Client-Side Testing (/test-client)
/test-client is now a compatibility router. Real execution should prefer the dedicated skills, run in this order:
- /test-csrf-cors
- /test-dom
- /test-client-misc
These dedicated entrypoints keep the same methodology while avoiding the old monolithic prompt load.
Usage:
- `/test-client <target_url> [scope] [engagement_dir]`
- `/test-client <target_url> --scope <csrf-cors|dom|misc> [engagement_dir]`
Scope Routing
| Scope | Dedicated Skill | Focus |
|---|---|---|
| csrf-cors | /test-csrf-cors | CSRF, CORS, clickjacking, DoubleClickjacking, cookie tossing, cross-origin browser trust |
| dom | /test-dom | Source-sink analysis, DOM XSS, postMessage, DOM clobbering, dangling markup, CSTI, XSSI |
| misc | /test-client-misc | WebSockets, CSP bypass, service workers, XS-Leaks, CSPT, reverse tabnabbing, prototype pollution |
Coverage by Sub-Skill
- /test-csrf-cors: covers SameSite-aware CSRF analysis, JSON/content-type downgrade, CORS trust issues, clickjacking, DoubleClickjacking, and cookie-assisted cross-origin abuse.
- /test-dom: covers mandatory JS sink discovery, DOM XSS path tracing, postMessage, DOM clobbering, dangling markup, client-side template injection, and related DOM flows.
- /test-client-misc: covers WebSocket auth and message security, CSP bypass, service-worker abuse, XS-Leaks, CSPT, reverse tabnabbing, and prototype-pollution gadget verification.
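The "CORS trust issues" check above, shown as an added example rather than the skill's own code: a set of probe origins is sent to the target, and a finding is raised only when the returned Access-Control-* headers would let a browser on that origin read the response. The target origin, the probe list and the two simulated servers (one reflecting any origin that ends in the target host, one with an exact-match allowlist) are constructed for this example; a real run issues the probes over HTTP and reads the headers from each response.

```javascript
// Added example, not the /test-csrf-cors skill's own code. The origin,
// probe list and both "servers" are constructed stand-ins.

const TARGET = 'https://target.example'; // assumed target origin

// Probe origins: a plain cross-site origin, two shapes that defeat sloppy
// origin validation (suffix match, subdomain-looking prefix), and the
// literal "null" origin that sandboxed iframes and data: URLs send.
const PROBES = [
  'https://evil.example',
  'https://evil-target.example',
  'https://target.example.evil.example',
  'null',
];

// Simulated misconfigured server: reflects any origin whose string ends in
// the target host, trusts "null", and allows credentials on all of them.
function vulnerableCors(origin) {
  if (origin === 'null' || origin.endsWith('target.example')) {
    return {
      'access-control-allow-origin': origin,
      'access-control-allow-credentials': 'true',
    };
  }
  return {};
}

// Simulated hardened server: exact-match allowlist; unknown origins get no
// Access-Control-Allow-Origin header at all, so the browser blocks the read.
function hardenedCors(origin) {
  const allowed = new Set([TARGET, 'https://app.target.example']);
  return allowed.has(origin)
    ? { 'access-control-allow-origin': origin, 'access-control-allow-credentials': 'true' }
    : {};
}

// Classify one probe. A finding is raised only when a browser would let the
// probing page read the response, which is the browser-visible-impact bar
// the router keeps for cross-origin results.
function classify(origin, headers) {
  const acao = headers['access-control-allow-origin'];
  const creds = headers['access-control-allow-credentials'] === 'true';
  if (!acao) return null;                 // no grant: same-origin policy holds
  if (acao === '*') {
    // Browsers refuse credentialed responses under a wildcard, so only
    // content that is public anyway becomes readable.
    return { origin, severity: 'low', why: 'wildcard origin, no credentialed read' };
  }
  if (acao !== origin) return null;       // grant names some other origin
  const why = origin === 'null' ? 'null origin trusted' : 'origin reflected';
  // With credentials the attacker reads the victim's authenticated data;
  // without them the read is limited to what an anonymous client sees.
  return { origin, severity: creds ? 'high' : 'medium', why };
}

function auditCors(server, probes = PROBES) {
  return probes.map(origin => classify(origin, server(origin))).filter(Boolean);
}
```

Against the simulated vulnerable server the audit flags the suffix-match bypass origin and the null origin as high (reflected with credentials) and stays silent for the other two probes; against the allowlisted server it reports nothing, which is the expected no-finding baseline before any CORS issue is scored.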
Router Behavior
If --scope is supplied, /test-client immediately routes to the matching dedicated skill. Without --scope, the intended execution order is:
- /test-csrf-cors
- /test-dom
- /test-client-misc
Session-cookie endpoint discovery remains a prerequisite for all three scopes.
Model and Thinking Budget
| Component | Model (thinking budget) | Rationale |
|---|---|---|
| /test-csrf-cors | Opus (medium) | Cross-origin reasoning with browser policy checks |
| /test-dom | Opus (high) | Source-sink and browser execution-path reasoning |
| /test-client-misc | Opus (medium) | Advanced but more pattern-driven browser attack surface |
Kill Switch
| Limit | Value |
|---|---|
| Timeout | 45 minutes |
| Max requests | 500 (warning at 400) |
Critical Behaviors Preserved
- Session-cookie discovery still runs before scoring CSRF, DOM-auth, or WebSocket conclusions.
- SameSite and credential mode still gate CSRF severity.
- DOM findings still require a viable attacker-controlled path to a dangerous sink.
- WebSocket, CSP, XS-Leak, and prototype-pollution findings still require browser-visible impact.
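How the SameSite and credential-mode gate works in practice, as an added example that is not the skill's own code: a session cookie discovered in the prerequisite step is parsed, each cross-site delivery vehicle an attacker page could use (an HTML form submission and a fetch() with credentials included) is checked for whether the browser would attach that cookie, and only a vehicle that does carry it raises the CSRF lead to high. The cookie-attachment rules model Chrome: an absent SameSite attribute is treated as Lax with a two-minute grace window in which top-level POSTs still carry the cookie, and SameSite=None without Secure is rejected outright. Firefox and Safari treat an absent attribute as None, so a result of "not sent" under these rules should be confirmed in the target browser. The `endpoint` shape, the `cookieAgeSeconds` parameter and the severity labels are this example's assumptions.

```javascript
// Added example, not the /test-csrf-cors skill's own code. Browser rules
// below follow Chrome; the endpoint descriptor and severity labels are
// assumptions made for this illustration.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
// Body types an HTML form or a "simple" fetch can send without a preflight.
const SIMPLE_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// Minimal Set-Cookie parser: only the attributes the decision depends on.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map(s => s.trim());
  const cookie = { name: nameValue.split('=')[0], sameSite: null, secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    if (k.toLowerCase() === 'samesite') cookie.sameSite = v.trim().toLowerCase();
    if (k.toLowerCase() === 'secure') cookie.secure = true;
  }
  return cookie;
}

// req: { method, topLevel, credentials? }. topLevel is true for navigations
// (links, form posts) and false for fetch/XHR/subresource requests.
// cookieAgeSeconds is how long ago the cookie was set (assumed input).
function cookieSentCrossSite(cookie, req, cookieAgeSeconds = Infinity) {
  // Credential mode first: a fetch()/XHR without credentials:'include'
  // never sends cookies cross-site, whatever SameSite says. Top-level
  // navigations always attempt to attach them.
  if (!req.topLevel && req.credentials !== 'include') return false;
  let mode = cookie.sameSite;
  let unsafeGrace = false;
  if (mode === null) {                     // Chrome default: Lax-allowing-unsafe
    mode = 'lax';
    unsafeGrace = cookieAgeSeconds <= 120;
  }
  if (mode === 'strict') return false;
  if (mode === 'none') return cookie.secure;   // None without Secure is dropped
  // Lax: top-level navigations only, and only safe methods unless the
  // freshly-set-cookie grace window applies.
  if (!req.topLevel) return false;
  return SAFE_METHODS.has(req.method.toUpperCase()) || unsafeGrace;
}

// endpoint: { method, stateChanging, contentTypes?, requiresCustomHeader? }
function csrfSeverity(setCookie, endpoint, cookieAgeSeconds = Infinity) {
  const cookie = parseSetCookie(setCookie);
  const method = endpoint.method.toUpperCase();
  if (!endpoint.stateChanging) {
    return { severity: 'none', reason: 'endpoint is not state-changing' };
  }
  if (endpoint.requiresCustomHeader) {
    return { severity: 'none', reason: 'required custom header forces a CORS preflight' };
  }
  // Delivery vehicles an attacker page can use without a preflight.
  const vehicles = [
    { name: 'html form', method, topLevel: true },
    { name: 'fetch credentials:include', method, topLevel: false, credentials: 'include' },
  ];
  const working = vehicles.filter(v => cookieSentCrossSite(cookie, v, cookieAgeSeconds));
  if (working.length === 0) {
    // SameSite/credential gate: without the cookie there is no authenticated request.
    return { severity: 'info', reason: `cookie ${cookie.name} would not accompany any cross-site vehicle` };
  }
  const accepts = endpoint.contentTypes ?? ['application/x-www-form-urlencoded'];
  if (!accepts.some(t => SIMPLE_TYPES.includes(t))) {
    // JSON-only endpoints need a content-type downgrade before a form can hit them.
    return { severity: 'low', reason: 'no preflight-free body type; test JSON/content-type downgrade' };
  }
  return { severity: 'high', reason: `cookie ${cookie.name} sent via ${working.map(v => v.name).join(', ')}` };
}
```

Run csrfSeverity with each Set-Cookie header captured during session-cookie discovery and the endpoint description from the same step. A SameSite=Lax cookie on a POST endpoint stays at info, the same cookie with SameSite=None; Secure becomes high, an attribute-less cookie is high only inside the two-minute grace window, and a JSON-only endpoint is held at low until the content-type downgrade is actually demonstrated.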
Knowledge Packs and Cheatsheets
| Resource | Path |
|---|---|
| Shared router bootstrap | helpers/scope-bootstrap.md |
| CSRF knowledge | helpers/knowledge-csrf.md (loaded by /test-csrf-cors) |
| Client-side advanced reference | helpers/knowledge-client-side.md |
| CSRF/CORS cheatsheet | helpers/cheatsheet-csrf-cors.md |
| Research terms | helpers/research-terms.md |
External payload files: PayloadsAllTheThings CSRF, CORS, XSS, and WebSocket payloads.
Safety
- Use realistic browser PoCs instead of noisy payload spam.
- Stop after one reproducible browser-side proof per pattern.
- Treat static JS grep matches as leads until execution or exploitable policy behavior is confirmed.