built-in agent skill with Dalfox workflow#74

Open
Shafranpackeer wants to merge 2 commits intosamugit83:masterfrom
Shafranpackeer:feature/xss-prompt-skill
Open

feat: add XSS built-in agent skill with Dalfox workflow#74
Shafranpackeer wants to merge 2 commits intosamugit83:masterfrom
Shafranpackeer:feature/xss-prompt-skill

Conversation

@Shafranpackeer
Copy link
Contributor

@Shafranpackeer Shafranpackeer commented Mar 25, 2026

Summary

Add XSS (Cross-Site Scripting) attack skill following the same prompt-based pattern as SQLi.

Features:

  • 7-step Dalfox workflow (target analysis, detection, WAF bypass, exploitation, long scan, payload generation, evidence collection)
  • OOB blind XSS workflow using Interactsh callbacks
  • Comprehensive WAF bypass techniques
  • UI settings for workers, timeout, WAF bypass mode, deep DOM analysis

WAF Bypass Techniques:

  • HTML entity encoding (<script>)
  • Hex/Unicode encoding (\x3c, \u003c)
  • Double URL encoding (%253C)
  • Case mixing (<ScRiPt>)
  • Null byte injection (<scri%00pt>)
  • Comment insertion (<scr<!---->ipt>)
  • Event handler payloads (onerror, onload, onfocus, ontoggle)
  • Context-specific payloads (attribute, JS string, template literal)

Blind XSS with OOB Callbacks:

  • Interactsh integration for blind XSS detection
  • Dalfox --blind flag support
  • Cookie/session/DOM data exfiltration payloads

Type of Change

  • New feature

Component(s)

  • webapp (Next.js)
  • agent (Python)

How to Test

# Verify Python syntax
cd agentic && python -m py_compile prompts/xss_prompts.py prompts/classification.py

# Test format placeholders
python -c "from prompts.xss_prompts import XSS_TOOLS; from project_settings import get_xss_settings_dict; XSS_TOOLS.format(**get_xss_settings_dict())"

# Verify classification wiring
python -c "from prompts.classification import _BUILTIN_SKILL_MAP; print('xss' in _BUILTIN_SKILL_MAP)"

Checklist

  • I have tested this change locally with docker compose
  • I have not included real-world target data
  • My commits follow Conventional Commits
  • I have read and agree to the DISCLAIMER.md

Screenshots

N/A - Backend prompts + settings UI, no major visual changes

Related Issues

Follows same pattern as SQLi skill implementation

Shafranpackeer and others added 2 commits March 26, 2026 09:38
@Shafranpackeer @claude
feat: add XSS built-in agent skill with Dalfox workflow
3492019 
Add a complete XSS (Cross-Site Scripting) attack skill following the
prompt-based pattern used by existing skills (SQLi, DoS, etc.).

Backend changes:
- Add xss_prompts.py with 7-step Dalfox workflow including:
  - Step 1: Target analysis with execute_curl
  - Step 2: Quick Dalfox detection scan
  - Step 3: WAF detection and bypass techniques
  - Step 4: Exploitation (reflected, stored, DOM, blind)
  - Step 5: Long scan mode for complex targets
  - Step 6: Payload generation priority
  - Step 7: Evidence collection
- Add OOB blind XSS workflow using Interactsh callbacks
- Add XSS payload reference with bypass techniques
- Register 'xss' in KNOWN_ATTACK_PATHS and classification
- Add XSS settings: workers, timeout, WAF bypass, deep DOM
- Wire XSS routing in prompts/__init__.py

Frontend changes:
- Add XssSection.tsx UI component for settings
- Add XSS to BUILT_IN_SKILLS in AttackSkillsSection.tsx
- Add xss* fields to Prisma schema

Uses existing tools (kali_shell -> dalfox, execute_curl) - no new MCP
servers required.

Inspired-by: samugit83#72 (Shafranpackeer/xss-attack-module)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@Shafranpackeer @claude
docs: add attack skills roadmap for future implementation
e5dfc20 
Document planned attack skills following prompt-based pattern:
- Priority 1: SSRF, Command Injection, SSTI
- Priority 2: NoSQL Injection, XXE, LFI/RFI
- Priority 3: JWT, GraphQL, WebSocket attacks
- Priority 4: Deserialization, HTTP Smuggling

Includes implementation pattern and references.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Shafranpackeer