security.test_xss
Test web applications for Cross-Site Scripting vulnerabilities using non-destructive payloads to identify security weaknesses in target URLs and parameters.
Instructions
Test for XSS vulnerabilities (non-destructive payloads)
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| url | Yes | Target URL | |
| params | No | Parameters to test (key-value pairs) | |
| method | No | HTTP method | GET |
Implementation Reference
- src/tools/security.ts:31-121 (handler)The main async handler function implementing the security.test_xss tool logic. Tests target URL with multiple XSS payloads, checks for reflections in body/headers, determines vulnerability, saves findings to database if detected, and returns formatted ToolResult with test summary.
async ({ url, params = {}, method = 'GET' }: any): Promise<ToolResult> => { try { const payloads = [ '<script>alert(1)</script>', '"><img src=x onerror=alert(1)>', "'><svg onload=alert(1)>", 'javascript:alert(1)', '<iframe src=javascript:alert(1)>', ]; const results: SecurityTestResult[] = []; for (const payload of payloads) { try { let response: AxiosResponse; const testParams = { ...params, test: payload }; if (method === 'GET') { response = await axios.get(url, { params: testParams, validateStatus: () => true, timeout: 15000, headers: { 'User-Agent': 'Mozilla/5.0', }, }); } else { response = await axios.post(url, testParams, { validateStatus: () => true, timeout: 15000, headers: { 'User-Agent': 'Mozilla/5.0', 'Content-Type': 'application/x-www-form-urlencoded', }, }); } const body = typeof response.data === 'string' ? response.data : JSON.stringify(response.data); const reflected = body.includes(payload); const inHeaders = JSON.stringify(response.headers).includes(payload); const result: SecurityTestResult = { payload, response: { status: response.status, reflected, inHeaders, bodyLength: body.length, }, }; if (reflected || inHeaders) { result.vulnerability = 'XSS'; result.severity = 'high'; await saveFinding({ target: url, type: 'XSS', severity: 'high', description: `Potential XSS vulnerability - payload reflected: ${payload}`, payload, response: body.substring(0, 1000), timestamp: new Date(), score: 8, }); } results.push(result); } catch (error: any) { results.push({ payload, error: error.message, }); } } const xssScore = results.some((r: any) => r.vulnerable) ? 7 : 3; await saveTestResult(url, 'xss_test', true, { results }, undefined, xssScore, JSON.stringify(params), JSON.stringify(results)); return formatToolResult(true, { results, summary: { totalTests: payloads.length, potentialVulns: results.filter((r) => r.vulnerability).length, }, }); } catch (error: any) { await saveTestResult(url, 'xss_test', false, null, error.message, 0, undefined, undefined); return formatToolResult(false, null, error.message); } } - src/tools/security.ts:12-30 (schema)InputSchema object defining the tool's parameters: url (required string), params (optional object), method (optional string enum GET/POST/PUT with default GET).
description: 'Test for XSS vulnerabilities (non-destructive payloads)', inputSchema: { type: 'object', properties: { url: { type: 'string', description: 'Target URL' }, params: { type: 'object', description: 'Parameters to test (key-value pairs)', }, method: { type: 'string', description: 'HTTP method', enum: ['GET', 'POST', 'PUT'], default: 'GET', }, }, required: ['url'], }, }, - src/tools/security.ts:10-122 (registration)server.tool('security.test_xss', schema, handler) call within registerSecurityTools function, registering the tool on the MCP Server instance.
'security.test_xss', { description: 'Test for XSS vulnerabilities (non-destructive payloads)', inputSchema: { type: 'object', properties: { url: { type: 'string', description: 'Target URL' }, params: { type: 'object', description: 'Parameters to test (key-value pairs)', }, method: { type: 'string', description: 'HTTP method', enum: ['GET', 'POST', 'PUT'], default: 'GET', }, }, required: ['url'], }, }, async ({ url, params = {}, method = 'GET' }: any): Promise<ToolResult> => { try { const payloads = [ '<script>alert(1)</script>', '"><img src=x onerror=alert(1)>', "'><svg onload=alert(1)>", 'javascript:alert(1)', '<iframe src=javascript:alert(1)>', ]; const results: SecurityTestResult[] = []; for (const payload of payloads) { try { let response: AxiosResponse; const testParams = { ...params, test: payload }; if (method === 'GET') { response = await axios.get(url, { params: testParams, validateStatus: () => true, timeout: 15000, headers: { 'User-Agent': 'Mozilla/5.0', }, }); } else { response = await axios.post(url, testParams, { validateStatus: () => true, timeout: 15000, headers: { 'User-Agent': 'Mozilla/5.0', 'Content-Type': 'application/x-www-form-urlencoded', }, }); } const body = typeof response.data === 'string' ? response.data : JSON.stringify(response.data); const reflected = body.includes(payload); const inHeaders = JSON.stringify(response.headers).includes(payload); const result: SecurityTestResult = { payload, response: { status: response.status, reflected, inHeaders, bodyLength: body.length, }, }; if (reflected || inHeaders) { result.vulnerability = 'XSS'; result.severity = 'high'; await saveFinding({ target: url, type: 'XSS', severity: 'high', description: `Potential XSS vulnerability - payload reflected: ${payload}`, payload, response: body.substring(0, 1000), timestamp: new Date(), score: 8, }); } results.push(result); } catch (error: any) { results.push({ payload, error: error.message, }); } } const xssScore = results.some((r: any) => r.vulnerable) ? 7 : 3; await saveTestResult(url, 'xss_test', true, { results }, undefined, xssScore, JSON.stringify(params), JSON.stringify(results)); return formatToolResult(true, { results, summary: { totalTests: payloads.length, potentialVulns: results.filter((r) => r.vulnerability).length, }, }); } catch (error: any) { await saveTestResult(url, 'xss_test', false, null, error.message, 0, undefined, undefined); return formatToolResult(false, null, error.message); } } ); - src/index.ts:37-37 (registration)Invocation of registerSecurityTools(server) in main server setup, which registers the security.test_xss tool among others.
registerSecurityTools(server);