This is a practical XSS reference that skips the basics and goes straight to the techniques that catch people off guard. You get context-specific payloads for when reflection lands in HTML attributes, JavaScript strings, or DOM sinks, plus WAF bypass strategies like parameter name injection and encoding chains. The multi-reflection attacks and CSP bypass section using JSONP endpoints or AngularJS CDN whitelists are especially useful for real pentests. It assumes you already know alert(1) and focuses on the stuff base models miss: postMessage origin bypasses, PHP_SELF path injection, and framework-specific vectors. The routing to companion files for mXSS, DOM clobbering, and XS-Leaks is helpful when you need to go deeper without cluttering the main playbook.
npx skills add https://github.com/yaklang/hack-skills --skill xss-cross-site-scripting