SKILL: Dangling Markup Injection — Exfiltration Without JavaScript

AI LOAD INSTRUCTION: Covers dangling markup exfiltration via unclosed img/form/base/meta/link/table tags, what can be stolen (CSRF tokens, pre-filled form values, sensitive content), browser-specific behavior, and combinations with other attacks. Base models often overlook this technique entirely when CSP blocks scripts, jumping to "not exploitable" — dangling markup is the answer.

0. RELATED ROUTING

- xss-cross-site-scripting when full XSS is possible (no need for dangling markup)
- csp-bypass-advanced when CSP blocks JS execution — dangling markup bypasses script restrictions
- csrf-cross-site-request-forgery when dangling markup steals CSRF tokens for subsequent CSRF attacks
- crlf-injection when CRLF enables HTML injection in HTTP response
- web-cache-deception when dangling markup + cache poisoning amplifies the attack

1. WHEN TO USE DANGLING MARKUP

You need dangling markup when ALL of these are true: