profile_id: xss-generic
match_rules:
  keywords:
    - xss
    - cross-site scripting
    - dom xss
    - trusted types
vuln_family: xss
provisioning_mode: synthetic
artifact_source:
  strategy: official-image-or-synthetic
required_services:
  - app
seed_actions:
  - kind: note
    message: Seed a low-privilege user and a review page when the target supports stored content.
baseline_actions:
  - kind: http-get
    path: /
attack_actions:
  - kind: tool
    tool: xss-fuzzer
    args:
      - "-u"
      - "{target_url}"
      - "--dom-scan"
      - "--check-csp"
      - "--evidence-dir"
      - "{evidence_dir}"
      - "--run-id"
      - "{run_id}"
      - "--case-id"
      - "{case_id}"
browser_assertions:
  required: true
  strategy: reflect-or-render
success_criteria:
  - Browser evidence confirms payload reflection or DOM sink execution path.
cleanup_policy: destroy
destructive_risk: low
allowed_target_types:
  - lab-local
  - lab-public
  - authorized-third-party