Dynamic security testing of web forms using Playwright browser automation. Sends actual payloads to test for vulnerabilities. REQUIRES USER CONFIRMATION before execution. Use when user wants to "test payloads", "dynamic security test", "exploit testing", "penetration test forms".
This skill inherits all available tools. When active, it can use any tool Claude has access to.
dist/index.d.tsdist/index.jsdist/index.js.mappackage.jsonsrc/cli.tssrc/index.tssrc/payloads.tssrc/reporter.tssrc/runner.tssrc/types.tstsconfig.jsonDynamic security testing with real browser automation. This skill sends actual payloads to targets.
This skill sends real requests. ALWAYS get user confirmation first.
Security Test Plan
Target: http://localhost:3000/login
Payloads to send:
1. [XSS] <script>alert(1)</script> -> username field
2. [SQLi] ' OR '1'='1 -> password field
This will send real requests to the target.
Potential bounty: $5,000 - $15,000
Proceed? (yes/no)
# Install dependencies
cd ${CLAUDE_PLUGIN_ROOT}/skills/playwright-security-runner && npm install
# Dry run - shows what would be tested (SAFE)
npm --prefix ${CLAUDE_PLUGIN_ROOT}/skills/playwright-security-runner run dev -- \
--url "http://localhost:3000/login" \
--dry-run
# Actually run tests (REQUIRES CONFIRMATION)
npm --prefix ${CLAUDE_PLUGIN_ROOT}/skills/playwright-security-runner run dev -- \
--url "http://localhost:3000/login" \
--test xss,sqli
# Or after building
npm --prefix ${CLAUDE_PLUGIN_ROOT}/skills/playwright-security-runner run build
node ${CLAUDE_PLUGIN_ROOT}/skills/playwright-security-runner/dist/index.js \
--url "http://localhost:3000/login" \
--test xss,sqli
| Type | What It Tests | Payloads |
|---|---|---|
xss | Cross-site scripting | Script tags, event handlers |
sqli | SQL injection | Quotes, UNION, comments |
auth | Authentication | Bypass attempts |
| Option | Description |
|---|---|
--url <url> | Target URL (required) |
--form <selector> | CSS selector for form (optional) |
--test <types> | Comma-separated test types |
--dry-run | Show plan without executing |
--screenshot | Capture screenshots of results |
--json | Output as JSON |
--headed | Run with visible browser |
WARNING: Production URL Detected
The target URL appears to be a production system:
https://example.com/login
Security testing against production:
- May cause service disruption
- Could trigger security alerts
- May violate terms of service
Ensure you have authorization to test this target.
npm run dev -- --url "http://target.com" --dry-run
Output:
DRY RUN MODE
Target: http://target.com/login
Form: All forms
Tests: xss, sqli
Payloads that would be sent:
[XSS] - Bounty: $500 - $10,000
1. script-tag: <script>alert(1)</script>...
2. img-onerror: <img src=x onerror=alert(1)>...
No requests sent. Remove --dry-run to execute tests.
## VULNERABILITY FOUND
**Type**: Reflected XSS
**Severity**: HIGH
**Bounty Estimate**: $2,000 - $10,000
**Target**: http://localhost:3000/search
**Field**: query
**Payload**: <script>alert(1)</script>
**Evidence**:
- Payload reflected in response without encoding
- Alert dialog triggered
**Screenshot**: ./screenshots/xss-001.png