dangling-markup-injection
Community
Exfiltrate data when CSP blocks JavaScript.
Software Engineering
#csp, #web security, #data exfiltration, #html injection, #xss mitigation bypass, #csrf token theft, #browser parsing
Author: DorianGallo
Version: 1.0.0
Installs: 0
System Documentation
What problem does it solve?
Dangling markup injection helps you steal sensitive page data even when classic XSS is blocked by CSP or sanitizers that remove script execution.
Core Features & Use Cases
- HTML injection exfiltration without JavaScript: Use unclosed tags to force the browser to load attacker-controlled URLs that include captured content.
- Context- and browser-aware vectors: Choose tag types and quote contexts to maximize what gets consumed and exfiltrated across Chrome/Firefox/Safari differences.
- Data targeting for real apps: Focus on CSRF tokens, pre-filled form values, session identifiers, and other secrets present after the injection point.
- Amplification and chaining: Pair with CSRF, open redirects, and cache deception to increase impact when needed.
Quick Start
Use the dangling-markup-injection skill to identify an HTML injection point on a page where secrets appear after it, then select a CSP-compliant dangling tag vector that forces the browser to send those secrets to a controlled endpoint.
Dependency Matrix
Required Modules
None required
Components
Standard package
💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill:
Name: dangling-markup-injection
Download link: https://github.com/DorianGallo/hack-skills-local/archive/main.zip#dangling-markup-injection
Please download this .zip file, extract it, and install it in the .claude/skills/ directory.