Inspiration

As penetration testers and security researchers, we noticed a serious gap in fast, AI-assisted tooling for discovering real-time XSS vulnerabilities—especially in early-stage prototypes and DevOps pipelines. This project was born to bridge that gap using automation, Google Cloud services, and headless browser simulation.

What it does

• Scans form inputs, URL params, and DOM events for XSS injection points
• Uses an AI model to mutate known payloads and bypass filters
• Simulates execution in headless Chromium using Puppeteer
• Confirms DOM-based, reflected, and stored XSS by capturing rendered artifacts
• Generates a visual log of payload success, including sandboxed screenshots and execution chains

How we built it

• Backend: Node.js with Express.js
• Scanning Logic: Puppeteer (Chrome DevTools Protocol)
• AI Payload Mutation: OpenAI API (custom prompt chaining)
• Deployment: Google Cloud Run and Firebase
• Storage & Logs: Firestore for event logs, and GCS for screenshot payloads
• CI/CD: GitHub Actions auto-deploys from secure branches

Challenges we ran into


Accomplishments that we're proud of

• Developed a working AI fuzzing engine that mutates payloads in real-time
• Built a live preview system that renders success/failure of injection chains
• Successfully detected reflected XSS on 3 sandboxed test apps within 2 minutes
• Reached over 90% true-positive detection in our internal testing suite

What we learned

• XSS in modern apps is more about DOM awareness than raw payload injection
• AI can meaningfully assist in fuzzing when paired with input context
• Test automation is crucial—manual scanning wouldn’t scale across user flows
• Developers benefit from seeing what an attacker sees—in the browser

What's next for XSS Vulnerability

• Add WebSocket and iframe listener support for deeper injection vectors
• Integrate webhook alerts for Slack, Discord, and PagerDuty
• Launch a browser extension to scan forms before submission
• Offer it as a CI plugin to catch new XSS vectors during commits
